Oozie / OOZIE-1917

Authentication secret should be random by default and needs to coordinate with HA

    Details

    • Type: Improvement
    • Status: Resolved
    • Priority: Critical
    • Resolution: Fixed
    • Affects Version/s: trunk
    • Fix Version/s: 4.2.0
    • Component/s: HA, security
    • Labels:
      None

      Description

      oozie.authentication.signature.secret is currently set to oozie by default, which is a pretty poor value for this. We should set it to be random by default (i.e. blank in oozie-site/default).

      We should also make it so that with Oozie HA, we store this value in ZooKeeper so all Oozie servers can use the same secret. This may get a little tricky because hadoop-auth's AuthenticationFilter doesn't make it easy/practical to change how the Signer and secret are set. We'll likely have to have Oozie's AuthFilter compute its own random secret and do all the ZK stuff and set the value of oozie.authentication.signature.secret before calling AuthenticationFilter#init.
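
The flow proposed in the description, as an added sketch that is not taken from the attached patch or from Oozie's code: a blank secret is replaced by a random one, and with HA the first server to publish its value wins so every server signs with the same secret. An in-memory map stands in for ZooKeeper, and the class name, method names and znode path are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Properties;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;

public class SharedSecretSketch {
    static final String SECRET_PROP = "oozie.authentication.signature.secret";
    // Hypothetical znode path; the issue does not name one.
    static final String SECRET_PATH = "/example/auth-secret";

    // Stand-in for ZooKeeper (assumption): putIfAbsent models a create()
    // that fails when the node already exists.
    static final ConcurrentMap<String, String> sharedStore = new ConcurrentHashMap<>();

    static String randomSecret() {
        byte[] buf = new byte[32];              // 256 bits from a CSPRNG
        new SecureRandom().nextBytes(buf);
        return Base64.getEncoder().encodeToString(buf);
    }

    // Builds the configuration a server would pass on before AuthenticationFilter#init.
    static Properties resolveFilterConfig(Properties site, boolean haEnabled) {
        Properties out = new Properties();
        out.putAll(site);
        String secret = site.getProperty(SECRET_PROP, "").trim();
        if (secret.isEmpty()) {                 // blank means "pick a random secret"
            secret = randomSecret();
            if (haEnabled) {
                // Only the first server's value is stored; later servers adopt it.
                String existing = sharedStore.putIfAbsent(SECRET_PATH, secret);
                if (existing != null) {
                    secret = existing;
                }
            }
        }                                       // an explicitly configured value is kept (assumption)
        out.setProperty(SECRET_PROP, secret);
        return out;
    }

    public static void main(String[] args) {
        Properties site = new Properties();     // constructed input: secret left blank
        String a = resolveFilterConfig(site, true).getProperty(SECRET_PROP);
        String b = resolveFilterConfig(site, true).getProperty(SECRET_PROP);
        String c = resolveFilterConfig(site, false).getProperty(SECRET_PROP);
        System.out.println("HA servers share one secret: " + a.equals(b));
        System.out.println("non-HA server differs:       " + !a.equals(c));
        System.out.println("not the old default 'oozie': " + !"oozie".equals(a));
    }
}
```

With a real ZooKeeper ensemble the store also needs access control on the node holding the secret, since anyone who can read it can sign authentication tokens.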

        Attachments

        1. OOZIE-1917.patch
          6 kB
          Robert Kanter
        2. OOZIE-1917.patch
          5 kB
          Robert Kanter

              People

              • Assignee:
                rkanter Robert Kanter
                Reporter:
                rkanter Robert Kanter