[
https://issues.apache.org/jira/browse/AMBARI-8426?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14223573#comment-14223573
]
Robert Levas commented on AMBARI-8426:
--------------------------------------
This feature wouldn't necessarily be directly related to the management of the
encryption key created in #1 of the use-case, but it would facilitate it. The
resource provider in the Ambari server would, however, have access to the
session and therefore be able to create the key if necessary. If the session
died, so would the key (and any other information stored in the session - per
web server implementation). As far as where the session data was stored, that
would be up to the web server (or servlet container). This is why the use-case
proposes to store only the encryption key in session and not the unencrypted
administrative credentials.
> Provide access to session from resource handler
> -----------------------------------------------
>
> Key: AMBARI-8426
> URL: https://issues.apache.org/jira/browse/AMBARI-8426
> Project: Ambari
> Issue Type: New Feature
> Components: ambari-server
> Affects Versions: 2.0.0
> Reporter: Robert Levas
> Labels: encryption, kerberos, security, session
> Fix For: 2.0.0
>
>
> There should be a way to get access to the web server's session data from a
> (REST API) resource handler.
> This will allow a resource handler to access information such as a session
> encryption key that may be used to encrypt data during that session. An
> example of this would be when performing Kerberos-related activities, the
> following flow can occur:
> # Session encryption key is created
> # User uploads KDC administrator credentials
> # administrator credentials are encrypted using the session encryption key and
> persisted - maybe on disk, maybe in the Ambari database
> # For every Kerberos administration action that needs to occur during that
> session, the administrative credentials may be loaded into memory, decrypted,
> used, and removed from memory
> # When the session terminates, the encryption key is lost and the persisted
> administrator credentials become lost
>
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
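The five-step flow in the issue description, as an added Python example that is not Ambari code: the session object holds only a random key, the uploaded KDC administrator credentials are persisted only as an authenticated ciphertext, and once the session (and its key) is invalidated, or a new session with a new key tries to read the blob, the persisted credentials are unrecoverable. The HMAC-SHA256 counter-mode cipher with an encrypt-then-MAC tag is a stdlib-only stand-in for a real AEAD such as AES-GCM; `Session`, `PERSISTED` and the function names are assumptions.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Optional

class Session:
    # Constructed stand-in for the servlet session: it holds only the per-session key
    def __init__(self) -> None:
        self.key: Optional[bytes] = secrets.token_bytes(32)   # step 1: key created
    def invalidate(self) -> None:
        self.key = None                                       # step 5: key dies with session

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode; stdlib stand-in for a real AEAD such as AES-GCM
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def _subkeys(key: bytes) -> tuple:
    # separate encryption and MAC keys derived from the session key
    return hmac.new(key, b"enc", hashlib.sha256).digest(), hmac.new(key, b"mac", hashlib.sha256).digest()

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()   # encrypt-then-MAC
    return nonce + ct + tag

def decrypt(key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("blob was not produced under this session key (or was tampered with)")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

PERSISTED: dict = {}   # stands in for disk or the Ambari database (constructed)

def upload_kdc_credentials(session: Session, sid: str, principal: str, password: str) -> None:
    # steps 2-3: credentials arrive and are persisted only in encrypted form
    PERSISTED[sid] = encrypt(session.key, f"{principal}\0{password}".encode())

def with_kdc_credentials(session: Session, sid: str, action: Callable[[str, str], object]):
    # step 4: load the blob, decrypt, use, then drop the plaintext copy again
    if session.key is None:
        raise PermissionError("session terminated; encryption key is gone")
    plain = bytearray(decrypt(session.key, PERSISTED[sid]))
    principal, password = plain.decode().split("\0", 1)
    plain[:] = b"\0" * len(plain)   # best-effort wipe of the mutable buffer
    return action(principal, password)
```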