This is an automated email from the ASF dual-hosted git repository.
karan pushed a commit to branch 32.0.0
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/32.0.0 by this push:
new 1d7c0cbd5a2 Recommend setting a strong passphrase for druid-pac4j auth (#17712) (#17717)
1d7c0cbd5a2 is described below
commit 1d7c0cbd5a21f5af4468999706ee7f15d560871a
Author: Kashif Faraz <[email protected]>
AuthorDate: Wed Feb 12 11:37:40 2025 +0530
Recommend setting a strong passphrase for druid-pac4j auth (#17712) (#17717)
---
docs/development/extensions-core/druid-pac4j.md | 10 ++++++++--
website/.spelling | 4 +---
2 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/docs/development/extensions-core/druid-pac4j.md
b/docs/development/extensions-core/druid-pac4j.md
index cdd2ab0cf05..243350cc51f 100644
--- a/docs/development/extensions-core/druid-pac4j.md
+++ b/docs/development/extensions-core/druid-pac4j.md
@@ -47,11 +47,17 @@ druid.auth.authenticator.jwt.type=jwt
### Properties
|Property|Description|Default|required|
|--------|---------------|-----------|-------|
-|`druid.auth.pac4j.cookiePassphrase`|passphrase for encrypting the cookies
used to manage authentication session with browser. It can be provided as
plaintext string or The [Password
Provider](../../operations/password-provider.md).|none|Yes|
+|`druid.auth.pac4j.cookiePassphrase`|Passphrase for encrypting the cookies
used to manage authentication session with browser. It can be provided as
plaintext string or the (recommended) [Password
Provider](../../operations/password-provider.md).|none|Yes|
|`druid.auth.pac4j.readTimeout`|Socket connect and read timeout duration used
when communicating with authentication server|PT5S|No|
|`druid.auth.pac4j.enableCustomSslContext`|Whether to use custom SSLContext
setup via [simple-client-sslcontext](simple-client-sslcontext.md) extension
which must be added to extensions list when this property is set to
true.|false|No|
|`druid.auth.pac4j.oidc.clientID`|OAuth Client Application id.|none|Yes|
|`druid.auth.pac4j.oidc.clientSecret`|OAuth Client Application secret. It can
be provided as plaintext string or The [Password
Provider](../../operations/password-provider.md).|none|Yes|
|`druid.auth.pac4j.oidc.discoveryURI`|discovery URI for fetching OP metadata
[see this](http://openid.net/specs/openid-connect-discovery-1_0.html).|none|Yes|
|`druid.auth.pac4j.oidc.oidcClaim`|[claim](https://openid.net/specs/openid-connect-core-1_0.html#Claims)
that will be extracted from the ID Token after validation.|name|No|
-|`druid.auth.pac4j.oidc.scope`| scope is used by an application during
authentication to authorize access to a user's details
|`openid profile email`|No
+|`druid.auth.pac4j.oidc.scope`| scope is used by an application during
authentication to authorize access to a user's details.|`openid profile
email`|No|
+
+:::info
+Users must set a strong passphrase to ensure that an attacker is not able to
guess it simply by brute force.
+A compromised passphrase may allow an attacker to read and manipulate session
cookies.
+For more details, see
[CVE-2024-45384](https://nvd.nist.gov/vuln/detail/CVE-2024-45384).
+:::
\ No newline at end of file
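Review bot: The new `:::info` block tells users to "set a strong passphrase" but gives no indication of what strong means for `druid.auth.pac4j.cookiePassphrase`; since the stated risk is brute-force guessing leading to session-cookie read/manipulation, consider adding a concrete recommendation such as a randomly generated value of a stated minimum length, and a pointer to generating it via the Password Provider rather than a plaintext string. Two smaller points in the same hunk: the `druid.auth.pac4j.oidc.clientSecret` row still reads "or The [Password Provider]" while the `cookiePassphrase` row was changed to "or the (recommended) [Password Provider]", so the same wording and recommendation should be applied to the client secret, which is equally sensitive; and the file now ends without a trailing newline (`\ No newline at end of file`), which is worth fixing so the admonition renders and diffs cleanly.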
diff --git a/website/.spelling b/website/.spelling
index 27595a3e507..92615ad89ba 100644
--- a/website/.spelling
+++ b/website/.spelling
@@ -2191,9 +2191,7 @@ regionName
json
metastore
UserGroupInformation
-CVE-2019-17571
-CVE-2019-12399
-CVE-2018-17196
+CVE-2024-45384
bin.tar.gz
0s
1T
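Review bot: Removing `CVE-2019-17571`, `CVE-2019-12399` and `CVE-2018-17196` from `website/.spelling` is only safe if no page under `docs/` still mentions those identifiers; the hunk only shows the dictionary change, not the removal of the references, so please confirm the spell-check pass on the full docs tree still succeeds, or keep the three entries and only add `CVE-2024-45384`.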
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]