hadoop-common-issues mailing list archives

From "Haohui Mai (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-10670) Allow AuthenticationFilter to respect signature secret file even without AuthenticationFilterInitializer
Date Wed, 25 Mar 2015 18:03:53 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-10670?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14380372#comment-14380372 ]

Haohui Mai commented on HADOOP-10670:
-------------------------------------

bq.  it's a side effect of the original implementation, which simply loaded the secret from
a config property, or used a random one if not set.

My understanding is that the use case of inlining the secret is never supported. The property
is used to pass the secret internally. The way it works before HADOOP-10868 is the following:

* Users specify the initializer of the authentication filter in the configuration.
* {{AuthenticationFilterInitializer}} reads the secret file. The server will not start if
the secret file does not exist. The initializer will set the property if it reads the file
correctly.
* There is no way to specify the secret in the configuration out-of-the-box -- the secret
is always overwritten by {{AuthenticationFilterInitializer}}.

It looks like there might be some misunderstandings in the above workflow in HADOOP-10868.
We can remove {{StringSecretProvider}} in a separate jira. [~rkanter] what do you think?



> Allow AuthenticationFilter to respect signature secret file even without AuthenticationFilterInitializer
> --------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10670
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10670
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>            Priority: Minor
>         Attachments: HADOOP-10670-v4.patch, HADOOP-10670-v5.patch, HADOOP-10670-v6.patch, hadoop-10670-v2.patch, hadoop-10670-v3.patch, hadoop-10670.patch
>
>
> In Hadoop web console, by using AuthenticationFilterInitializer, it's allowed to configure
> AuthenticationFilter for the required signature secret by specifying signature.secret.file
> property. This improvement would also allow this when AuthenticationFilterInitializer isn't
> used in situations like webhdfs.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
