hadoop-common-issues mailing list archives

From "Benoy Antony (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-10565) Support IP ranges (CIDR) in proxyuser.hosts
Date Fri, 02 May 2014 06:27:15 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-10565?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Benoy Antony updated HADOOP-10565:
----------------------------------

    Attachment: HADOOP-10565.patch

Attaching a patch which enhances proxyuser.hosts to accept IP ranges in CIDR format.
The patch uses a utility container, MachineList, to hold IPs, IP ranges and/or host names.

The current proxyuser authorize does a linear scan of the IP list. MachineList does a HashSet
lookup.

The performance test:

Scenario 1: With 128 IP entries. Look up a random IP 1 million times

current implementation : 86940 ms  (close to 0.1 ms for each authorize() call)

New implementation using list of ips : 3420 ms

New implementation using ip range : 3936 ms

So with 128 entries, there is a 25-fold improvement in speed.


Scenario 2: With 4 IP entries. Look up a random IP 1 million times

current implementation :  7117 ms  

New implementation using list of ips : 3380 ms

New implementation using ip range : 3969 ms

The performance test code is added in TestProxyUsers.

If specifying hostnames, the current implementation loops through the list of hosts and tries
to resolve the IP. The new implementation attempts to resolve the incoming IP's hostname with
the list of hostnames. If that doesn't match, it loops through the list of hostnames. The new
implementation (MachineList) supports an argument requesting to resolve the IP addresses of
specified hostnames during MachineList construction.


> Support IP ranges (CIDR) in  proxyuser.hosts
> --------------------------------------------
>
>                 Key: HADOOP-10565
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10565
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HADOOP-10565.patch
>
>
> In some use cases, there will be many hosts from which the user can impersonate.
> This requires specifying many IPs in the XML configuration.
> It is cumbersome to specify and maintain a long list of IPs in proxyuser.hosts.
> The problem can be solved if proxyuser.hosts accepts IP ranges in CIDR format.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
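
The lookup strategy the message describes (a hash set for single addresses, a mask comparison for CIDR ranges), as an added example that is not the attached patch or Hadoop's MachineList. The class name `HostAllowList`, its methods and the sample entries are hypothetical; it assumes IPv4 literals only and leaves hostname resolution out.

```java
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;

/** Hypothetical allow-list (not Hadoop's MachineList): exact IPv4 addresses plus CIDR ranges. */
public class HostAllowList {
    private final Set<Integer> exact = new HashSet<>();   // single addresses: hash lookup
    private final List<int[]> ranges = new ArrayList<>(); // {network, mask} pairs

    public HostAllowList(String commaSeparated) {
        for (String raw : commaSeparated.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) continue;
            int slash = entry.indexOf('/');
            if (slash < 0) { exact.add(toInt(entry)); continue; }
            int bits = Integer.parseInt(entry.substring(slash + 1));
            if (bits < 0 || bits > 32) throw new IllegalArgumentException("bad prefix: " + entry);
            int mask = bits == 0 ? 0 : -1 << (32 - bits);
            // Store the masked network so "10.222.3.4/16" and "10.222.0.0/16" behave the same.
            ranges.add(new int[] { toInt(entry.substring(0, slash)) & mask, mask });
        }
    }

    /** Parses a dotted-quad IPv4 literal; malformed input throws, so a typo fails closed. */
    static int toInt(String ip) {
        if (!ip.matches("\\d{1,3}(\\.\\d{1,3}){3}"))
            throw new IllegalArgumentException("not an IPv4 literal: " + ip);
        int v = 0;
        for (String octet : ip.split("\\.")) {
            int o = Integer.parseInt(octet);
            if (o > 255) throw new IllegalArgumentException("bad octet: " + ip);
            v = (v << 8) | o;
        }
        return v;
    }

    /** True if the caller's address is an exact entry or falls inside any configured range. */
    public boolean includes(String ip) {
        int addr = toInt(ip);
        if (exact.contains(addr)) return true;
        for (int[] r : ranges) if ((addr & r[1]) == r[0]) return true;
        return false;
    }

    public static void main(String[] args) {
        HostAllowList list = new HostAllowList("10.222.0.0/16, 10.113.221.221"); // constructed sample
        System.out.println(list.includes("10.222.45.7"));    // address inside the /16
        System.out.println(list.includes("10.113.221.221")); // exact entry
        System.out.println(list.includes("10.223.0.1"));     // address outside both entries
    }
}
```

A range entry widens who may impersonate, so the prefix length deserves the same review as each individual address it replaces.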
