Oozie / OOZIE-1651

Oozie should mask the signature secret in the configuration output

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: 3.3.2, 4.0.0
    • Fix Version/s: 4.1.0
    • Component/s: security
    • Labels:
      None

      Description

      The value of oozie.authentication.signature.secret is the secret that's used to sign the cookies/tokens created by Oozie for authentication after Kerberos. If a malicious user were to find out this secret, they could forge counterfeit cookies/tokens as any user with any expiration date.

      Oozie exposes the configuration properties via its REST API. It currently only masks properties that end with ".password" (e.g. oozie.service.JPAService.jdbc.password). We should expand this to also mask the signature secret.

      In fact, it would be useful to generalize this ability to add a property that masks something the user can configure.
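      The following is an added illustration of the two points above, not code from the Oozie project or from the reporter's patches. It models the REST configuration output as a plain dictionary, reproduces the current ".password"-suffix masking, adds a comma-separated mask list under the hypothetical property name oozie.configuration.mask.list (an assumption; the real property name and format are whatever the patch chose), and shows why the leak matters: with a simplified HMAC-based cookie scheme (not Hadoop's actual Signer format), anyone holding the signature secret can mint a token for any user with any expiry that the server accepts. All configuration values and the "*****" mask string are constructed sample data.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Set

MASK = "*****"
MASKED_SUFFIX = ".password"          # current rule: only keys ending in .password are hidden
# Hypothetical property for the proposed generalized mask list (assumption, not an Oozie name).
MASK_LIST_KEY = "oozie.configuration.mask.list"
SIGNATURE_SECRET_KEY = "oozie.authentication.signature.secret"

# Constructed sample configuration; all values are made up.
SAMPLE_CONFIG: Dict[str, str] = {
    "oozie.authentication.type": "kerberos",
    SIGNATURE_SECRET_KEY: "correct horse battery staple",
    "oozie.service.JPAService.jdbc.url": "jdbc:derby:${oozie.data.dir}/oozie-db;create=true",
    "oozie.service.JPAService.jdbc.password": "db-password",
}


def extra_masked_keys(conf: Dict[str, str]) -> Set[str]:
    """Parse the operator-supplied, comma-separated list of additional keys to mask."""
    return {k.strip() for k in conf.get(MASK_LIST_KEY, "").split(",") if k.strip()}


def mask_config(conf: Dict[str, str]) -> Dict[str, str]:
    """Return a copy of the configuration that is safe to publish over the REST API.

    A key is hidden if it ends with MASKED_SUFFIX (the existing behaviour) or if it
    is listed in the mask list (the generalization proposed in the issue).
    """
    extra = extra_masked_keys(conf)
    return {
        key: MASK if (key.endswith(MASKED_SUFFIX) or key in extra) else value
        for key, value in conf.items()
    }


def sign_token(secret: str, user: str, expires: int) -> str:
    """Simplified signed auth cookie: 'u=<user>&e=<unix expiry>&s=<hmac-sha256 hex>'."""
    payload = f"u={user}&e={expires}"
    sig = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}&s={sig}"


def verify_token(secret: str, token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the user name if the token's signature and expiry check out, else None."""
    payload, sep, sig = token.rpartition("&s=")
    if not sep:
        return None
    expected = hmac.new(secret.encode(), payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):   # constant-time comparison
        return None
    fields = dict(part.split("=", 1) for part in payload.split("&"))
    now = int(time.time()) if now is None else now
    if int(fields["e"]) <= now:
        return None
    return fields["u"]


if __name__ == "__main__":
    # Current behaviour: the DB password is hidden but the signature secret is not.
    exposed = mask_config(SAMPLE_CONFIG)
    print("current output:", exposed)

    # Hardened: list the secret in the mask list and it is hidden too.
    hardened = {**SAMPLE_CONFIG, MASK_LIST_KEY: SIGNATURE_SECRET_KEY}
    print("masked output: ", mask_config(hardened))

    # The attack the issue describes: read the secret from the API, mint an admin cookie
    # valid until 2100-01-01 (4102444800), and the server accepts it as genuine.
    leaked_secret = exposed[SIGNATURE_SECRET_KEY]
    forged = sign_token(leaked_secret, "admin", 4102444800)
    print("forged cookie accepted as:", verify_token(SAMPLE_CONFIG[SIGNATURE_SECRET_KEY], forged))
```

      Note that suffix matching on ".password" alone is a fragile allow-by-default rule; a mask list that operators can extend lets a deployment hide any property it considers sensitive without waiting for a code change, which is the generalization the issue asks for.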

        Attachments

        1. OOZIE-1651.patch
          9 kB
          Robert Kanter
        2. OOZIE-1651.patch
          9 kB
          Robert Kanter
        3. OOZIE-1651.patch
          14 kB
          Robert Kanter
        4. OOZIE-1651.patch
          14 kB
          Robert Kanter
        5. OOZIE-1651.patch
          13 kB
          Robert Kanter


            People

            • Assignee:
              rkanter Robert Kanter
              Reporter:
              rkanter Robert Kanter
            • Votes:
              0
              Watchers:
              2
