hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Benoy Antony (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10565) Support IP ranges (CIDR) in proxyuser.hosts
Date Wed, 25 Jun 2014 07:44:24 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14043144#comment-14043144
] 

Benoy Antony commented on HADOOP-10565:
---------------------------------------

Thanks [~arpitagarwal]  for the very detailed review. 
I have addressed your comments except #1 and #3.
For #1, note that the existing logic  in _DefaultImpersonationProvider_ performs host resolution
in a loop. While researching for a better solution, I see that _InetAddress_ has a negative
and positive cache internally. The administrators can specify the cache expiry via two system
properties - {{networkaddress.cache.ttl}}   {{networkaddress.cache.negative.ttl (default:
10 secs) }}
Reference: http://docs.oracle.com/javase/7/docs/technotes/guides/net/properties.html

These two parameters allow an administrator to tune the performance based on his specific
environment and performance requirements. We can probably mention these parameters in the
documentation. If this is acceptable, I can even remove the existing _cacheIP_ based functionality
(MachineList.java:111-119) .  Thus  #3 will be addressed as well.


> Support IP ranges (CIDR) in  proxyuser.hosts
> --------------------------------------------
>
>                 Key: HADOOP-10565
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10565
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HADOOP-10565.patch, HADOOP-10565.patch
>
>
> In some use cases, there will be many hosts from which the user can impersonate. 
> This requires specifying many ips  in the XML configuration. 
> It is cumbersome to specify and maintain long list of ips in proxyuser.hosts
> The problem can be solved if we enable proxyuser.hosts to accept ip ranges in CIDR format.
> In addition, the current ip authorization involve a liner scan of the ips and an attempt
to do InetAddress.getByName()  for each ip/host. 
> It may be beneficial to group this functionality of ip authorization by looking up  "ip
addresses/host names/ip-ranges" into a separate class. This could be reused in other usecases
which require similar functionality



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message