Posted to commits@impala.apache.org by ta...@apache.org on 2019/02/21 19:39:49 UTC
[impala] 01/13: IMPALA-7182: [DOCS] Insecure clusters with public IPs not allowed
This is an automated email from the ASF dual-hosted git repository.
tarmstrong pushed a commit to branch 2.x
in repository https://gitbox.apache.org/repos/asf/impala.git
commit db988c71e49e0a42705ba06e7a3300fdb219afb6
Author: Alex Rodoni <ar...@cloudera.com>
AuthorDate: Mon Jun 18 14:44:08 2018 -0700
IMPALA-7182: [DOCS] Insecure clusters with public IPs not allowed
Change-Id: I9db28d42fccd9711635c6aee66f2aafc758d58d0
Reviewed-on: http://gerrit.cloudera.org:8080/10751
Reviewed-by: Alex Rodoni <ar...@cloudera.com>
Reviewed-by: Michael Ho <kw...@cloudera.com>
Tested-by: Impala Public Jenkins <im...@cloudera.com>
Reviewed-on: http://gerrit.cloudera.org:8080/12546
Reviewed-by: Tim Armstrong <ta...@cloudera.com>
---
docs/topics/impala_known_issues.xml | 29 +++++++++++++++++++++++++++++
1 file changed, 29 insertions(+)
diff --git a/docs/topics/impala_known_issues.xml b/docs/topics/impala_known_issues.xml
index 47e0c5c..322cdb5 100644
--- a/docs/topics/impala_known_issues.xml
+++ b/docs/topics/impala_known_issues.xml
@@ -776,6 +776,35 @@ select * from tab_separated; -- 20 second delay before getting "Cancelled due to
</conbody>
+ <concept id="id_p1n_tbx_22b">
+
+ <title>Impala does not allow the use of insecure clusters with public IPs</title>
+
+ <conbody>
+
+ <p>
+ Starting in <keyword keyref="impala212_full"/>, Impala, by default,
+ will only allow unencrypted or unauthenticated connections from
+ trusted subnets: <codeph>127.0.0.0/8</codeph>,
+ <codeph>10.0.0.0/8</codeph>, <codeph>172.16.0.0/12</codeph>,
+ <codeph>192.168.0.0/16</codeph>, <codeph>169.254.0.0/16</codeph>.
+ Unencrypted or unauthenticated connections from publicly routable IPs
+ will be rejected.
+ </p>
+
+ <p>
+ The trusted subnets can be configured using the
+ <codeph>--trusted_subnets</codeph> flag. Set it to
+ '<codeph>0.0.0.0/0</codeph>' to allow unauthenticated connections
+ from all remote IP addresses. However, if network access is not
+ otherwise restricted by a firewall, malicious users may be able to
+ gain unauthorized access.
+ </p>
+
+ </conbody>
+
+ </concept>
+
<concept id="impala-4712">
<title>Transient kerberos authentication error during table loading</title>
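Review bot: The second added paragraph, on --trusted_subnets, gives '0.0.0.0/0' as the only example value and says it allows "unauthenticated connections", while the first paragraph says the default restricts "unencrypted or unauthenticated" connections, so it is unclear whether the override also re-enables unencrypted ones. Use the same wording in both paragraphs, and lead with the narrower option: tell readers to add only the specific subnets their clients connect from, and present 0.0.0.0/0 as a last resort for networks already restricted by a firewall. It would also help to state the value format the flag accepts and which connections are covered, since "connections" is not qualified anywhere in the text. The title says Impala "does not allow the use of insecure clusters with public IPs", but the body describes a default that rejects connections from addresses outside the trusted subnets, so a title along the lines of "Unencrypted or unauthenticated connections from public IPs are rejected by default" would match the text. The concept id id_p1n_tbx_22b is also opaque next to the neighbouring impala-4712; an id derived from IMPALA-7182 would be easier to link to.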