hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Benoy Antony (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10565) Support IP ranges (CIDR) in proxyuser.hosts
Date Wed, 25 Jun 2014 17:12:27 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14043762#comment-14043762
] 

Benoy Antony commented on HADOOP-10565:
---------------------------------------

The two properties {{networkaddress.cache.ttl}} and {{networkaddress.cache.negative.ttl}}
are not system properties. They are security properties. So they may not something that an
Admin tweaks regularly. Also there are many posts about how this caching is broken.

The other option will be to cache it by default during initialization iinside _MachineList_
including negative caching. This will make sure that there won't be any lookups done during
authorization. The cache will be flushed when the proxyuser config is refreshed via -refreshSuperUserConfiguration.
Please let me know your thoughts.

> Support IP ranges (CIDR) in  proxyuser.hosts
> --------------------------------------------
>
>                 Key: HADOOP-10565
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10565
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HADOOP-10565.patch, HADOOP-10565.patch
>
>
> In some use cases, there will be many hosts from which the user can impersonate. 
> This requires specifying many ips  in the XML configuration. 
> It is cumbersome to specify and maintain long list of ips in proxyuser.hosts
> The problem can be solved if we enable proxyuser.hosts to accept ip ranges in CIDR format.
> In addition, the current ip authorization involve a liner scan of the ips and an attempt
to do InetAddress.getByName()  for each ip/host. 
> It may be beneficial to group this functionality of ip authorization by looking up  "ip
addresses/host names/ip-ranges" into a separate class. This could be reused in other usecases
which require similar functionality



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message