[ 
https://issues.apache.org/jira/browse/HADOOP-10565?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Benoy Antony updated HADOOP-10565:
----------------------------------

    Description: 
In some use cases, there will be many hosts from which the user can 
impersonate. 
This requires specifying many IPs in the XML configuration. 
It is cumbersome to specify and maintain a long list of IPs in proxyuser.hosts.
The problem can be solved if we enable proxyuser.hosts to accept IP ranges in 
CIDR format.

In addition, the current IP authorization involves a linear scan of the IPs and 
an attempt to do InetAddress.getByName() for each IP/host. 

It may be beneficial to group this functionality of IP authorization by looking 
up "ip addresses/host names/ip-ranges" into a separate class. This could be 
reused in other use cases which require similar functionality.

  was:
In some use cases, there will be many hosts from which the user can 
impersonate. 
This requires specifying many IPs in the XML configuration. 
It is cumbersome to specify and maintain a long list of IPs in proxyuser.hosts.
The problem can be solved if proxyuser.hosts accepts IP ranges in CIDR format.



> Support IP ranges (CIDR) in proxyuser.hosts
> -------------------------------------------
>
>                 Key: HADOOP-10565
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10565
>             Project: Hadoop Common
>          Issue Type: Sub-task
>          Components: security
>            Reporter: Benoy Antony
>            Assignee: Benoy Antony
>         Attachments: HADOOP-10565.patch
>
>
> In some use cases, there will be many hosts from which the user can 
> impersonate. 
> This requires specifying many IPs in the XML configuration. 
> It is cumbersome to specify and maintain a long list of IPs in proxyuser.hosts.
> The problem can be solved if we enable proxyuser.hosts to accept IP ranges in 
> CIDR format.
> In addition, the current IP authorization involves a linear scan of the IPs and 
> an attempt to do InetAddress.getByName() for each IP/host. 
> It may be beneficial to group this functionality of IP authorization by 
> looking up "ip addresses/host names/ip-ranges" into a separate class. This 
> could be reused in other use cases which require similar functionality.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
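
One way the separate lookup class proposed in the description could look, added here as an example; it is not the attached HADOOP-10565.patch or any Hadoop code. The class name `HostListMatcher`, its methods and the sample addresses are assumptions, and `includes()` expects the caller to pass an IP literal.

```java
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.util.*;

// Hypothetical helper (not Hadoop code) for a proxyuser.hosts-style list of IPs, CIDR ranges and host names.
public class HostListMatcher {
    private final Set<InetAddress> exactIps = new HashSet<>(); // O(1) lookup
    private final List<byte[]> networks = new ArrayList<>();   // CIDR base addresses
    private final List<Integer> prefixes = new ArrayList<>();  // matching prefix lengths
    private final List<String> hostNames = new ArrayList<>();  // resolved last, on demand
    public HostListMatcher(String list) throws UnknownHostException {
        for (String raw : list.split(",")) {
            String e = raw.trim();
            int slash = e.indexOf('/');
            if (e.isEmpty()) continue;
            if (slash > 0) {                                   // CIDR entry
                byte[] net = InetAddress.getByName(e.substring(0, slash)).getAddress();
                int prefix = Integer.parseInt(e.substring(slash + 1));
                if (prefix < 0 || prefix > net.length * 8)
                    throw new IllegalArgumentException("bad prefix length: " + e);
                networks.add(net);
                prefixes.add(prefix);
            } else if (e.matches("[0-9.]+") || e.contains(":")) {
                exactIps.add(InetAddress.getByName(e));        // IP literal: no DNS query
            } else hostNames.add(e);
        }
    }
    public boolean includes(String clientIp) throws UnknownHostException {
        InetAddress client = InetAddress.getByName(clientIp);  // caller passes an IP literal
        if (exactIps.contains(client)) return true;
        for (int i = 0; i < networks.size(); i++)
            if (inRange(client.getAddress(), networks.get(i), prefixes.get(i))) return true;
        for (String h : hostNames)                             // DNS only if nothing else matched
            try {
                if (Arrays.asList(InetAddress.getAllByName(h)).contains(client)) return true;
            } catch (UnknownHostException ex) { /* unresolvable entry never matches */ }
        return false;
    }
    static boolean inRange(byte[] addr, byte[] net, int prefix) {
        if (addr.length != net.length) return false;           // IPv4 vs IPv6 mismatch
        for (int i = 0; i < prefix; i++)                       // compare the leading prefix bits
            if (((addr[i / 8] ^ net[i / 8]) & (0x80 >> (i % 8))) != 0) return false;
        return true;
    }
    public static void main(String[] args) throws UnknownHostException {
        HostListMatcher m = new HostListMatcher("10.222.0.0/16, 10.113.221.221"); // constructed sample list
        System.out.println(m.includes("10.222.14.7") + " " + m.includes("10.223.0.1"));
    }
}
```

Because host names are consulted only after the exact-IP set and the CIDR ranges miss, a request from a listed IP or range never triggers a DNS lookup.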
