[ https://issues.apache.org/jira/browse/OOZIE-1917?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Robert Kanter updated OOZIE-1917:
---------------------------------
    Attachment: OOZIE-1917.patch

When using Hadoop 2.6.0+, this works without any additional configuration by 
the user (though the user can overwrite the configs if they want).  The 
AuthFilter does the configs for you, and also gives our Curator client from 
ZKUtils to the ZKSignerSecretProvider so it will inherit all the security 
settings and other configs that we already set in ZKUtils.

When using an earlier Hadoop, this will basically do nothing and the existing 
behavior will occur.  

I had to use the property strings (e.g. "signer.secret.provider.zookeeper.foo") 
instead of the constants (e.g. ZKSignerSecretProvider.FOO) to be able to 
compile pre-Hadoop 2.6.0.

> Authentication secret should be random by default and needs to coordinate 
> with HA
> ---------------------------------------------------------------------------------
>
>                 Key: OOZIE-1917
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1917
>             Project: Oozie
>          Issue Type: Improvement
>          Components: HA, security
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Critical
>         Attachments: OOZIE-1917.patch
>
>
> {{oozie.authentication.signature.secret}} is currently set to {{oozie}} by 
> default, which is a pretty poor value for this.  We should set it to be 
> random by default (i.e. blank in oozie-site/default).  
> We should also make it so that with Oozie HA, we store this value in 
> ZooKeeper so all Oozie servers can use the same secret.  This may get a 
> little tricky because hadoop-auth's AuthenticationFilter doesn't make it 
> easy/practical to change how the Signer and secret are set.  We'll likely 
> have to have Oozie's AuthFilter compute its own random secret and do all the 
> ZK stuff and set the value of {{oozie.authentication.signature.secret}} 
> before calling AuthenticationFilter#init
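
The three configurations the issue contrasts, as an added sketch that is not part of the OOZIE-1917 patch or of hadoop-auth: a fixed default secret on every server, an independent random secret per server, and a random secret coordinated through a shared store. HMAC-SHA256 is a stand-in signer, and the `Server` class, the token string and the dict standing in for ZooKeeper are hypothetical.

```python
import hashlib
import hmac
import secrets

KNOWN_DEFAULT = b"oozie"  # default of oozie.authentication.signature.secret, per the issue


def sign(token: str, secret: bytes) -> str:
    """Append an HMAC-SHA256 signature (stand-in signer, not hadoop-auth's Signer)."""
    mac = hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}&s={mac}"


def verify(signed: str, secret: bytes) -> bool:
    """Recompute the signature with this server's secret; constant-time compare."""
    token, sep, mac = signed.rpartition("&s=")
    if not sep:
        return False
    expected = hmac.new(secret, token.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


class Server:
    """Hypothetical Oozie server holding one signing secret."""

    def __init__(self, configured=b"", shared_store=None):
        if configured:
            self.secret = configured  # fixed value taken from the site config
        elif shared_store is not None:
            # Blank config with HA: the first server publishes a random
            # secret to the shared store, later servers reuse it.
            self.secret = shared_store.setdefault("secret", secrets.token_bytes(32))
        else:
            self.secret = secrets.token_bytes(32)  # blank config, no coordination


def cross_server_ok(a: Server, b: Server) -> bool:
    """Does a token issued by server a validate on server b?"""
    return verify(sign("u=alice&e=1700000000", a.secret), b.secret)  # constructed token


def scenarios() -> dict:
    zk = {}  # constructed stand-in for the ZooKeeper-backed secret store
    default_pair = (Server(KNOWN_DEFAULT), Server(KNOWN_DEFAULT))
    return {
        "default_shared": cross_server_ok(*default_pair),
        "default_is_public": default_pair[0].secret == KNOWN_DEFAULT,
        "random_uncoordinated": cross_server_ok(Server(), Server()),
        "random_via_store": cross_server_ok(Server(shared_store=zk), Server(shared_store=zk)),
    }
```

Only the last case gives both properties the issue asks for: the secret is not a published default, and every server in the HA set accepts tokens issued by the others.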


