hadoop-common-issues mailing list archives

From "Haohui Mai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10670) Allow AuthenticationFilter to respect signature secret file even without AuthenticationFilterInitializer
Date Tue, 24 Mar 2015 22:33:54 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10670?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14378803#comment-14378803
] 

Haohui Mai commented on HADOOP-10670:
-------------------------------------

The approach looks good.

{code}
+      // The precedence from high to low : file, inline string, random
+      if (signatureSecretFile != null) {
+        providerClassName = FileSignerSecretProvider.class.getName();
{code}
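Review bot: the guard `if (signatureSecretFile != null)` selects FileSignerSecretProvider on a non-null value alone, so an empty or blank signature.secret.file setting still picks the file provider rather than falling through to the next entry in the stated precedence (file, inline string, random); consider treating a blank value as unset, e.g. `if (signatureSecretFile != null && !signatureSecretFile.trim().isEmpty())`, and noting in the comment what happens when the configured file is missing or unreadable.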

I think the way the code works is a side effect of HADOOP-10868. We do not support inlining
the secret in the configuration. Anyone who can read the configuration can forge the authentication
cookie. This is a security vulnerability since the Hadoop configuration is readable by both
servers and clients. We have similar issues in NFS / LDAP, and we store the secret / credentials
in a separate file and guard them by setting the permissions properly.

We should remove {{StringSecretProvider}} once we have {{FileSecretProvider}}. [~rkanter],
can you comment on this?

I think the patch also needs to remove the duplicated code in {{RMAuthenticationFilterInitializer}}
as well.

> Allow AuthenticationFilter to respect signature secret file even without AuthenticationFilterInitializer
> --------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10670
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10670
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>            Priority: Minor
>         Attachments: HADOOP-10670-v4.patch, HADOOP-10670-v5.patch, hadoop-10670-v2.patch,
hadoop-10670-v3.patch, hadoop-10670.patch
>
>
> In the Hadoop web console, by using AuthenticationFilterInitializer, it is possible to configure
AuthenticationFilter with the required signature secret by specifying the signature.secret.file
property. This improvement would also allow this when AuthenticationFilterInitializer isn't
used, in situations like webhdfs.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
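The forgery risk Haohui describes above, worked through as an added example that is not Hadoop code and not part of the original comment: a client that can read an inline signature secret out of the configuration can mint a valid authentication cookie for any user, whereas a secret held in a file can be guarded by file permissions. The cookie layout and the HMAC-SHA256 tag are illustrative assumptions, not Hadoop's Signer construction; the configuration snippet is constructed; and the group/other permission check in `load_secret_file` is the safeguard the comment argues for, not a claim about what FileSignerSecretProvider does.

```python
"""Inline signature secret = forgery oracle; file-held secret + permission check = fix.
Added example, not Hadoop code. Cookie format and HMAC-SHA256 tag are assumptions."""
import base64
import hashlib
import hmac
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

SIG_SEP = "&s="
SECRET_PROP = "hadoop.http.authentication.signature.secret"  # inline-secret property used for illustration


def sign_cookie(secret: bytes, payload: str) -> str:
    """Append an HMAC-SHA256 tag over the payload (assumed cookie scheme)."""
    tag = hmac.new(secret, payload.encode(), hashlib.sha256).digest()
    return payload + SIG_SEP + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_cookie(secret: bytes, cookie: str):
    """Return the payload if the tag verifies, else None (constant-time compare)."""
    if SIG_SEP not in cookie:
        return None
    payload, _, _tag = cookie.rpartition(SIG_SEP)
    expected = sign_cookie(secret, payload)
    return payload if hmac.compare_digest(expected, cookie) else None


# Constructed: a configuration with the secret inlined, readable by every client.
INLINE_CONFIG = """<configuration>
  <property><name>hadoop.http.authentication.signature.secret</name>
  <value>not-so-secret-value</value></property>
</configuration>"""


def secret_from_inline_config(config_xml: str) -> bytes:
    """Pull the inline secret out the way any client holding the config could."""
    root = ET.fromstring(config_xml)
    for prop in root.iter("property"):
        if prop.findtext("name") == SECRET_PROP:
            return prop.findtext("value").encode()
    raise KeyError("no inline secret in configuration")


def forge_admin_cookie(config_xml: str) -> str:
    """Whoever can read the configuration can mint a cookie for any principal."""
    secret = secret_from_inline_config(config_xml)
    return sign_cookie(secret, "u=admin&p=admin/host@EXAMPLE.COM")


def load_secret_file(path: str) -> bytes:
    """Read a secret file, refusing one that group or others can access.
    This permission check is the added safeguard, not FileSignerSecretProvider's behaviour."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{path} is accessible by group/others (mode {oct(mode)})")
    with open(path, "rb") as f:
        return f.read().strip()


def demo() -> dict:
    """Forge against the inline secret, then exercise the file check with loose and tight modes."""
    forged = forge_admin_cookie(INLINE_CONFIG)
    server_secret = secret_from_inline_config(INLINE_CONFIG)  # server reads the same config
    results = {"forged_accepted": verify_cookie(server_secret, forged) is not None}
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "http-secret")
        with open(path, "wb") as f:
            f.write(b"file-held-secret\n")
        os.chmod(path, 0o644)  # world-readable: should be refused
        try:
            load_secret_file(path)
            results["world_readable_rejected"] = False
        except PermissionError:
            results["world_readable_rejected"] = True
        os.chmod(path, 0o600)  # owner-only: accepted
        results["restricted_loaded"] = load_secret_file(path) == b"file-held-secret"
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the demo is that `verify_cookie` cannot tell the forged cookie from a legitimate one: the signer's security rests entirely on the secret being unreadable to clients, which an inline configuration value cannot guarantee and a 0600 file can.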
