[
https://issues.apache.org/jira/browse/HADOOP-10791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Kanter updated HADOOP-10791:
-----------------------------------
Attachment: HADOOP-10791.patch
The patch addresses Tucu's comments.
I spoke with him about his last point (the logic change) and we decided it
should be fine to leave the code where it is and instead not create new arrays
and document that these should not be modified by the caller. I also added
findbugs excludes for this.
> AuthenticationFilter should support externalizing the secret for signing and
> provide rotation support
> -----------------------------------------------------------------------------------------------------
>
> Key: HADOOP-10791
> URL: https://issues.apache.org/jira/browse/HADOOP-10791
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.4.1
> Reporter: Alejandro Abdelnur
> Assignee: Robert Kanter
> Attachments: HADOOP-10791.patch, HADOOP-10791.patch,
> HADOOP-10791.patch
>
>
> It should be possible to externalize the secret used to sign the hadoop-auth
> cookies.
> In the case of WebHDFS the shared secret used by NN and DNs could be used. In
> the case of Oozie HA, the secret could be stored in Oozie HA control data in
> ZooKeeper.
> In addition, it is desirable for the secret to change periodically; this
> means that the AuthenticationService should remember a previous secret for
> the max duration of hadoop-auth cookie.
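The rotation requirement in the issue description (sign with the newest secret, keep accepting the previous one for the maximum cookie lifetime) can be sketched as follows. This is an added example, not code from the attached patch or from hadoop-auth; the class name `RollingCookieSigner`, the `&s=` separator, the HMAC-SHA256 choice and the sample cookie value are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical class for illustration; not Hadoop's AuthenticationFilter code.
public class RollingCookieSigner {
    private static final String SEP = "&s=";          // assumed signature separator
    private final SecureRandom rng = new SecureRandom();
    private byte[] current = newSecret();
    private byte[] previous;  // secret in use before the last roll; null until then

    private byte[] newSecret() {
        byte[] s = new byte[32];
        rng.nextBytes(s);
        return s;
    }
    // Call once per maximum cookie lifetime: a cookie signed just before a roll
    // stays verifiable for a further full interval, i.e. until it has expired.
    public synchronized void roll() { previous = current; current = newSecret(); }

    private static byte[] mac(byte[] secret, String value) throws Exception {
        Mac m = Mac.getInstance("HmacSHA256");  // algorithm chosen for this example
        m.init(new SecretKeySpec(secret, "HmacSHA256"));
        return m.doFinal(value.getBytes(StandardCharsets.UTF_8));
    }
    // New cookies are always signed with the current secret only.
    public synchronized String sign(String value) throws Exception {
        return value + SEP + Base64.getUrlEncoder().encodeToString(mac(current, value));
    }
    // Returns the cookie value, or null when neither retained secret matches.
    public synchronized String verify(String signed) throws Exception {
        int i = signed.lastIndexOf(SEP);
        if (i < 0) return null;
        String value = signed.substring(0, i);
        byte[] sig;
        try { sig = Base64.getUrlDecoder().decode(signed.substring(i + SEP.length())); }
        catch (IllegalArgumentException e) { return null; }  // malformed signature
        for (byte[] secret : new byte[][] {current, previous})
            if (secret != null && MessageDigest.isEqual(sig, mac(secret, value))) return value;
        return null;
    }
    public static void main(String[] args) throws Exception {
        RollingCookieSigner s = new RollingCookieSigner();
        String c = s.sign("u=alice&e=1700000000000");  // constructed sample value
        s.roll(); System.out.println(s.verify(c));     // one roll: previous secret still held
        s.roll(); System.out.println(s.verify(c));     // two rolls: signing secret discarded
    }
}
```

In a multi-server deployment such as the WebHDFS or Oozie HA cases named in the issue, the random `newSecret()` would be replaced by a read from the shared store so that every node holds the same current and previous secrets.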