Ranger / RANGER-2306

Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger


    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.2.0
    • Fix Version/s: 2.0.0, 1.2.1
    • Component/s: plugins
    • Labels:
      None

      Description

      Problem Description:
      IP-based Knox policies don't work when Knox is behind a Load Balancer, because the Ranger Knox plugin currently doesn't accept and pass on the "X-Forwarded-for" header to the Ranger policy engine.

      Impact:
      In an environment where Knox is running behind a Load Balancer and Knox has a Ranger policy to allow/deny access to Hadoop services based on client IP addresses, this won't work as expected due to this bug.

      Expected Behavior:
      1. The Knox plugin should process the "X-Forwarded-for" header received from the Load Balancer and pass it on to the policy engine in the form of 'RangerAccessRequestImpl.forwardedAddresses'.

      Steps to reproduce:
      1. Install & configure Knox behind a Load Balancer
      2. Enable Ranger Knox plugin
      3. Also set "ranger.plugin.knox.use.x-forwarded-for.ipaddress=true" and "ranger.plugin.knox.trusted.proxy.ipaddresses=<comma-separated-ip-of-load-balancers>"
      4. Define a Knox policy to allow access to a user from designated client IP(s)
      5. Try to access any resource (WebHDFS, for example) via Knox through the Load Balancer from the designated client host.

      Workaround:
      None
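
The behaviour an IP-based policy depends on, sketched as an added example (not Ranger or Knox code, and not taken from the fix for this issue): the header is honoured only when the direct peer is a listed proxy, and the client address is the right-most entry that is not itself a trusted proxy. The function names are hypothetical, the parameters mirror the two properties from the reproduction steps, and all addresses are constructed samples.

```python
import ipaddress


def parse_forwarded_for(header):
    """Split an X-Forwarded-For value into validated addresses, client first.

    Returns None if any entry is not an IP address, so that a malformed
    header is ignored as a whole instead of being partially trusted.
    """
    hops = []
    for part in (header or "").split(","):
        part = part.strip()
        if not part:
            continue
        try:
            hops.append(ipaddress.ip_address(part))
        except ValueError:
            return None
    return hops


def effective_client_ip(remote_addr, xff_header, trusted_proxies, use_xff=True):
    """Return the address an IP-based policy should be evaluated against.

    remote_addr     -- TCP peer seen by the gateway (the load balancer here)
    xff_header      -- raw X-Forwarded-For value, or None
    trusted_proxies -- comma-separated proxy IPs (cf. trusted.proxy.ipaddresses)
    use_xff         -- cf. use.x-forwarded-for.ipaddress
    """
    remote = ipaddress.ip_address(remote_addr)
    trusted = {ipaddress.ip_address(p.strip())
               for p in trusted_proxies.split(",") if p.strip()}
    # A header sent by an unlisted peer is client-controlled: ignore it.
    if not use_xff or remote not in trusted:
        return str(remote)
    hops = parse_forwarded_for(xff_header)
    if not hops:
        return str(remote)
    # Each proxy appends the peer it saw, so walk from the right and stop at
    # the first address that is not one of our own proxies.
    for hop in reversed(hops):
        if hop not in trusted:
            return str(hop)
    return str(hops[0])  # every hop is a trusted proxy: use the left-most


if __name__ == "__main__":
    lb = "10.0.0.5"  # constructed load balancer address
    # Header ignored: the policy only ever sees the load balancer.
    print(effective_client_ip(lb, "203.0.113.7", lb, use_xff=False))
    # Header honoured for a trusted peer: the policy sees the real client.
    print(effective_client_ip(lb, "203.0.113.7", lb))
```

With the header ignored, every request appears to come from the load balancer, so an allow policy for the client address never matches and a deny policy for it never fires.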

              People

              • Assignee:
                Unassigned
                Reporter:
                vrathor-hw Vipin Rathor