hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Daryn Sharp (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10880) Move HTTP delegation tokens out of URL querystring to a header
Date Wed, 06 Aug 2014 20:28:15 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14088198#comment-14088198
] 

Daryn Sharp commented on HADOOP-10880:
--------------------------------------

I was assuming the plan was to use http authentication itself.   The RFC defined method DIGEST
(circa late 90s) prevents sending the password over the wire in plain text.  I'm pretty sure
the SASL DIGEST-MD5 client we use at the RPC layer is emitting exactly what goes in the headers
during the exchange.

It's also not going to play nice with HA tokens...

> Move HTTP delegation tokens out of URL querystring to a header
> --------------------------------------------------------------
>
>                 Key: HADOOP-10880
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10880
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Alejandro Abdelnur
>            Priority: Blocker
>         Attachments: HADOOP-10880.patch
>
>
> Following up on a discussion in HADOOP-10799.
> Because URLs are often logged, delegation tokens may end up in LOG files while they are
still valid. 
> We should move the tokens to a header.
> We should still support tokens in the querystring for backwards compatibility.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message