Posted to commits@impala.apache.org by ta...@apache.org on 2019/02/21 19:39:49 UTC

[impala] 01/13: IMPALA-7182: [DOCS] Insecure clusters with public IPs not allowed

This is an automated email from the ASF dual-hosted git repository.

tarmstrong pushed a commit to branch 2.x
in repository https://gitbox.apache.org/repos/asf/impala.git

commit db988c71e49e0a42705ba06e7a3300fdb219afb6
Author: Alex Rodoni <ar...@cloudera.com>
AuthorDate: Mon Jun 18 14:44:08 2018 -0700

    IMPALA-7182: [DOCS] Insecure clusters with public IPs not allowed
    
    Change-Id: I9db28d42fccd9711635c6aee66f2aafc758d58d0
    Reviewed-on: http://gerrit.cloudera.org:8080/10751
    Reviewed-by: Alex Rodoni <ar...@cloudera.com>
    Reviewed-by: Michael Ho <kw...@cloudera.com>
    Tested-by: Impala Public Jenkins <im...@cloudera.com>
    Reviewed-on: http://gerrit.cloudera.org:8080/12546
    Reviewed-by: Tim Armstrong <ta...@cloudera.com>
---
 docs/topics/impala_known_issues.xml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/docs/topics/impala_known_issues.xml b/docs/topics/impala_known_issues.xml
index 47e0c5c..322cdb5 100644
--- a/docs/topics/impala_known_issues.xml
+++ b/docs/topics/impala_known_issues.xml
@@ -776,6 +776,35 @@ select * from tab_separated; -- 20 second delay before getting "Cancelled due to
 
     </conbody>
 
+    <concept id="id_p1n_tbx_22b">
+
+      <title>Impala does not allow the use of insecure clusters with public IPs</title>
+
+      <conbody>
+
+        <p>
+            Starting in <keyword keyref="impala212_full"/>, Impala, by default,
+            will only allow unencrypted or unauthenticated connections from
+            trusted subnets: <codeph>127.0.0.0/8</codeph>,
+              <codeph>10.0.0.0/8</codeph>, <codeph>172.16.0.0/12</codeph>,
+              <codeph>192.168.0.0/16</codeph>, <codeph>169.254.0.0/16</codeph>.
+            Unencrypted or unauthenticated connections from publicly routable IPs
+            will be rejected.
+        </p>
+
+        <p>
+            The trusted subnets can be configured using the
+              <codeph>--trusted_subnets</codeph> flag. Set it to
+              '<codeph>0.0.0.0/0</codeph>' to allow unauthenticated connections
+            from all remote IP addresses. However, if network access is not
+            otherwise restricted by a firewall, malicious users may be able to
+            gain unauthorized access.
+        </p>
+
+      </conbody>
+
+    </concept>
+
     <concept id="impala-4712">
 
       <title>Transient kerberos authentication error during table loading</title>
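Review bot: The second paragraph of the new concept says setting --trusted_subnets to 0.0.0.0/0 allows "unauthenticated connections from all remote IP addresses", while the first paragraph describes the default as restricting "unencrypted or unauthenticated" connections. Use the same wording in both places so readers can tell whether widening the flag also admits unencrypted connections. The closing warning would also be more useful if it told the reader what to do, for example to keep the default subnets and enable authentication and encryption rather than opening the flag to 0.0.0.0/0. The paragraph does not say what value format the flag accepts, such as whether several subnets can be listed, so an operator narrowing the list has nothing to go on. On style, the concept id "id_p1n_tbx_22b" looks auto-generated, whereas the following entry uses a JIRA-based id ("impala-4712"); an id derived from IMPALA-7182 would give a stable, searchable anchor.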