It should be possible to externalize the secret used to sign the hadoop-auth cookies.
In the case of WebHDFS the shared secret used by NN and DNs could be used. In the case of Oozie HA, the secret could be stored in Oozie HA control data in ZooKeeper.
In addition, it is desirable for the secret to change periodically, this means that the AuthenticationService should remember a previous secret for the max duration of hadoop-auth cookie.
|Field||Original Value||New Value|
|Assignee||Robert Kanter [ rkanter ]|
|Status||Open [ 1 ]||Patch Available [ 10002 ]|
|Status||Patch Available [ 10002 ]||Resolved [ 5 ]|
|Hadoop Flags||Reviewed [ 10343 ]|
|Fix Version/s||2.6.0 [ 12327179 ]|
|Resolution||Fixed [ 1 ]|
|Status||Resolved [ 5 ]||Closed [ 6 ]|