[
https://issues.apache.org/jira/browse/HADOOP-10880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14088198#comment-14088198
]
Daryn Sharp commented on HADOOP-10880:
--------------------------------------
I was assuming the plan was to use http authentication itself. The RFC
defined method DIGEST (circa late 90s) prevents sending the password over the
wire in plain text. I'm pretty sure the SASL DIGEST-MD5 client we use at the
RPC layer is emitting exactly what goes in the headers during the exchange.
It's also not going to play nice with HA tokens...
> Move HTTP delegation tokens out of URL querystring to a header
> --------------------------------------------------------------
>
> Key: HADOOP-10880
> URL: https://issues.apache.org/jira/browse/HADOOP-10880
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.4.1
> Reporter: Alejandro Abdelnur
> Assignee: Alejandro Abdelnur
> Priority: Blocker
> Attachments: HADOOP-10880.patch
>
>
> Following up on a discussion in HADOOP-10799.
> Because URLs are often logged, delegation tokens may end up in LOG files
> while they are still valid.
> We should move the tokens to a header.
> We should still support tokens in the querystring for backwards compatibility.
--
This message was sent by Atlassian JIRA
(v6.2#6252)
