Hadoop Common
  1. Hadoop Common
  2. HADOOP-7621

alfredo config should be in a file not readable by users

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Critical Critical
    • Resolution: Fixed
    • Affects Version/s: 0.20.205.0, 0.23.0, 0.24.0
    • Fix Version/s: 1.1.0, 0.22.1, 2.0.0-alpha
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      [thxs ATM for point this one out]

      Alfredo configuration currently is stored in the core-site.xml file, this file is readable by users (it must be as Configuration defaults must be loaded).

      One of Alfredo config values is a secret which is used by all nodes to sign/verify the authentication cookie.

      A user could get hold of this secret and forge authentication cookies for other users.

      Because of this the Alfredo configuration, should be move to a user non-readable file.

      1. hadoop-7621-022.patch
        3 kB
        Benoy Antony
      2. HADOOP-7621-branch-0.20-security.patch
        5 kB
        Aaron T. Myers
      3. HADOOP-7621-branch-0.20-security.patch
        5 kB
        Aaron T. Myers
      4. HADOOP-7621.patch
        7 kB
        Alejandro Abdelnur
      5. HADOOP-7621.patch
        7 kB
        Alejandro Abdelnur
      6. HADOOP-7621.patch
        10 kB
        Alejandro Abdelnur

        Issue Links

          Activity

          Hide
          Alejandro Abdelnur added a comment -

          Currently we have a config file for the task controller which has similar security requirements.

          We could either consolidate things in a user non-readable security-site.xml file.

          And/Or (but this is larger scope) we should decouple user config from cluster config.

          Show
          Alejandro Abdelnur added a comment - Currently we have a config file for the task controller which has similar security requirements. We could either consolidate things in a user non-readable security-site.xml file. And/Or (but this is larger scope) we should decouple user config from cluster config.
          Hide
          Alejandro Abdelnur added a comment -

          introduces a security-site.xml which is owner readable only.

          Show
          Alejandro Abdelnur added a comment - introduces a security-site.xml which is owner readable only.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12494310/HADOOP-7621.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 4 new or modified tests.

          -1 patch. The patch command could not apply the patch.

          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/176//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12494310/HADOOP-7621.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 4 new or modified tests. -1 patch. The patch command could not apply the patch. Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/176//console This message is automatically generated.
          Hide
          Aaron T. Myers added a comment -

          Hey Alejandro, I have a few issues with this approach:

          1. What's the criteria for which settings belong in which file, i.e. core-site.xml vs. security-site.xml? The specific vulnerability which prompted this JIRA was only that hadoop.http.authentication.signature.secret needs to be kept secret from users, yet you put all of the Hadoop Auth filter settings in this file.
          2. I don't think 0600 are the permissions we should be using. Since the MR and HDFS daemons are usually run as separate users, and this secret needs to be available to both, the file should probably be 0640, and have a group which is shared by both user accounts.
          3. I think we're asking for trouble by including this secret-containing file in the same directory as the other, public configuration files. security-site.xml is somewhat different from the taskcontroller.cfg file in that the latter just can't be writable by users on the cluster boxes, whereas the former must not be readable by any user anywhere. I can virtually guarantee that some unknowing admin will copy the whole contents of /etc/hadoop/conf/ on some cluster box to create a user's HADOOP_CONF_DIR, and in so doing accidentally expose the secret. For that matter, those sites which share a HADOOP_CONF_DIR over NFS will have to do something different to make sure that everything but security-site.xml gets shared.
          4. It seems like somewhere in the code (probably right before adding security-site.xml as a resource) we should check that the file doesn't have overly-permissive permissions, much as the task-controller binary currently does.

          For all these reasons I think it makes the most sense to scrap security-site.xml entirely, and change the setting "hadoop.http.authentication.signature.secret" to "hadoop.http.authentication.signature.secret.file", which would be configured to point to a file whose contents are then interpreted in their entirety as the secret for generating/validating tokens.

          Thoughts?

          Show
          Aaron T. Myers added a comment - Hey Alejandro, I have a few issues with this approach: What's the criteria for which settings belong in which file, i.e. core-site.xml vs. security-site.xml? The specific vulnerability which prompted this JIRA was only that hadoop.http.authentication.signature.secret needs to be kept secret from users, yet you put all of the Hadoop Auth filter settings in this file. I don't think 0600 are the permissions we should be using. Since the MR and HDFS daemons are usually run as separate users, and this secret needs to be available to both, the file should probably be 0640 , and have a group which is shared by both user accounts. I think we're asking for trouble by including this secret-containing file in the same directory as the other, public configuration files. security-site.xml is somewhat different from the taskcontroller.cfg file in that the latter just can't be writable by users on the cluster boxes, whereas the former must not be readable by any user anywhere. I can virtually guarantee that some unknowing admin will copy the whole contents of /etc/hadoop/conf/ on some cluster box to create a user's HADOOP_CONF_DIR , and in so doing accidentally expose the secret. For that matter, those sites which share a HADOOP_CONF_DIR over NFS will have to do something different to make sure that everything but security-site.xml gets shared. It seems like somewhere in the code (probably right before adding security-site.xml as a resource) we should check that the file doesn't have overly-permissive permissions, much as the task-controller binary currently does. For all these reasons I think it makes the most sense to scrap security-site.xml entirely, and change the setting " hadoop.http.authentication.signature.secret " to " hadoop.http.authentication.signature.secret.file ", which would be configured to point to a file whose contents are then interpreted in their entirety as the secret for generating/validating tokens. Thoughts?
          Hide
          Alejandro Abdelnur added a comment -

          #1, keep all auth config in one place

          #2, make sense. Do we have such group today?

          #3, so where would be the location of this 'secret' file?

          #4, AFAIK you can set permissions with File but you cannot check them.

          If we change to 'secret' file, what would be the location of this file by default?

          Show
          Alejandro Abdelnur added a comment - #1, keep all auth config in one place #2, make sense. Do we have such group today? #3, so where would be the location of this 'secret' file? #4, AFAIK you can set permissions with File but you cannot check them. If we change to 'secret' file, what would be the location of this file by default?
          Hide
          Alejandro Abdelnur added a comment -

          using a 'secret' file just for this secret, what if there is something else needing a secret? we don't want those 'secrets' files to proliferate.

          Show
          Alejandro Abdelnur added a comment - using a 'secret' file just for this secret, what if there is something else needing a secret? we don't want those 'secrets' files to proliferate.
          Hide
          Aaron T. Myers added a comment -

          keep all auth config in one place

          Sure, but it's called "security-site.xml", but it doesn't contain most of the Hadoop security configs, just the HTTP auth filter configs. For that matter, is it unreasonable that there might be some HTTP auth filter config which clients might need to know? It seems like we're unnecessarily overloading the purpose of this file to be both secret and to group like-configs in the same place.

          make sense. Do we have such group today?

          The answer to that is going to be specific to whatever method a user uses to install/configure Hadoop. FWIW, in CDH's packages there is a 'hadoop' group which both 'mapred' and 'hdfs' belong to. I don't know for sure, but I bet this is what the built-in Hadoop packages do, too.

          so where would be the location of this 'secret' file?

          Good question. Kerberos has two distinct files: /etc/krb5.conf and /etc/krb5kdc/kdc.conf, where the former is world-readable, and the latter is not. Maybe, then, /etc/hadoop/conf/ and /etc/hadoop/conf-secret/ ?

          AFAIK you can set permissions with File but you cannot check them.

          Ah, that could very well be. Pretty sure Hadoop has some classes with helper methods to deal with getting/setting group permissions, which might use JNI or fork a sub-process.

          using a 'secret' file just for this secret, what if there is something else needing a secret? we don't want those 'secrets' files to proliferate.

          That's totally valid, and a very good point. Still, though, I'm not sure that the solution you have here is appropriate. For example, what if something should be secret only to the MR daemons, but not to the HDFS daemons, or vice versa? We couldn't reasonably put such a secret in security-site.xml, since as previously-mentioned this file must be readable by both.

          Show
          Aaron T. Myers added a comment - keep all auth config in one place Sure, but it's called " security-site.xml ", but it doesn't contain most of the Hadoop security configs, just the HTTP auth filter configs. For that matter, is it unreasonable that there might be some HTTP auth filter config which clients might need to know? It seems like we're unnecessarily overloading the purpose of this file to be both secret and to group like-configs in the same place. make sense. Do we have such group today? The answer to that is going to be specific to whatever method a user uses to install/configure Hadoop. FWIW, in CDH's packages there is a 'hadoop' group which both 'mapred' and 'hdfs' belong to. I don't know for sure, but I bet this is what the built-in Hadoop packages do, too. so where would be the location of this 'secret' file? Good question. Kerberos has two distinct files: /etc/krb5.conf and /etc/krb5kdc/kdc.conf , where the former is world-readable, and the latter is not. Maybe, then, /etc/hadoop/conf/ and /etc/hadoop/conf-secret/ ? AFAIK you can set permissions with File but you cannot check them. Ah, that could very well be. Pretty sure Hadoop has some classes with helper methods to deal with getting/setting group permissions, which might use JNI or fork a sub-process. using a 'secret' file just for this secret, what if there is something else needing a secret? we don't want those 'secrets' files to proliferate. That's totally valid, and a very good point. Still, though, I'm not sure that the solution you have here is appropriate. For example, what if something should be secret only to the MR daemons, but not to the HDFS daemons, or vice versa? We couldn't reasonably put such a secret in security-site.xml , since as previously-mentioned this file must be readable by both.
          Hide
          Alejandro Abdelnur added a comment -

          Based on feedback, second patch uses the default config files for all properties and for the secret now there is a property pointing to a file from where the secret will be loaded instead being inline.

          This is is identical to how keytabs are handled. And it is the responsibility of the deployer to make sure those files are available and have the right permissions.

          The patch is also setting&creating the test.build.dir and test.build.data directories.

          Show
          Alejandro Abdelnur added a comment - Based on feedback, second patch uses the default config files for all properties and for the secret now there is a property pointing to a file from where the secret will be loaded instead being inline. This is is identical to how keytabs are handled. And it is the responsibility of the deployer to make sure those files are available and have the right permissions. The patch is also setting&creating the test.build.dir and test.build.data directories.
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12495088/HADOOP-7621.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 6 new or modified tests.

          -1 patch. The patch command could not apply the patch.

          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/202//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12495088/HADOOP-7621.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 6 new or modified tests. -1 patch. The patch command could not apply the patch. Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/202//console This message is automatically generated.
          Hide
          Aaron T. Myers added a comment -

          Hey Alejandro, patch looks pretty good to me. I manually tested it out on a secure cluster and it worked like a charm. Just a few nits:

          1. In the docs, you didn't update the default value. The default value is no longer "hadoop", but rather "${user.home}/hadoop-http-auth-signature-secret".
          2. I don't think including $ {user.home}

            in the default path is a good idea, since most users will be deploying the HDFS and MR daemons as separate user accounts. Perhaps the default should be /etc/hadoop/conf/hadoop-http-auth-signature-secret?

          3. Why do you read in the secret file only one character at a time? Granted, the file shouldn't be very large, but if there's no reason to go character-by-character, then we might as well read it a large-ish chunk at a time.
          4. Nit: catch(...) should be on the same line as the prior closing brace.
          Show
          Aaron T. Myers added a comment - Hey Alejandro, patch looks pretty good to me. I manually tested it out on a secure cluster and it worked like a charm. Just a few nits: In the docs, you didn't update the default value. The default value is no longer "hadoop", but rather "${user.home}/hadoop-http-auth-signature-secret". I don't think including $ {user.home} in the default path is a good idea, since most users will be deploying the HDFS and MR daemons as separate user accounts. Perhaps the default should be /etc/hadoop/conf/hadoop-http-auth-signature-secret ? Why do you read in the secret file only one character at a time? Granted, the file shouldn't be very large, but if there's no reason to go character-by-character, then we might as well read it a large-ish chunk at a time. Nit: catch(...) should be on the same line as the prior closing brace.
          Hide
          Alejandro Abdelnur added a comment -

          #1 addressed
          #2 Once HADOOP-7652 gets implemented, this config should go in the server config dir.
          #3 this is reading a 'small' text file, char by char is simpler
          #4 addressed

          Show
          Alejandro Abdelnur added a comment - #1 addressed #2 Once HADOOP-7652 gets implemented, this config should go in the server config dir. #3 this is reading a 'small' text file, char by char is simpler #4 addressed
          Hide
          Hadoop QA added a comment -

          -1 overall. Here are the results of testing the latest attachment
          http://issues.apache.org/jira/secure/attachment/12495176/HADOOP-7621.patch
          against trunk revision .

          +1 @author. The patch does not contain any @author tags.

          +1 tests included. The patch appears to include 6 new or modified tests.

          -1 patch. The patch command could not apply the patch.

          Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/206//console

          This message is automatically generated.

          Show
          Hadoop QA added a comment - -1 overall. Here are the results of testing the latest attachment http://issues.apache.org/jira/secure/attachment/12495176/HADOOP-7621.patch against trunk revision . +1 @author. The patch does not contain any @author tags. +1 tests included. The patch appears to include 6 new or modified tests. -1 patch. The patch command could not apply the patch. Console output: https://builds.apache.org/job/PreCommit-HADOOP-Build/206//console This message is automatically generated.
          Hide
          Aaron T. Myers added a comment -

          +1, the latest patch looks good to me.

          I'll commit this tomorrow if there are no comments in the mean time.

          Show
          Aaron T. Myers added a comment - +1, the latest patch looks good to me. I'll commit this tomorrow if there are no comments in the mean time.
          Hide
          Aaron T. Myers added a comment -

          I've just committed this to trunk. Thanks a lot, Alejandro.

          Show
          Aaron T. Myers added a comment - I've just committed this to trunk. Thanks a lot, Alejandro.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-trunk-Commit #931 (See https://builds.apache.org/job/Hadoop-Common-trunk-Commit/931/)
          HADOOP-7621. alfredo config should be in a file not readable by users (Alejandro Abdelnur via atm)

          atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1173739
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-project/pom.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Common-trunk-Commit #931 (See https://builds.apache.org/job/Hadoop-Common-trunk-Commit/931/ ) HADOOP-7621 . alfredo config should be in a file not readable by users (Alejandro Abdelnur via atm) atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1173739 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-project/pom.xml
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Hdfs-trunk-Commit #1009 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/1009/)
          HADOOP-7621. alfredo config should be in a file not readable by users (Alejandro Abdelnur via atm)

          atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1173739
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-project/pom.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Hdfs-trunk-Commit #1009 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk-Commit/1009/ ) HADOOP-7621 . alfredo config should be in a file not readable by users (Alejandro Abdelnur via atm) atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1173739 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-project/pom.xml
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-trunk-Commit #948 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/948/)
          HADOOP-7621. alfredo config should be in a file not readable by users (Alejandro Abdelnur via atm)

          atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1173739
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-project/pom.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk-Commit #948 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk-Commit/948/ ) HADOOP-7621 . alfredo config should be in a file not readable by users (Alejandro Abdelnur via atm) atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1173739 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-project/pom.xml
          Hide
          Aaron T. Myers added a comment -

          Here's a back-port of this patch to branch-0.20-security.

          Show
          Aaron T. Myers added a comment - Here's a back-port of this patch to branch-0.20-security.
          Hide
          Aaron T. Myers added a comment -

          Reopening this for the branch-0.20-security back-port. Assigning it to me since Alejandro is going to be offline for a while.

          Show
          Aaron T. Myers added a comment - Reopening this for the branch-0.20-security back-port. Assigning it to me since Alejandro is going to be offline for a while.
          Hide
          Harsh J added a comment -

          +1. BP looks good, but please remove whitespaces from src/core/org/apache/hadoop/security/AuthenticationFilterInitializer.java and src/docs/src/documentation/content/xdocs/HttpAuthentication.xml and supply a fresh patch before committing it!

          Modified test pass locally:

          
              [junit] Running org.apache.hadoop.security.TestAuthenticationFilter
              [junit] Tests run: 1, Failures: 0, Errors: 0, Time elapsed: 0.373 sec
          
          
          Show
          Harsh J added a comment - +1. BP looks good, but please remove whitespaces from src/core/org/apache/hadoop/security/AuthenticationFilterInitializer.java and src/docs/src/documentation/content/xdocs/HttpAuthentication.xml and supply a fresh patch before committing it! Modified test pass locally: [junit] Running org.apache.hadoop.security.TestAuthenticationFilter [junit] Tests run: 1, Failures: 0, Errors: 0, Time elapsed: 0.373 sec
          Hide
          Harsh J added a comment -

          Failed to mention, but TestAuthenticationFilter has extra whitesp too. Please remove from that as well!

          Show
          Harsh J added a comment - Failed to mention, but TestAuthenticationFilter has extra whitesp too. Please remove from that as well!
          Hide
          Aaron T. Myers added a comment -

          Thanks a lot for the review, Harsh. Here's an updated patch with the whitespace removed. I'm going to commit this momentarily.

          Show
          Aaron T. Myers added a comment - Thanks a lot for the review, Harsh. Here's an updated patch with the whitespace removed. I'm going to commit this momentarily.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Hdfs-trunk #808 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/808/)
          HADOOP-7621. alfredo config should be in a file not readable by users (Alejandro Abdelnur via atm)

          atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1173739
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-project/pom.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Hdfs-trunk #808 (See https://builds.apache.org/job/Hadoop-Hdfs-trunk/808/ ) HADOOP-7621 . alfredo config should be in a file not readable by users (Alejandro Abdelnur via atm) atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1173739 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-project/pom.xml
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-trunk #838 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/838/)
          HADOOP-7621. alfredo config should be in a file not readable by users (Alejandro Abdelnur via atm)

          atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1173739
          Files :

          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
          • /hadoop/common/trunk/hadoop-project/pom.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-trunk #838 (See https://builds.apache.org/job/Hadoop-Mapreduce-trunk/838/ ) HADOOP-7621 . alfredo config should be in a file not readable by users (Alejandro Abdelnur via atm) atm : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1173739 Files : /hadoop/common/trunk/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/trunk/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java /hadoop/common/trunk/hadoop-project/pom.xml
          Hide
          Alejandro Abdelnur added a comment -

          Merged into branch-0.23

          Show
          Alejandro Abdelnur added a comment - Merged into branch-0.23
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-0.23-Commit #609 (See https://builds.apache.org/job/Hadoop-Common-0.23-Commit/609/)
          Merge -r 1173738:1173739 from trunk to branch. FIXES: HADOOP-7621 (Revision 1294774)

          Result = SUCCESS
          tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1294774
          Files :

          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
          • /hadoop/common/branches/branch-0.23/hadoop-project/pom.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Common-0.23-Commit #609 (See https://builds.apache.org/job/Hadoop-Common-0.23-Commit/609/ ) Merge -r 1173738:1173739 from trunk to branch. FIXES: HADOOP-7621 (Revision 1294774) Result = SUCCESS tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1294774 Files : /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java /hadoop/common/branches/branch-0.23/hadoop-project/pom.xml
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Hdfs-0.23-Commit #597 (See https://builds.apache.org/job/Hadoop-Hdfs-0.23-Commit/597/)
          Merge -r 1173738:1173739 from trunk to branch. FIXES: HADOOP-7621 (Revision 1294774)

          Result = SUCCESS
          tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1294774
          Files :

          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
          • /hadoop/common/branches/branch-0.23/hadoop-project/pom.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Hdfs-0.23-Commit #597 (See https://builds.apache.org/job/Hadoop-Hdfs-0.23-Commit/597/ ) Merge -r 1173738:1173739 from trunk to branch. FIXES: HADOOP-7621 (Revision 1294774) Result = SUCCESS tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1294774 Files : /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java /hadoop/common/branches/branch-0.23/hadoop-project/pom.xml
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-0.23-Commit #610 (See https://builds.apache.org/job/Hadoop-Mapreduce-0.23-Commit/610/)
          Merge -r 1173738:1173739 from trunk to branch. FIXES: HADOOP-7621 (Revision 1294774)

          Result = ABORTED
          tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1294774
          Files :

          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
          • /hadoop/common/branches/branch-0.23/hadoop-project/pom.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-0.23-Commit #610 (See https://builds.apache.org/job/Hadoop-Mapreduce-0.23-Commit/610/ ) Merge -r 1173738:1173739 from trunk to branch. FIXES: HADOOP-7621 (Revision 1294774) Result = ABORTED tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1294774 Files : /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java /hadoop/common/branches/branch-0.23/hadoop-project/pom.xml
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Hdfs-0.23-Build #183 (See https://builds.apache.org/job/Hadoop-Hdfs-0.23-Build/183/)
          Merge -r 1173738:1173739 from trunk to branch. FIXES: HADOOP-7621 (Revision 1294774)

          Result = FAILURE
          tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1294774
          Files :

          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
          • /hadoop/common/branches/branch-0.23/hadoop-project/pom.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Hdfs-0.23-Build #183 (See https://builds.apache.org/job/Hadoop-Hdfs-0.23-Build/183/ ) Merge -r 1173738:1173739 from trunk to branch. FIXES: HADOOP-7621 (Revision 1294774) Result = FAILURE tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1294774 Files : /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java /hadoop/common/branches/branch-0.23/hadoop-project/pom.xml
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Mapreduce-0.23-Build #211 (See https://builds.apache.org/job/Hadoop-Mapreduce-0.23-Build/211/)
          Merge -r 1173738:1173739 from trunk to branch. FIXES: HADOOP-7621 (Revision 1294774)

          Result = FAILURE
          tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1294774
          Files :

          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
          • /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
          • /hadoop/common/branches/branch-0.23/hadoop-project/pom.xml
          Show
          Hudson added a comment - Integrated in Hadoop-Mapreduce-0.23-Build #211 (See https://builds.apache.org/job/Hadoop-Mapreduce-0.23-Build/211/ ) Merge -r 1173738:1173739 from trunk to branch. FIXES: HADOOP-7621 (Revision 1294774) Result = FAILURE tucu : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1294774 Files : /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/CHANGES.txt /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml /hadoop/common/branches/branch-0.23/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java /hadoop/common/branches/branch-0.23/hadoop-project/pom.xml
          Hide
          Benoy Antony added a comment -

          attached patch for 0.22

          Show
          Benoy Antony added a comment - attached patch for 0.22
          Hide
          Konstantin Shvachko added a comment -

          I just committed this to branch 0.22.1. Thank you Benoy.

          Show
          Konstantin Shvachko added a comment - I just committed this to branch 0.22.1. Thank you Benoy.
          Hide
          Hudson added a comment -

          Integrated in Hadoop-Common-22-branch #106 (See https://builds.apache.org/job/Hadoop-Common-22-branch/106/)
          HADOOP-7621. Alfredo config should be in a file not readable by users. Contributed by Aaron T. Myers and Benoy Antony. (Revision 1346227)

          Result = SUCCESS
          shv : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1346227
          Files :

          • /hadoop/common/branches/branch-0.22/common/CHANGES.txt
          • /hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/HttpAuthentication.xml
          • /hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
          Show
          Hudson added a comment - Integrated in Hadoop-Common-22-branch #106 (See https://builds.apache.org/job/Hadoop-Common-22-branch/106/ ) HADOOP-7621 . Alfredo config should be in a file not readable by users. Contributed by Aaron T. Myers and Benoy Antony. (Revision 1346227) Result = SUCCESS shv : http://svn.apache.org/viewcvs.cgi/?root=Apache-SVN&view=rev&rev=1346227 Files : /hadoop/common/branches/branch-0.22/common/CHANGES.txt /hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/HttpAuthentication.xml /hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java

            People

            • Assignee:
              Aaron T. Myers
              Reporter:
              Alejandro Abdelnur
            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:

                Development