The value of oozie.authentication.signature.secret is the secret that's used to sign the cookies/tokens crated by Oozie for authentication after Kerberos. If a malicious user were to find out this secret, they could forge counterfeit cookies/tokens as any user with any expiration date.
Oozie exposed the configuration properties via its REST API. It currently only masks any properties that end with ".password" (i.e. oozie.service.JPAService.jdbc.password). We should expand this to also mask the signature secret.
In fact, it would be useful to generalize this ability to add a property that masks something the user can configure.