[
https://issues.apache.org/jira/browse/HADOOP-10565?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14043144#comment-14043144
]
Benoy Antony commented on HADOOP-10565:
---------------------------------------
Thanks [~arpitagarwal] for the very detailed review.
I have addressed your comments except #1 and #3.
For #1, note that the existing logic in _DefaultImpersonationProvider_
performs host resolution in a loop. While researching for a better solution, I
see that _InetAddress_ has a negative and positive cache internally. The
administrators can specify the cache expiry via two system properties:
{{networkaddress.cache.ttl}} and {{networkaddress.cache.negative.ttl}} (default: 10
secs).
Reference:
http://docs.oracle.com/javase/7/docs/technotes/guides/net/properties.html
These two parameters allow an administrator to tune the performance based on
his specific environment and performance requirements. We can probably mention
these parameters in the documentation. If this is acceptable, I can even remove
the existing _cacheIP_ based functionality (MachineList.java:111-119). Thus
#3 will be addressed as well.
> Support IP ranges (CIDR) in proxyuser.hosts
> --------------------------------------------
>
> Key: HADOOP-10565
> URL: https://issues.apache.org/jira/browse/HADOOP-10565
> Project: Hadoop Common
> Issue Type: Sub-task
> Components: security
> Reporter: Benoy Antony
> Assignee: Benoy Antony
> Attachments: HADOOP-10565.patch, HADOOP-10565.patch
>
>
> In some use cases, there will be many hosts from which the user can
> impersonate.
> This requires specifying many IPs in the XML configuration.
> It is cumbersome to specify and maintain a long list of IPs in proxyuser.hosts.
> The problem can be solved if we enable proxyuser.hosts to accept IP ranges in
> CIDR format.
> In addition, the current IP authorization involves a linear scan of the IPs and
> an attempt to do InetAddress.getByName() for each IP/host.
> It may be beneficial to group this functionality of IP authorization by
> looking up "ip addresses/host names/ip-ranges" into a separate class. This
> could be reused in other use cases which require similar functionality.
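As an added example (not Hadoop's own MachineList or DefaultImpersonationProvider code), the following Python matcher accepts a proxyuser.hosts-style value made of "*", single IPs, CIDR ranges and host names. Host names are resolved once at load time through an injectable resolver (here a constructed lookup table standing in for DNS), so the per-request check does no name resolution, and exact IPs are held in a set so only CIDR entries need the linear scan the issue describes.

```python
import ipaddress
import socket
from typing import Callable, List, Set

# Constructed stand-in for DNS so the example runs offline (assumption, not real data).
CONSTRUCTED_DNS = {"gateway.example.internal": "192.168.5.7"}

def constructed_resolver(name: str) -> str:
    """Resolve a host name from the constructed table; unknown names fail like DNS."""
    if name not in CONSTRUCTED_DNS:
        raise socket.gaierror(f"constructed resolver: unknown host {name}")
    return CONSTRUCTED_DNS[name]

class ProxyHostList:
    """Hypothetical matcher for a proxyuser.hosts value (comma-separated entries)."""

    def __init__(self, value: str, resolver: Callable[[str], str] = socket.gethostbyname):
        self.allow_all: bool = False
        self.addresses: Set[ipaddress._BaseAddress] = set()  # exact IPs: O(1) lookup
        self.networks: List[ipaddress._BaseNetwork] = []     # CIDR ranges: scanned
        self.unresolved: List[str] = []                      # bad/unresolvable entries
        for entry in (e.strip() for e in value.split(",")):
            if not entry:
                continue
            if entry == "*":
                self.allow_all = True
            elif "/" in entry:
                try:  # strict=False tolerates host bits set, e.g. 10.1.2.3/24 -> 10.1.2.0/24
                    self.networks.append(ipaddress.ip_network(entry, strict=False))
                except ValueError:
                    self.unresolved.append(entry)
            else:
                try:
                    self.addresses.add(ipaddress.ip_address(entry))
                except ValueError:  # not a literal IP: treat as a host name, resolve once
                    try:
                        self.addresses.add(ipaddress.ip_address(resolver(entry)))
                    except (OSError, ValueError):  # socket.gaierror is an OSError
                        self.unresolved.append(entry)  # never matches, fail closed

    def includes(self, caller_ip: str) -> bool:
        """Return True if the caller's IP is authorized by this list."""
        if self.allow_all:
            return True
        try:
            ip = ipaddress.ip_address(caller_ip)
        except ValueError:
            return False  # malformed caller address: deny
        if ip in self.addresses:
            return True
        return any(ip in net for net in self.networks)  # version mismatch yields False
```

Entries that fail to resolve are recorded in `unresolved` rather than silently dropped, so an operator can surface them in logs instead of discovering the gap only when a legitimate gateway is denied.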