You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues-all@impala.apache.org by "Joe McDonnell (Jira)" <ji...@apache.org> on 2023/03/15 23:21:00 UTC

[jira] [Assigned] (IMPALA-11942) Consider restricting --trusted_domain=localhost to 127.0.0.1

     [ https://issues.apache.org/jira/browse/IMPALA-11942?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Joe McDonnell reassigned IMPALA-11942:
--------------------------------------

    Assignee: Joe McDonnell

> Consider restricting --trusted_domain=localhost to 127.0.0.1
> ------------------------------------------------------------
>
>                 Key: IMPALA-11942
>                 URL: https://issues.apache.org/jira/browse/IMPALA-11942
>             Project: IMPALA
>          Issue Type: Bug
>          Components: Backend
>    Affects Versions: Impala 4.3.0
>            Reporter: Joe McDonnell
>            Assignee: Joe McDonnell
>            Priority: Major
>
> The trusted domain feature introduced in IMPALA-10210 allows avoiding authentication when coming from a trusted domain (controlled by the trusted_domain startup flag).
> In some of our tests, we set this to localhost, and we've noticed that on Ubuntu 20 in AWS, some addresses other than 127.0.0.1 resolve back to localhost (e.g. 127.23.0.1 resolves to localhost). This causes test failures on Ubuntu 20 running on an AWS machine.
> In general, reverse DNS can be attacked to resolve other IP addresses back to localhost. We should look into restricting --trusted_domain=localhost to 127.0.0.1 so that the attacks on reverse DNS can't impact security.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

---------------------------------------------------------------------
To unsubscribe, e-mail: issues-all-unsubscribe@impala.apache.org
For additional commands, e-mail: issues-all-help@impala.apache.org