hadoop-common-issues mailing list archives

From "Alejandro Abdelnur (JIRA)" <j...@apache.org>
Subject [jira] [Updated] (HADOOP-7621) alfredo config should be in a file not readable by users
Date Mon, 19 Sep 2011 15:37:09 GMT

     [ https://issues.apache.org/jira/browse/HADOOP-7621?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Alejandro Abdelnur updated HADOOP-7621:
---------------------------------------

    Attachment: HADOOP-7621.patch

Based on feedback, second patch uses the default config files for all properties and for the
secret now there is a property pointing to a file from where the secret will be loaded instead
of being inline.

This is identical to how keytabs are handled. And it is the responsibility of the deployer
to make sure those files are available and have the right permissions.

The patch is also setting and creating the test.build.dir and test.build.data directories.


> alfredo config should be in a file not readable by users
> --------------------------------------------------------
>
>                 Key: HADOOP-7621
>                 URL: https://issues.apache.org/jira/browse/HADOOP-7621
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.20.205.0, 0.23.0, 0.24.0
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>            Priority: Critical
>             Fix For: 0.20.205.0, 0.23.0, 0.24.0
>
>         Attachments: HADOOP-7621.patch, HADOOP-7621.patch
>
>
> [thxs ATM for pointing this one out]
> Alfredo configuration currently is stored in the core-site.xml file, this file is readable by users (it must be as Configuration defaults must be loaded).
> One of Alfredo config values is a secret which is used by all nodes to sign/verify the authentication cookie.
> A user could get hold of this secret and forge authentication cookies for other users.
> Because of this, the Alfredo configuration should be moved to a user non-readable file.

--
This message is automatically generated by JIRA.
For more information on JIRA, see: http://www.atlassian.com/software/jira
