Ranger / RANGER-2306

Knox Plugin doesn't pass X-Forwarded-for remote address to Ranger


Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 1.2.0
    • Fix Version/s: 2.0.0, 1.2.1
    • Component/s: plugins
    • Labels: None

    Description

      Problem Description:
      IP-based Knox policies don't work when Knox is behind a Load Balancer, because the Ranger Knox plugin currently doesn't accept the "X-Forwarded-for" header and pass it on to the Ranger policy engine.

      Impact:
      In an environment where Knox is running behind a Load Balancer and Knox has a Ranger policy to allow/deny access to Hadoop services based on client IP addresses, this won't work as expected due to this bug.

      Expected Behavior:
      1. Knox plugin should process the "X-Forwarded-for" header received from the Load Balancer and pass it on to the policy engine in the form of 'RangerAccessRequestImpl.forwardedAddresses'.

      Steps to reproduce:
      1. Install & configure Knox behind a Load Balancer
      2. Enable Ranger Knox plugin
      3. Also set "ranger.plugin.knox.use.x-forwarded-for.ipaddress=true" and "ranger.plugin.knox.trusted.proxy.ipaddresses=<comma-separated-ip-of-load-balancers>"
      4. Define a Knox policy to allow access to a user from designated client IP(s)
      5. Try to access any WebHDFS (for example) resource through Knox via the Load Balancer from the designated client host.

      Workaround:
      None
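
      An added example (not code from the Ranger or Knox projects) of the decision that the two settings in step 3 imply: the header is consulted only when the feature is enabled and the direct peer is a listed load balancer. The class and method names and the sample IPs are assumptions, and the right-to-left hop selection is one common approach, not necessarily what the Ranger policy engine does.

```java
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

// Added illustration; class and method names are hypothetical, not Ranger or Knox APIs.
public class ForwardedClientIp {

    // Split an X-Forwarded-For value ("client, proxy1, proxy2") into trimmed, non-empty entries.
    static List<String> parseForwardedFor(String header) {
        List<String> out = new ArrayList<>();
        if (header != null) {
            for (String part : header.split(",")) {
                String ip = part.trim();
                if (!ip.isEmpty()) out.add(ip);
            }
        }
        return out;
    }

    // Use the header only when enabled and the direct TCP peer is a listed proxy.
    // Walk right to left, skipping trusted proxies, so entries that arrived
    // in front of the one the load balancer appended are not believed.
    static String effectiveClientIp(String remoteAddr, String header,
                                    boolean useForwarded, Set<String> trustedProxies) {
        if (!useForwarded || !trustedProxies.contains(remoteAddr)) {
            return remoteAddr;
        }
        List<String> hops = parseForwardedFor(header);
        for (int i = hops.size() - 1; i >= 0; i--) {
            if (!trustedProxies.contains(hops.get(i))) return hops.get(i);
        }
        return remoteAddr; // header empty or only trusted proxies listed
    }

    public static void main(String[] args) {
        // Constructed sample values (documentation address ranges).
        Set<String> lbs = new HashSet<>(Arrays.asList("192.0.2.10", "192.0.2.11"));
        // Request arrives via the load balancer: the policy should see the real client.
        System.out.println(effectiveClientIp("192.0.2.10", "203.0.113.7", true, lbs));
        // Header arrives from a peer that is not a listed proxy: it is ignored.
        System.out.println(effectiveClientIp("198.51.100.9", "203.0.113.7", true, lbs));
        // Extra leading entry in the header: the rightmost non-proxy hop is used.
        System.out.println(effectiveClientIp("192.0.2.10", "10.0.0.1, 203.0.113.7", true, lbs));
        // Feature disabled: the header is never consulted.
        System.out.println(effectiveClientIp("192.0.2.10", "203.0.113.7", false, lbs));
    }
}
```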

            People

              Assignee: Unassigned
              Reporter: Vipin Rathor (vrathor-hw)