Date: Wed, 23 Jul 2014 17:01:43 +0000 (UTC)
From: "Robert Kanter (JIRA)"
To: common-issues@hadoop.apache.org
Subject: [jira] [Commented] (HADOOP-10791) AuthenticationFilter should support externalizing the secret for signing and provide rotation support

    [ https://issues.apache.org/jira/browse/HADOOP-10791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14071960#comment-14071960 ]

Robert Kanter commented on HADOOP-10791:
----------------------------------------

I ran the failed test multiple times and it always succeeded; I think it was just being flakey.

> AuthenticationFilter should support externalizing the secret for signing and provide rotation support
> -----------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10791
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10791
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Robert Kanter
>         Attachments: HADOOP-10791.patch, HADOOP-10791.patch
>
>
> It should be possible to externalize the secret used to sign the hadoop-auth cookies.
> In the case of WebHDFS the shared secret used by NN and DNs could be used. In the case of Oozie HA, the secret could be stored in Oozie HA control data in ZooKeeper.
> In addition, it is desirable for the secret to change periodically; this means that the AuthenticationService should remember a previous secret for the max duration of hadoop-auth cookie.
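
A sketch of the rotation behaviour the issue description asks for, added here as an illustration; it is not Hadoop's AuthenticationFilter code or the attached patch. The class name, the `&s=` cookie layout, HMAC-SHA256 and the secrets are all assumptions constructed for the example.

```python
import hashlib
import hmac


class RotatingSigner:
    """Signs with the current secret; verifies with the current or previous one."""

    def __init__(self, secret: bytes):
        self.current = secret
        self.previous = None  # secret that was current before the last rotation

    def rotate(self, new_secret: bytes) -> None:
        # Only one old secret is retained. If rotation happens no more often
        # than the maximum cookie lifetime, every unexpired cookie was signed
        # with either the current or the previous secret.
        self.previous = self.current
        self.current = new_secret

    @staticmethod
    def _mac(secret: bytes, value: str) -> bytes:
        digest = hmac.new(secret, value.encode("utf-8"), hashlib.sha256)
        return digest.hexdigest().encode("ascii")

    def sign(self, value: str) -> str:
        return value + "&s=" + self._mac(self.current, value).decode("ascii")

    def verify(self, signed: str):
        """Return the signed value, or None if no retained secret matches."""
        value, sep, sig = signed.rpartition("&s=")
        if not sep:
            return None  # no signature suffix at all
        candidate = sig.encode("utf-8")
        for secret in (self.current, self.previous):
            # compare_digest avoids leaking the match position through timing.
            if secret and hmac.compare_digest(self._mac(secret, value), candidate):
                return value
        return None


def demo():
    """Constructed walk-through: one cookie observed across two rotations."""
    signer = RotatingSigner(b"constructed-secret-A")
    cookie = signer.sign("u=alice&e=1406134903000")
    signer.rotate(b"constructed-secret-B")
    after_one = signer.verify(cookie)  # A is now 'previous': still accepted
    tampered = signer.verify(cookie.replace("alice", "mallory"))
    signer.rotate(b"constructed-secret-C")
    after_two = signer.verify(cookie)  # A has been dropped: rejected
    return after_one, tampered, after_two


if __name__ == "__main__":
    print(demo())
```

The second rotation rejects the original cookie, which is why the rotation interval must be at least the maximum cookie lifetime: a shorter interval would invalidate cookies that have not yet expired.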