[ https://issues.apache.org/jira/browse/HADOOP-14246?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15947846#comment-15947846 ]
Robert Kanter commented on HADOOP-14246:
----------------------------------------
I did some more playing around with this, and it turns out we've actually been
using variable length secrets this whole time. The old code
{code:java}
Long.toString(rand.nextLong()).getBytes(Charset.forName("UTF-8"));
{code}
varies in length. It seems to usually be 20 bytes (160 bits) but I've also
seen it be 19 bytes (152 bits).
So it turns out we've been testing this for a long time :)
> Authentication Tokens should use SecureRandom instead of Random and 256 bit secrets
> -----------------------------------------------------------------------------------
>
> Key: HADOOP-14246
> URL: https://issues.apache.org/jira/browse/HADOOP-14246
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.9.0
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Attachments: HADOOP-14246.001.patch
>
>
> {{RandomSignerSecretProvider}} and {{ZKSignerSecretProvider}} currently use a
> {{long}} generated by {{Random}} (which is then converted to a {{String}} and
> is 160 bits) for secrets.
> We should improve this to use 256 bit secrets generated by {{SecureRandom}}.
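The following is an added example, not code from the HADOOP-14246 patch or from the comment above. It tallies the byte lengths the old expression produces over many draws and sets them beside a 32-byte secret filled from {{SecureRandom}}; the class name, method names and sample size are assumptions made for illustration.

```java
import java.nio.charset.Charset;
import java.security.SecureRandom;
import java.util.Map;
import java.util.Random;
import java.util.TreeMap;

public class SecretLengthDemo {

    // The old expression quoted in the comment: a random long rendered as
    // decimal text. Every byte is '-' or an ASCII digit, and the value comes
    // from a single long, so the secret holds at most 64 bits of randomness
    // however many bytes the text occupies.
    static byte[] oldSecret(Random rand) {
        return Long.toString(rand.nextLong()).getBytes(Charset.forName("UTF-8"));
    }

    // The direction the issue proposes: 256 bits taken directly from SecureRandom.
    static byte[] newSecret(SecureRandom rand) {
        byte[] secret = new byte[32];
        rand.nextBytes(secret);
        return secret;
    }

    // Count how often each encoded length occurs across the given number of draws.
    static Map<Integer, Integer> lengthHistogram(Random rand, int samples) {
        Map<Integer, Integer> lengths = new TreeMap<>();
        for (int i = 0; i < samples; i++) {
            lengths.merge(oldSecret(rand).length, 1, Integer::sum);
        }
        return lengths;
    }

    public static void main(String[] args) {
        int samples = 1_000_000; // constructed sample size, chosen for illustration
        Map<Integer, Integer> lengths = lengthHistogram(new Random(), samples);
        for (Map.Entry<Integer, Integer> e : lengths.entrySet()) {
            System.out.printf("old secret: %2d bytes (%3d bits encoded) seen %d times%n",
                    e.getKey(), e.getKey() * 8, e.getValue());
        }

        byte[] fresh = newSecret(new SecureRandom());
        System.out.printf("new secret: %2d bytes (%3d bits), fixed length%n",
                fresh.length, fresh.length * 8);
    }
}
```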