[HADOOP-10791] AuthenticationFilter should support externalizing the secret for signing and provide rotation support - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.4.1
Fix Version/s: 2.6.0
Component/s: security
Labels:
None

Target Version/s:

2.6.0
Hadoop Flags:

Reviewed

Description

It should be possible to externalize the secret used to sign the hadoop-auth cookies.

In the case of WebHDFS the shared secret used by NN and DNs could be used. In the case of Oozie HA, the secret could be stored in Oozie HA control data in ZooKeeper.

In addition, it is desirable for the secret to change periodically, this means that the AuthenticationService should remember a previous secret for the max duration of hadoop-auth cookie.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

HADOOP-10791.patch
04/Aug/14 21:57
54 kB
Robert Kanter
HADOOP-10791.patch
01/Aug/14 23:44
53 kB
Robert Kanter
HADOOP-10791.patch
22/Jul/14 22:28
43 kB
Robert Kanter
HADOOP-10791.patch
22/Jul/14 18:35
43 kB
Robert Kanter

Issue Links

breaks

YARN-2388 TestTimelineWebServices fails on trunk after HADOOP-10791

Closed

is depended upon by

OOZIE-1917 Authentication secret should be random by default and needs to coordinate with HA

Resolved

relates to

HADOOP-11567 Refresh HTTP Authentication secret without restarting the server

Patch Available

Sub-Tasks

Create a ZooKeeper-backed secret provider

Closed

Robert Kanter

Activity

People

Assignee:: Robert Kanter

Reporter:: Alejandro Abdelnur

Votes:: 0 Vote for this issue

Watchers:: 8 Start watching this issue

Dates

Created:: 07/Jul/14 17:42

Updated:: 09/Feb/15 23:28

Resolved:: 05/Aug/14 21:25