[ https://issues.apache.org/jira/browse/HADOOP-10565?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Benoy Antony updated HADOOP-10565:
----------------------------------
Attachment: HADOOP-10565.patch
Attaching patch which enhances proxyuser.hosts to accept IP ranges in CIDR
format.
The patch uses a utility container MachineList to hold IPs, IP ranges and/or
host names.
The current proxyuser authorize does a linear scan of the IP list. MachineList
does a HashSet lookup.
The performance test:
Scenario 1: With 128 IP entries. Look up a random IP 1 million times
current implementation : 86940 ms (close to 0.1 ms for each authorize() call)
New implementation using list of IPs : 3420 ms
New implementation using IP range : 3936 ms
So with 128 entries, there is a 25-fold improvement in speed.
Scenario 2: With 4 IP entries. Look up a random IP 1 million times
current implementation : 7117 ms
New implementation using list of IPs : 3380 ms
New implementation using IP range : 3969 ms
The performance test code is added in TestProxyUsers.
If specifying hostnames, the current implementation loops through the list of
hosts and tries to resolve the IP. The new implementation attempts to resolve
the incoming IP's hostname with the list of hostnames. If that doesn't match,
it loops through the list of hostnames. The new implementation (MachineList)
supports an argument requesting to resolve the IP addresses of specified
hostnames during MachineList construction.
> Support IP ranges (CIDR) in proxyuser.hosts
> --------------------------------------------
>
> Key: HADOOP-10565
> URL: https://issues.apache.org/jira/browse/HADOOP-10565
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Reporter: Benoy Antony
> Assignee: Benoy Antony
> Attachments: HADOOP-10565.patch
>
>
> In some use cases, there will be many hosts from which the user can
> impersonate.
> This requires specifying many IPs in the XML configuration.
> It is cumbersome to specify and maintain a long list of IPs in proxyuser.hosts.
> The problem can be solved if proxyuser.hosts accepts IP ranges in CIDR format.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
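
The lookup described in the comment above (a HashSet for single IPs plus CIDR ranges), as an added example that is not part of the original message and is not Hadoop's MachineList. The class name `ProxyHostAllowlist`, the IPv4-only parsing and the sample addresses are assumptions made for illustration; malformed entries throw instead of being skipped, so a typo cannot silently widen or empty the list of hosts allowed to impersonate.

```java
import java.util.*;
/** Hypothetical allowlist for illustration; not Hadoop's MachineList. IPv4 only. */
public class ProxyHostAllowlist {
    private final Set<Integer> exact = new HashSet<>();      // single IPs: O(1) lookup
    private final List<int[]> ranges = new ArrayList<>();    // {network, mask} per CIDR entry

    public ProxyHostAllowlist(String commaSeparated) {
        for (String raw : commaSeparated.split(",")) {
            String entry = raw.trim();
            if (entry.isEmpty()) continue;
            int slash = entry.indexOf('/');
            if (slash < 0) { exact.add(parseIpv4(entry)); continue; }
            int prefix = Integer.parseInt(entry.substring(slash + 1));
            if (prefix < 0 || prefix > 32)
                throw new IllegalArgumentException("bad prefix: " + entry);
            // In Java, -1 << 32 == -1, so a /0 entry needs its own case.
            int mask = prefix == 0 ? 0 : -1 << (32 - prefix);
            ranges.add(new int[] { parseIpv4(entry.substring(0, slash)) & mask, mask });
        }
    }

    /** True only if the caller address is listed; a malformed address throws. */
    public boolean includes(String ip) {
        int addr = parseIpv4(ip);
        if (exact.contains(addr)) return true;
        for (int[] r : ranges)
            if ((addr & r[1]) == r[0]) return true;
        return false;
    }

    private static int parseIpv4(String s) {
        String[] parts = s.split("\\.", -1);
        if (parts.length != 4) throw new IllegalArgumentException("not IPv4: " + s);
        int value = 0;
        for (String p : parts) {
            int octet = Integer.parseInt(p);
            if (octet < 0 || octet > 255) throw new IllegalArgumentException("not IPv4: " + s);
            value = (value << 8) | octet;
        }
        return value;
    }
    public static void main(String[] args) {
        // Constructed sample value in the style of a proxyuser.hosts setting.
        ProxyHostAllowlist hosts = new ProxyHostAllowlist("10.222.0.0/16, 10.113.221.221");
        System.out.println(hosts.includes("10.222.4.9"));     // address inside the /16
        System.out.println(hosts.includes("10.113.221.221")); // exact entry
        System.out.println(hosts.includes("10.223.0.1"));     // address outside both entries
    }
}
```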