[OOZIE-1651] Oozie should mask the signature secret in the configuration output - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Critical
Resolution: Fixed
Affects Version/s: 3.3.2, 4.0.0
Fix Version/s: 4.1.0
Component/s: security
Labels:
None

Description

The value of oozie.authentication.signature.secret is the secret that's used to sign the cookies/tokens crated by Oozie for authentication after Kerberos. If a malicious user were to find out this secret, they could forge counterfeit cookies/tokens as any user with any expiration date.

Oozie exposed the configuration properties via its REST API. It currently only masks any properties that end with ".password" (i.e. oozie.service.JPAService.jdbc.password). We should expand this to also mask the signature secret.

In fact, it would be useful to generalize this ability to add a property that masks something the user can configure.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OOZIE-1651.patch
02/Jan/14 19:55
9 kB
Robert Kanter
OOZIE-1651.patch
02/Jan/14 18:41
9 kB
Robert Kanter
OOZIE-1651.patch
26/Dec/13 21:54
14 kB
Robert Kanter
OOZIE-1651.patch
23/Dec/13 16:46
14 kB
Robert Kanter
OOZIE-1651.patch
21/Dec/13 01:07
13 kB
Robert Kanter

Activity

People

Assignee:: Robert Kanter

Reporter:: Robert Kanter

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 20/Dec/13 21:44

Updated:: 09/Dec/14 00:45

Resolved:: 02/Jan/14 21:25