hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Benoy Antony (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-10565) Support IP ranges (CIDR) in proxyuser.hosts
Date Fri, 02 May 2014 22:00:22 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-10565?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]

Benoy Antony updated HADOOP-10565:
----------------------------------

    Description: 
In some use cases, there will be many hosts from which the user can impersonate. 
This requires specifying many ips  in the XML configuration. 
It is cumbersome to specify and maintain long list of ips in proxyuser.hosts
The problem can be solved if we enable proxyuser.hosts to accept ip ranges in CIDR format.

In addition, the current ip authorization involve a liner scan of the ips and an attempt to
do InetAddress.getByName()  for each ip/host. 

It may be beneficial to group this functionality of ip authorization by looking up  "ip addresses/host
names/ip-ranges" into a separate class. This could be reused in other usecases which require
similar functionality

  was:
In some use cases, there will be many hosts from which the user can impersonate. 
This requires specifying many ips  in the XML configuration. 
It is cumbersome to specify and maintain long list of ips in proxyuser.hosts
The problem can be solved if proxyuser.hosts accept ip ranges in CIDR format.



> Support IP ranges (CIDR) in  proxyuser.hosts
> --------------------------------------------
>
>                 Key: HADOOP-10565
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10565
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HADOOP-10565.patch
>
>
> In some use cases, there will be many hosts from which the user can impersonate. 
> This requires specifying many ips  in the XML configuration. 
> It is cumbersome to specify and maintain long list of ips in proxyuser.hosts
> The problem can be solved if we enable proxyuser.hosts to accept ip ranges in CIDR format.
> In addition, the current ip authorization involve a liner scan of the ips and an attempt
to do InetAddress.getByName()  for each ip/host. 
> It may be beneficial to group this functionality of ip authorization by looking up  "ip
addresses/host names/ip-ranges" into a separate class. This could be reused in other usecases
which require similar functionality



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message