[ https://issues.apache.org/jira/browse/HADOOP-10880?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14096334#comment-14096334 ]

Daryn Sharp commented on HADOOP-10880:
--------------------------------------
Is it reasonable to implement this with digest auth now rather than later? I
think you've already got the hooks to do it. We've already got an insecure token
in the query string; this would be an insecure token in a header, whereas digest
will be a secure token in a header, on par with RPC. Taking away functionality
once it's unleashed is hard and requires complicated backwards compatibility.
When it comes to authentication code, more so than anywhere else, less is
better. It's too easy to make subtle mistakes that compromise the system...

> Move HTTP delegation tokens out of URL querystring to a header
> --------------------------------------------------------------
>
> Key: HADOOP-10880
> URL: https://issues.apache.org/jira/browse/HADOOP-10880
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.4.1
> Reporter: Alejandro Abdelnur
> Assignee: Alejandro Abdelnur
> Priority: Blocker
> Attachments: HADOOP-10880.patch, HADOOP-10880.patch,
> HADOOP-10880.patch
>
>
> Following up on a discussion in HADOOP-10799.
> Because URLs are often logged, delegation tokens may end up in LOG files
> while they are still valid.
> We should move the tokens to a header.
> We should still support tokens in the querystring for backwards compatibility.
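
The issue description's concern (URLs are logged, so still-valid delegation tokens end up in log files) can be checked against logs that already exist. The following is an added example, not part of the JIRA thread or of Hadoop's code: it assumes NCSA-style access logs and a query parameter named `delegation`, and the log lines are constructed.

```python
import hashlib
import re
from urllib.parse import unquote, urlsplit

# Assumed name of the query parameter carrying the token; adjust as needed.
TOKEN_PARAM = "delegation"

# NCSA common/combined format: host ident user [time] "METHOD target PROTO" ...
LOG_RE = re.compile(r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"[A-Z]+ (?P<target>\S+) [^"]*"')
# Matches the parameter anywhere in the line, so a Referer field is covered too.
PARAM_RE = re.compile(r'([?&]' + TOKEN_PARAM + r'=)([^&#\s"]+)', re.IGNORECASE)

# Constructed sample lines (hosts, users, paths and tokens are made up).
SAMPLE_LOG = [
    '10.0.0.5 - alice [14/Aug/2014:10:01:02 +0000] "GET /webhdfs/v1/tmp/a?op=OPEN&delegation=EXAMPLE-TOKEN-AAAA HTTP/1.1" 200 512',
    '10.0.0.6 - bob [14/Aug/2014:10:01:05 +0000] "GET /webhdfs/v1/tmp/b?Delegation=EXAMPLE%2DTOKEN%2DBBBB&op=GETFILESTATUS HTTP/1.1" 200 128',
    '10.0.0.7 - carol [14/Aug/2014:10:01:09 +0000] "GET /webhdfs/v1/tmp/c?op=LISTSTATUS HTTP/1.1" 200 64',
]


def fingerprint(token):
    """Short SHA-256 prefix: identifies a leaked token without storing it."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()[:12]


def scrub_line(line):
    """Return (redacted_line, findings) for one access-log line."""
    m = LOG_RE.match(line)
    meta = {}
    if m:
        meta = {"host": m.group("host"), "time": m.group("time"),
                "path": urlsplit(m.group("target")).path}
    # Fingerprint the percent-decoded value so encoded and plain forms agree.
    findings = [dict(meta, token_fp=fingerprint(unquote(t.group(2))))
                for t in PARAM_RE.finditer(line)]
    return PARAM_RE.sub(r"\1<redacted>", line), findings


def scan(lines):
    """Redact every line and collect one finding per exposed token."""
    redacted, findings = [], []
    for line in lines:
        clean, found = scrub_line(line)
        redacted.append(clean)
        findings.extend(found)
    return redacted, findings
```

Each finding records where a token was exposed plus a fingerprint that can be matched against issued tokens, so the affected tokens can be cancelled before they expire.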