hadoop-common-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Haohui Mai (JIRA)" <j...@apache.org>
Subject [jira] [Created] (HADOOP-11748) Secrets for auth cookies can be specified in clear text
Date Wed, 25 Mar 2015 18:24:52 GMT
Haohui Mai created HADOOP-11748:
-----------------------------------

             Summary: Secrets for auth cookies can be specified in clear text
                 Key: HADOOP-11748
                 URL: https://issues.apache.org/jira/browse/HADOOP-11748
             Project: Hadoop Common
          Issue Type: Bug
            Reporter: Haohui Mai
            Priority: Critical


Based on the discussion on HADOOP-10670, this jira proposes to remove {{StringSecretProvider}}
as it opens up possibilities for misconfiguration and security vulnerabilities.

{quote}

My understanding is that the use case of inlining the secret is never supported. The property
is used to pass the secret internally. The way it works before HADOOP-10868 is the following:

* Users specify the initializer of the authentication filter in the configuration.
* AuthenticationFilterInitializer reads the secret file. The server will not start if the
secret file does not exists. The initializer will set the property if it read the file correctly.
*There is no way to specify the secret in the configuration out-of-the-box – the secret
is always overwritten by AuthenticationFilterInitializer.

{quote}





--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message