Return-Path: X-Original-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Delivered-To: apmail-hadoop-common-issues-archive@minotaur.apache.org Received: from mail.apache.org (hermes.apache.org [140.211.11.3]) by minotaur.apache.org (Postfix) with SMTP id A21FA114F6 for ; Fri, 1 Aug 2014 23:45:40 +0000 (UTC) Received: (qmail 7453 invoked by uid 500); 1 Aug 2014 23:45:40 -0000 Delivered-To: apmail-hadoop-common-issues-archive@hadoop.apache.org Received: (qmail 7410 invoked by uid 500); 1 Aug 2014 23:45:40 -0000 Mailing-List: contact common-issues-help@hadoop.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: common-issues@hadoop.apache.org Delivered-To: mailing list common-issues@hadoop.apache.org Received: (qmail 7397 invoked by uid 99); 1 Aug 2014 23:45:40 -0000 Received: from arcas.apache.org (HELO arcas.apache.org) (140.211.11.28) by apache.org (qpsmtpd/0.29) with ESMTP; Fri, 01 Aug 2014 23:45:40 +0000 Date: Fri, 1 Aug 2014 23:45:40 +0000 (UTC) From: "Robert Kanter (JIRA)" To: common-issues@hadoop.apache.org Message-ID: In-Reply-To: References: Subject: [jira] [Updated] (HADOOP-10791) AuthenticationFilter should support externalizing the secret for signing and provide rotation support MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-JIRA-FingerPrint: 30527f35849b9dde25b450d4833f0394 [ https://issues.apache.org/jira/browse/HADOOP-10791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Robert Kanter updated HADOOP-10791: ----------------------------------- Attachment: HADOOP-10791.patch The patch addresses Tucu's comments. I spoke with him about hist last point (the logic change) and we decided it should be fine to leave the code where it is and instead not create new arrays and document that these should not be modified by the caller. I also added findbugs excludes for this. > AuthenticationFilter should support externalizing the secret for signing and provide rotation support > ----------------------------------------------------------------------------------------------------- > > Key: HADOOP-10791 > URL: https://issues.apache.org/jira/browse/HADOOP-10791 > Project: Hadoop Common > Issue Type: Improvement > Components: security > Affects Versions: 2.4.1 > Reporter: Alejandro Abdelnur > Assignee: Robert Kanter > Attachments: HADOOP-10791.patch, HADOOP-10791.patch, HADOOP-10791.patch > > > It should be possible to externalize the secret used to sign the hadoop-auth cookies. > In the case of WebHDFS the shared secret used by NN and DNs could be used. In the case of Oozie HA, the secret could be stored in Oozie HA control data in ZooKeeper. > In addition, it is desirable for the secret to change periodically, this means that the AuthenticationService should remember a previous secret for the max duration of hadoop-auth cookie. -- This message was sent by Atlassian JIRA (v6.2#6252)