Author: shv Date: Tue Jun 5 03:51:15 2012 New Revision: 1346227 URL: http://svn.apache.org/viewvc?rev=1346227&view=rev Log: HADOOP-7621. Alfredo config should be in a file not readable by users. Contributed by Aaron T. Myers and Benoy Antony.
Modified: hadoop/common/branches/branch-0.22/common/CHANGES.txt hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/HttpAuthentication.xml hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java Modified: hadoop/common/branches/branch-0.22/common/CHANGES.txt URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/common/CHANGES.txt?rev=1346227&r1=1346226&r2=1346227&view=diff ============================================================================== --- hadoop/common/branches/branch-0.22/common/CHANGES.txt (original) +++ hadoop/common/branches/branch-0.22/common/CHANGES.txt Tue Jun 5 03:51:15 2012 @@ -34,6 +34,9 @@ Release 0.22.1 - Unreleased HADOOP-7645. Disable TestKerberosAuthenticator and TestKerberosAuthenticationHandler. (Benoy Antony via shv) + HADOOP-7621. Alfredo config should be in a file not readable by users. + (Aaron T. Myers and Benoy Antony via shv) + Release 0.22.0 - 2011-11-29 INCOMPATIBLE CHANGES Modified: hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/HttpAuthentication.xml URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/HttpAuthentication.xml?rev=1346227&r1=1346226&r2=1346227&view=diff ============================================================================== --- hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/HttpAuthentication.xml (original) +++ hadoop/common/branches/branch-0.22/common/src/docs/src/documentation/content/xdocs/HttpAuthentication.xml Tue Jun 5 03:51:15 2012 
@@ -82,10 +82,12 @@ <code>36000</code>. </p> - <p><code>hadoop.http.authentication.signature.secret</code>: The signature secret for - signing the authentication tokens. If not set a random secret is generated at - startup time. The same secret should be used for all nodes in the cluster, JobTracker, - NameNode, DataNode and TastTracker. The default value is a <code>hadoop</code> value. + <p><code>hadoop.http.authentication.signature.secret.file</code>: The signature secret + file for signing the authentication tokens. If not set a random secret is generated at + startup time. The same secret should be used for all nodes in the cluster, JobTracker, + NameNode, DataNode and TastTracker. The default value is + <code>${user.home}/hadoop-http-auth-signature-secret</code>. + IMPORTANT: This file should be readable only by the Unix user running the daemons. </p> <p><code>hadoop.http.authentication.cookie.domain</code>: The domain to use for the HTTP Modified: hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java URL: http://svn.apache.org/viewvc/hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java?rev=1346227&r1=1346226&r2=1346227&view=diff ============================================================================== --- hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java (original) +++ hadoop/common/branches/branch-0.22/common/src/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java Tue Jun 5 03:51:15 2012 @@ -22,6 +22,9 @@ import org.apache.hadoop.conf.Configurat import org.apache.hadoop.http.FilterContainer; import org.apache.hadoop.http.FilterInitializer; +import java.io.FileReader; +import java.io.IOException; +import java.io.Reader; import java.util.HashMap; import java.util.Map; 
@@ -40,7 +43,9 @@ import java.util.Map;
 */
 public class AuthenticationFilterInitializer extends FilterInitializer {
- private static final String PREFIX = "hadoop.http.authentication.";
+ static final String PREFIX = "hadoop.http.authentication.";
+
+ static final String SIGNATURE_SECRET_FILE = AuthenticationFilter.SIGNATURE_SECRET + ".file";
 /**
 * Initializes Alfredo AuthenticationFilter.
@@ -67,6 +72,25 @@ public class AuthenticationFilterInitial
 }
 }
+ String signatureSecretFile = filterConfig.get(SIGNATURE_SECRET_FILE);
+ if (signatureSecretFile == null) {
+ throw new RuntimeException("Undefined property: " + SIGNATURE_SECRET_FILE);
+ }
+
+ try {
+ StringBuilder secret = new StringBuilder();
+ Reader reader = new FileReader(signatureSecretFile);
+ int c = reader.read();
+ while (c > -1) {
+ secret.append((char)c);
+ c = reader.read();
+ }
+ reader.close();
+ filterConfig.put(AuthenticationFilter.SIGNATURE_SECRET, secret.toString());
+ } catch (IOException ex) {
+ throw new RuntimeException("Could not read HTTP signature secret file: " + signatureSecretFile);
+ }
+
 container.addFilter("authentication", AuthenticationFilter.class.getName(), filterConfig);
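Review bot: The new `SIGNATURE_SECRET_FILE` constant and the widening of `PREFIX` from private to package-private in the first hunk are both undocumented, and the constant's value (`AuthenticationFilter.SIGNATURE_SECRET + ".file"`) only becomes the user-facing property name once `PREFIX` is prepended, which a reader has to reconstruct. I would put a Javadoc on the constant: `/** Key, relative to {@link #PREFIX}, of the file whose entire contents become the cookie-signing secret; per HttpAuthentication.xml it must be readable only by the daemon user and identical on every node. */` The read loop in the following hunk appends every character it gets back, so a trailing newline left by an editor becomes part of the secret, and the Javadoc should state that the file is used verbatim since a node whose file differs by one newline would presumably fail to verify the other nodes' cookies. The visibility change on `PREFIX` carries no explanation; if it is for test access, a `// package-private for tests` comment would say so and discourage widening it further.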