  1. Hadoop Common
  2. HADOOP-10791

AuthenticationFilter should support externalizing the secret for signing and provide rotation support


Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • 2.4.1
    • 2.6.0
    • security
    • None
    • Reviewed

    Description

      It should be possible to externalize the secret used to sign the hadoop-auth cookies.

      In the case of WebHDFS the shared secret used by NN and DNs could be used. In the case of Oozie HA, the secret could be stored in Oozie HA control data in ZooKeeper.

      In addition, it is desirable for the secret to change periodically; this means that the AuthenticationService should remember a previous secret for the max duration of a hadoop-auth cookie.
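
The rotation scheme the description asks for, as an added example in Java (not code from the HADOOP-10791 patch or from Hadoop itself): a signer that signs with the current secret and verifies against the current and one previous secret. The class name, the `&s=` separator, the use of HMAC-SHA256 and the rollover interval being at least the maximum cookie lifetime are assumptions.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.Base64;

/** Hypothetical rolling signer: an added example, not Hadoop's code. */
public class RollingCookieSigner {
    private static final String SEP = "&s=";   // assumed value/signature separator
    private byte[] current, previous;          // previous is null until the first rollover
    public RollingCookieSigner(byte[] secret) { current = secret.clone(); }
    /** Run once per rollover interval, assumed >= the max cookie lifetime. */
    public synchronized void roll(byte[] next) { previous = current; current = next.clone(); }
    public synchronized String sign(String value) { return value + SEP + mac(current, value); }

    /** Returns the value if the current or previous secret signed it, else null. */
    public synchronized String verify(String signed) {
        int i = signed.lastIndexOf(SEP);
        if (i < 0) return null;
        String value = signed.substring(0, i);
        byte[] given = signed.substring(i + SEP.length()).getBytes(StandardCharsets.UTF_8);
        boolean ok = matches(current, value, given);
        if (previous != null) ok |= matches(previous, value, given);
        return ok ? value : null;
    }

    /** Recomputes the tag and compares it with MessageDigest.isEqual (constant time). */
    private static boolean matches(byte[] secret, String value, byte[] given) {
        return MessageDigest.isEqual(mac(secret, value).getBytes(StandardCharsets.UTF_8), given);
    }

    private static String mac(byte[] secret, String value) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] tag = m.doFinal(value.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        byte[][] s = new byte[3][32];              // three constructed random secrets
        for (byte[] b : s) new SecureRandom().nextBytes(b);
        RollingCookieSigner signer = new RollingCookieSigner(s[0]);
        String cookie = signer.sign("u=alice&e=1700000000000");  // constructed value
        signer.roll(s[1]);                         // s[0] becomes the previous secret
        System.out.println("after 1 rollover:  " + (signer.verify(cookie) != null));
        signer.roll(s[2]);                         // s[0] is dropped
        System.out.println("after 2 rollovers: " + (signer.verify(cookie) != null));
    }
}
```

A cookie signed before a rollover still verifies after it and is rejected after the next one, which is why the rollover interval must not be shorter than the cookie's maximum lifetime.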

      Attachments

        1. HADOOP-10791.patch
          43 kB
          Robert Kanter
        2. HADOOP-10791.patch
          43 kB
          Robert Kanter
        3. HADOOP-10791.patch
          53 kB
          Robert Kanter
        4. HADOOP-10791.patch
          54 kB
          Robert Kanter


          People

            rkanter Robert Kanter
            tucu00 Alejandro Abdelnur