Google Git
Sign in
apache / impala / cfe25043a8275943cc88b7aa26a4d1ef480e0b11^! / .
commitcfe25043a8275943cc88b7aa26a4d1ef480e0b11[log] [tgz]
authorAlex Rodoni <arodoni@cloudera.com>Mon Jun 18 14:44:08 2018 -0700
committerImpala Public Jenkins <impala-public-jenkins@cloudera.com>Tue Jun 19 00:06:25 2018 +0000
tree0e4fb868265134e72f32d1c7ae12d67e26a2d498
parent6fb1cc6a0ed405e386af40584c22268648dda011 [diff]
IMPALA-7182: [DOCS] Insecure clusters with public IPs not allowed

Change-Id: I9db28d42fccd9711635c6aee66f2aafc758d58d0
Reviewed-on: http://gerrit.cloudera.org:8080/10751
Reviewed-by: Alex Rodoni <arodoni@cloudera.com>
Reviewed-by: Michael Ho <kwho@cloudera.com>
Tested-by: Impala Public Jenkins <impala-public-jenkins@cloudera.com>

diff --git a/docs/topics/impala_known_issues.xml b/docs/topics/impala_known_issues.xml
index 66574a4..21a99fe 100644
--- a/docs/topics/impala_known_issues.xml
+++ b/docs/topics/impala_known_issues.xml

@@ -301,7 +301,41 @@
 
   </concept>
 
-<!--<concept id="known_issues_security"><title id="ki_security">Impala Known Issues: Security</title><conbody><p> These issues relate to security features, such as Kerberos authentication, Sentry authorization, encryption, auditing, and redaction. </p></conbody></concept>-->
+<concept id="known_issues_security">
+  <title id="ki_security">Impala Known Issues: Security</title>
+  <conbody>
+    <p>
+      These issues are related to security features, such as Kerberos
+        authentication, Sentry authorization, encryption, auditing, and
+        redaction.
+    </p>
+  </conbody>
+
+  <concept id="id_p1n_tbx_22b">
+    <title>Impala does not allow the use of insecure clusters with public IPs</title>
+
+    <conbody>
+      <p>
+          Starting in <keyword keyref="impala212_full"/>, Impala, by default,
+          will only allow unencrypted or unauthenticated connections from
+          trusted subnets: <codeph>127.0.0.0/8</codeph>,
+            <codeph>10.0.0.0/8</codeph>, <codeph>172.16.0.0/12</codeph>,
+            <codeph>192.168.0.0/16</codeph>, <codeph>169.254.0.0/16</codeph>.
+          Unencrypted or unauthenticated connections from publicly routable IPs
+          will be rejected.
+      </p>
+
+      <p>
+          The trusted subnets can be configured using the
+            <codeph>--trusted_subnets</codeph> flag. Set it to
+            '<codeph>0.0.0.0/0</codeph>' to allow unauthenticated connections
+          from all remote IP addresses. However, if network access is not
+          otherwise restricted by a firewall, malicious users may be able to
+          gain unauthorized access.
+      </p>
+      </conbody>
+    </concept>
+</concept>
 
   <concept id="known_issues_resources">