[OOZIE-1917] Authentication secret should be random by default and needs to coordinate with HA - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Improvement
Status: Resolved
Priority: Critical
Resolution: Fixed
Affects Version/s: trunk
Fix Version/s: 4.2.0
Component/s: HA, security
Labels:
None

Description

oozie.authentication.signature.secret is currently set to oozie by default, which is a pretty poor value for this. We should set it to be random by default (i.e. blank in oozie-site/default).

We should also make it so that with Oozie HA, we store this value in ZooKeeper so all Oozie servers can use the same secret. This may get a little tricky because hadoop-auth's AuthenticationFilter doesn't make it easy/practical to change how the Signer and secret are set. We'll likely have to have Oozie's AuthFilter compute it's own random secret and do all the ZK stuff and set the value of oozie.authentication.signature.secret before calling AuthenticationFilter#init

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OOZIE-1917.patch
16/Sep/14 01:13
5 kB
Robert Kanter
OOZIE-1917.patch
17/Sep/14 23:53
6 kB
Robert Kanter

Issue Links

breaks

OOZIE-2014 TestAuthFilterAuthOozieClient fails after OOZIE-1917

Resolved

depends upon

HADOOP-10868 Create a ZooKeeper-backed secret provider

Closed

HADOOP-10791 AuthenticationFilter should support externalizing the secret for signing and provide rotation support

Closed

Activity

People

Assignee:: Robert Kanter

Reporter:: Robert Kanter

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 05/Jul/14 01:46

Updated:: 18/May/15 07:11

Resolved:: 18/Sep/14 18:42