Hadoop Common
  1. Hadoop Common
  2. HADOOP-10791

AuthenticationFilter should support externalizing the secret for signing and provide rotation support

    Details

    • Type: Improvement Improvement
    • Status: Closed
    • Priority: Major Major
    • Resolution: Fixed
    • Affects Version/s: 2.4.1
    • Fix Version/s: 2.6.0
    • Component/s: security
    • Labels:
      None
    • Target Version/s:
    • Hadoop Flags:
      Reviewed

      Description

      It should be possible to externalize the secret used to sign the hadoop-auth cookies.

      In the case of WebHDFS the shared secret used by NN and DNs could be used. In the case of Oozie HA, the secret could be stored in Oozie HA control data in ZooKeeper.

      In addition, it is desirable for the secret to change periodically, this means that the AuthenticationService should remember a previous secret for the max duration of hadoop-auth cookie.

      1. HADOOP-10791.patch
        54 kB
        Robert Kanter
      2. HADOOP-10791.patch
        53 kB
        Robert Kanter
      3. HADOOP-10791.patch
        43 kB
        Robert Kanter
      4. HADOOP-10791.patch
        43 kB
        Robert Kanter

        Issue Links

          Activity

          No work has yet been logged on this issue.

            People

            • Assignee:
              Robert Kanter
              Reporter:
              Alejandro Abdelnur
            • Votes:
              0 Vote for this issue
              Watchers:
              8 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development