[jira] [Commented] (OOZIE-1651) Oozie should mask the signature secret in the configuration output

Robert Kanter (JIRA) Thu, 02 Jan 2014 13:24:07 -0800

    [ 
https://issues.apache.org/jira/browse/OOZIE-1651?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13860780#comment-13860780
 ]


Robert Kanter commented on OOZIE-1651:
--------------------------------------

Test-patch keeps getting stuck on one of the tests; but I ran all the tests 
locally and everything passed:
{noformat}
[INFO] ------------------------------------------------------------------------
[INFO] Reactor Summary:
[INFO] 
[INFO] Apache Oozie Main ................................. SUCCESS [0.448s]
[INFO] Apache Oozie Client ............................... SUCCESS [4.799s]
[INFO] Apache Oozie Hadoop 1.1.1.oozie-4.1.0-SNAPSHOT .... SUCCESS [0.455s]
[INFO] Apache Oozie Hadoop Distcp 1.1.1.oozie-4.1.0-SNAPSHOT  SUCCESS [0.281s]
[INFO] Apache Oozie Hadoop 1.1.1.oozie-4.1.0-SNAPSHOT Test  SUCCESS [0.486s]
[INFO] Apache Oozie Hadoop 2.2.0.oozie-4.1.0-SNAPSHOT .... SUCCESS [0.800s]
[INFO] Apache Oozie Hadoop 2.2.0.oozie-4.1.0-SNAPSHOT Test  SUCCESS [0.564s]
[INFO] Apache Oozie Hadoop Distcp 2.2.0.oozie-4.1.0-SNAPSHOT  SUCCESS [0.283s]
[INFO] Apache Oozie Hadoop 0.23.5.oozie-4.1.0-SNAPSHOT ... SUCCESS [0.626s]
[INFO] Apache Oozie Hadoop 0.23.5.oozie-4.1.0-SNAPSHOT Test  SUCCESS [0.604s]
[INFO] Apache Oozie Hadoop Distcp 0.23.5.oozie-4.1.0-SNAPSHOT  SUCCESS [0.280s]
[INFO] Apache Oozie Hadoop Libs .......................... SUCCESS [0.067s]
[INFO] Apache Oozie Hbase 0.94.2.oozie-4.1.0-SNAPSHOT .... SUCCESS [0.294s]
[INFO] Apache Oozie Hbase Libs ........................... SUCCESS [0.015s]
[INFO] Apache Oozie HCatalog 0.5.0.oozie-4.1.0-SNAPSHOT .. SUCCESS [0.671s]
[INFO] Apache Oozie HCatalog 0.6.0.oozie-4.1.0-SNAPSHOT .. SUCCESS [0.440s]
[INFO] Apache Oozie HCatalog Libs ........................ SUCCESS [0.019s]
[INFO] Apache Oozie Share Lib Oozie ...................... SUCCESS [1.599s]
[INFO] Apache Oozie Share Lib HCatalog ................... SUCCESS [0.886s]
[INFO] Apache Oozie Core ................................. SUCCESS [43:58.085s]
[INFO] Apache Oozie Docs ................................. SUCCESS [0.620s]
[INFO] Apache Oozie Share Lib Pig ........................ SUCCESS [7:53.196s]
[INFO] Apache Oozie Share Lib Hive ....................... SUCCESS [1:59.993s]
[INFO] Apache Oozie Share Lib Sqoop ...................... SUCCESS [2:12.413s]
[INFO] Apache Oozie Share Lib Streaming .................. SUCCESS [3:37.086s]
[INFO] Apache Oozie Share Lib Distcp ..................... SUCCESS [30.925s]
[INFO] Apache Oozie WebApp ............................... SUCCESS [0.791s]
[INFO] Apache Oozie Examples ............................. SUCCESS [12.748s]
[INFO] Apache Oozie Share Lib ............................ SUCCESS [0.129s]
[INFO] Apache Oozie Tools ................................ SUCCESS [28.195s]
[INFO] Apache Oozie MiniOozie ............................ SUCCESS [12.812s]
[INFO] Apache Oozie Distro ............................... SUCCESS [3.416s]
[INFO] ------------------------------------------------------------------------
[INFO] BUILD SUCCESS
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1:01:25.321s
[INFO] Finished at: Thu Jan 02 13:19:59 PST 2014
[INFO] Final Memory: 50M/134M
[INFO] ------------------------------------------------------------------------
{noformat}

> Oozie should mask the signature secret in the configuration output
> ------------------------------------------------------------------
>
>                 Key: OOZIE-1651
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1651
>             Project: Oozie
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.3.2, 4.0.0
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Critical
>         Attachments: OOZIE-1651.patch, OOZIE-1651.patch, OOZIE-1651.patch, 
> OOZIE-1651.patch, OOZIE-1651.patch
>
>
> The value of {{oozie.authentication.signature.secret}} is the secret that's 
> used to sign the cookies/tokens crated by Oozie for authentication after 
> Kerberos.  If a malicious user were to find out this secret, they could forge 
> counterfeit cookies/tokens as any user with any expiration date.  
> Oozie exposed the configuration properties via its REST API.  It currently 
> only masks any properties that end with ".password" (i.e. 
> {{oozie.service.JPAService.jdbc.password}}).  We should expand this to also 
> mask the signature secret.  
> In fact, it would be useful to generalize this ability to add a property that 
> masks something the user can configure.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

[jira] [Commented] (OOZIE-1651) Oozie should mask the signature secret in the configuration output

Reply via email to