[ https://issues.apache.org/jira/browse/OOZIE-1651?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13857090#comment-13857090 ]
Hadoop QA commented on OOZIE-1651:
----------------------------------
Testing JIRA OOZIE-1651
Cleaning local git workspace
----------------------------
{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:red}-1 RAW_PATCH_ANALYSIS{color}
. {color:green}+1{color} the patch does not introduce any @author tags
. {color:green}+1{color} the patch does not introduce any tabs
. {color:red}-1{color} the patch contains 2 line(s) with trailing spaces
. {color:green}+1{color} the patch does not introduce any line longer than 132
. {color:green}+1{color} the patch does adds/modifies 2 testcase(s)
{color:green}+1 RAT{color}
. {color:green}+1{color} the patch does not seem to introduce new RAT warnings
{color:green}+1 JAVADOC{color}
. {color:green}+1{color} the patch does not seem to introduce new Javadoc warnings
{color:green}+1 COMPILE{color}
. {color:green}+1{color} HEAD compiles
. {color:green}+1{color} patch compiles
. {color:green}+1{color} the patch does not seem to introduce new javac warnings
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
. {color:green}+1{color} the patch does not change any JPA Entity/Colum/Basic/Lob/Transient annotations
. {color:green}+1{color} the patch does not modify JPA files
{color:green}+1 TESTS{color}
. Tests run: 1376
{color:green}+1 DISTRO{color}
. {color:green}+1{color} distro tarball builds with the patch
----------------------------
{color:red}*-1 Overall result, please check the reported -1(s)*{color}
The full output of the test-patch run is available at
. https://builds.apache.org/job/oozie-trunk-precommit-build/970/
> Oozie should mask the signature secret in the configuration output
> ------------------------------------------------------------------
>
> Key: OOZIE-1651
> URL: https://issues.apache.org/jira/browse/OOZIE-1651
> Project: Oozie
> Issue Type: Bug
> Components: security
> Affects Versions: 3.3.2, 4.0.0
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Critical
> Attachments: OOZIE-1651.patch, OOZIE-1651.patch
>
>
> The value of {{oozie.authentication.signature.secret}} is the secret that's
> used to sign the cookies/tokens created by Oozie for authentication after
> Kerberos. If a malicious user were to find out this secret, they could forge
> counterfeit cookies/tokens as any user with any expiration date.
> Oozie exposed the configuration properties via its REST API. It currently
> only masks any properties that end with ".password" (i.e.
> {{oozie.service.JPAService.jdbc.password}}). We should expand this to also
> mask the signature secret.
> In fact, it would be useful to generalize this ability to add a property that
> masks something the user can configure.