[thxs ATM for point this one out]
Alfredo configuration currently is stored in the core-site.xml file, this file is readable by users (it must be as Configuration defaults must be loaded).
One of Alfredo config values is a secret which is used by all nodes to sign/verify the authentication cookie.
A user could get hold of this secret and forge authentication cookies for other users.
Because of this the Alfredo configuration, should be move to a user non-readable file.
- is depended upon by
HADOOP-8357 Restore security in Hadoop 0.22 branch
- relates to
HADOOP-8043 KerberosAuthenticationFilter and friends have some problems
HADOOP-7119 add Kerberos HTTP SPNEGO authentication support to Hadoop JT/NN/DN/TT web-consoles