[ 
https://issues.apache.org/jira/browse/OOZIE-1917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14138274#comment-14138274
 ] 

Robert Kanter commented on OOZIE-1917:
--------------------------------------

Currently, regardless of the Hadoop version, each Oozie server will use a 
different random secret.  This means that if you talk to a different server, it 
will cause your auth token to be deleted and reauthenticate you with Kerberos; 
this is all transparent to the user.  The downside of this is that it adds 
extra back and forth between the client and the Oozie server, and also the KDC. 
 The new changes are written such that if you have Hadoop auth 2.6, it will use 
the new code and sync the secrets across the servers, but if you don't have 
2.6, it will still behave as it does today (though the AuthFilter class will 
unnecessarily hold onto a ZKUtils object, but that's ok).  Makes sense?


> Authentication secret should be random by default and needs to coordinate 
> with HA
> ---------------------------------------------------------------------------------
>
>                 Key: OOZIE-1917
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1917
>             Project: Oozie
>          Issue Type: Improvement
>          Components: HA, security
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Critical
>         Attachments: OOZIE-1917.patch, OOZIE-1917.patch
>
>
> {{oozie.authentication.signature.secret}} is currently set to {{oozie}} by 
> default, which is a pretty poor value for this.  We should set it to be 
> random by default (i.e. blank in oozie-site/default).  
> We should also make it so that with Oozie HA, we store this value in 
> ZooKeeper so all Oozie servers can use the same secret.  This may get a 
> little tricky because hadoop-auth's AuthenticationFilter doesn't make it 
> easy/practical to change how the Signer and secret are set.  We'll likely 
> have to have Oozie's AuthFilter compute its own random secret and do all the 
> ZK stuff and set the value of {{oozie.authentication.signature.secret}} 
> before calling AuthenticationFilter#init
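
The behaviour described in the comment and in the issue text, as an added example that is not part of the Oozie project or of the comment above: two HA servers with independent random secrets bounce a client back to Kerberos on every switch, while a shared (ZooKeeper-coordinated) secret lets one server's auth cookie verify on the other; and a secret that is the shipped default `oozie` lets anyone who knows it mint a cookie for any user. The token layout, the HMAC-SHA256 signature and the counted "Kerberos login" are assumptions of this model, not the exact internals of hadoop-auth's Signer or AuthenticationFilter.

```python
import hashlib
import hmac
import secrets
import time
from typing import Optional

SIGNATURE_SEP = "&s="  # hadoop-auth style: signature appended to the cookie value


def generate_secret() -> str:
    """Random per-server secret (what a blank signature.secret should produce)."""
    return secrets.token_hex(32)


class Signer:
    """Signs and verifies token strings with a secret.

    Loosely modelled on hadoop-auth's Signer; HMAC-SHA256 is an assumption of
    this example, not necessarily the digest the real class uses.
    """

    def __init__(self, secret: str):
        self._key = secret.encode()

    def _signature(self, token: str) -> str:
        return hmac.new(self._key, token.encode(), hashlib.sha256).hexdigest()

    def sign(self, token: str) -> str:
        return token + SIGNATURE_SEP + self._signature(token)

    def verify(self, signed: str) -> str:
        """Return the bare token; raise ValueError if the signature does not match."""
        idx = signed.rfind(SIGNATURE_SEP)
        if idx < 0:
            raise ValueError("missing signature")
        token, sig = signed[:idx], signed[idx + len(SIGNATURE_SEP):]
        if not hmac.compare_digest(sig, self._signature(token)):
            raise ValueError("invalid signature")
        return token


class OozieServer:
    """One Oozie server; `secret` is its own random value or one shared via ZooKeeper."""

    def __init__(self, name: str, secret: str):
        self.name = name
        self.signer = Signer(secret)
        self.kerberos_logins = 0  # round trips to the KDC this server caused

    def _kerberos_login(self, user: str) -> str:
        # Stand-in for the SPNEGO/Kerberos handshake: only count that it happened,
        # then issue a freshly signed token (layout is a constructed example).
        self.kerberos_logins += 1
        expiry = int(time.time()) + 3600
        return self.signer.sign(f"u={user}&p={user}@EXAMPLE.COM&t=kerberos&e={expiry}")

    def handle_request(self, user: str, cookie: Optional[str]) -> str:
        """Return the cookie the client should keep.

        A cookie that fails verification (signed by a server with a different
        secret) is dropped and the client is re-authenticated with Kerberos.
        """
        if cookie is not None:
            try:
                self.signer.verify(cookie)
                return cookie
            except ValueError:
                pass  # token from another server's secret: discard it
        return self._kerberos_login(user)


def ha_round_trips(shared_secret: bool) -> int:
    """Client alternates between two HA servers for 4 requests; return KDC logins incurred."""
    s1 = generate_secret()
    s2 = s1 if shared_secret else generate_secret()  # shared == synced through ZK
    servers = [OozieServer("oozie1", s1), OozieServer("oozie2", s2)]
    cookie = None
    for i in range(4):
        cookie = servers[i % 2].handle_request("alice", cookie)
    return sum(s.kerberos_logins for s in servers)


def forge_with_default_secret(server_secret: str) -> bool:
    """Attacker who knows the shipped default 'oozie' mints a cookie for another user.

    Returns True if the target server accepts the forged cookie.
    """
    forged = Signer("oozie").sign("u=admin&p=admin@EXAMPLE.COM&t=kerberos&e=9999999999")
    target = OozieServer("oozie1", server_secret)
    try:
        target.signer.verify(forged)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("KDC logins, independent secrets:", ha_round_trips(False))
    print("KDC logins, shared secret:", ha_round_trips(True))
    print("forgery accepted with default secret:", forge_with_default_secret("oozie"))
    print("forgery accepted with random secret:", forge_with_default_secret(generate_secret()))
```

With independent secrets every switch of server costs a fresh Kerberos round trip (4 logins for 4 alternating requests); with the shared secret only the first request hits the KDC. The forgery check shows the other half of the issue: whatever the HA story, a guessable secret lets the cookie be minted client-side, which is why the default must be random.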



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
