[HUE-6546] Automatically configure Hue Axes log the remote ip.

Review Request #10825 - Created June 5, 2017 and submitted

Prakash Ranade
hue
master
HUE-6546
hue
enricoberti, jennykim, johan, krish, ranade, romain, subrata, weixia
commit 4038a0ac81477dda5d2078cd28115d6e5c7ec830
Author: Prakash Ranade <ranade@cloudera.com>
Date:   Tue Jun 6 11:47:55 2017 -0700

    HUE-6546 [core] Automatically configure Hue Axes log the remote ip.
    
        This is regression from earlier commit f60472e67c8c6fdb59ba8a2911b8fc0d331f5335
    
        User can directly point their browser to Hue Server port or Load Balancer port.
    
        When Hue Server starts it may set various configuration properties but unless we
        inspect request object we can not determine if user came through LB port or Hue port.
    
        This code change correctly logs real ip address of client in both cases.
    
        Tested on:
        - Tested on CDEP cluster.
        - Tested axes table logs correct remote ip

:100644 100644 0f95fe0... ca94e51... M	desktop/core/ext-py/django-axes-1.5.0/axes/decorators.py


  • 0
  • 0
  • 2
  • 3
  • 5
Description From Last Updated
  1. Commit message is usually: HUE-xxxx [component] Message message message
    :)

  2. 
      
  1. 
      
  2. desktop/core/src/desktop/middleware.py (Diff revision 2)
     
     

    Import here?

    (We keep them structured by type)

  3. desktop/core/src/desktop/middleware.py (Diff revision 2)
     
     

    Could we explain if it is a bug in django axe, fixed upstream or not?

    1. This is a bug in django-axes 1.5.0 that it assumes REVERSE PROXY is always hosted on public ip.

  4. desktop/core/src/desktop/middleware.py (Diff revision 2)
     
     

    This seems flawed though, what happens if we get concurrent requests, with some coming from LB, some not? (this setting is not supposed to be dynamic)

    Why can't we fix the get_ip to handle gracefully when BEHIND_REVERSE_PROXY is on but we don't get the headers?

    1. proposing alternate fix. Yesterday when Jenny and I were discussing about if we can avoid patching axes library. But seems like if we want to allow access to parallel access to Hue Server and LB port then we have to patch the library.

  5. 
      
  1. 
      
  2. Should we try to use request.META.get(REVERSE_PROXY_HEADER, '')

    1. X-Forwarded-For (XFF) HTTP header field is a common for identifying the originating IP address of a client connecting through reverse proxy load. Both nginx and apache supports it, I also checked "f5 networks LB" also supports it out of the box.

  3. 
      
  1. 
      
  2. Just comment, if more than one we go here?

    1. as discussed in our 1:1, I have added the fix.

  3. 
      
Review request changed

Status: Closed (submitted)

Loading...