Re: [DISCUSS] Feature Branch Merge and Security Audits

2017-10-31 Thread larry mccay
New revision... I have incorporated additions from Mike and added a [DEFAULT] tag to those items that should be considered for Secure by Default settings. I am hoping that we can close down on the actual lists shortly and move to discussing the meta points on how/when to require the completion of

Re: [DISCUSS] Feature Branch Merge and Security Audits

2017-10-31 Thread larry mccay
Thanks for the examples, Mike. I think some of those should actually just be added to the checklist in other places as they are best practices. Which raises an interesting point that some of those items can be enabled by default and maybe indicating so throughout the list makes sense. Then we

Re: [DISCUSS] Feature Branch Merge and Security Audits

2017-10-25 Thread larry mccay
Terrific additions, Mike! I will spin a new revision and incorporate your additions. #8 is a great topic - given that Hadoop is insecure by default. Actual movement to Secure by Default would be a challenge both technically (given the need for Kerberos) and discussion-wise. Asking whether you

Re: [DISCUSS] Feature Branch Merge and Security Audits

2017-10-22 Thread Eric Yang
Looks good and +1 for markdown documentation to provide per-release specific information.

On Sat, Oct 21, 2017 at 8:47 AM, larry mccay wrote:
> New Revision...
>
> This revision acknowledges the reality that we often have multiple phases
> of feature lifecycle and that we

Re: [DISCUSS] Feature Branch Merge and Security Audits

2017-10-21 Thread larry mccay
New Revision... This revision acknowledges the reality that we often have multiple phases of feature lifecycle and that we need to account for each phase. It has also been made more generic. I have created a Tech Preview Security Audit list and a GA Readiness Security Audit list. I've also

Re: [DISCUSS] Feature Branch Merge and Security Audits

2017-10-21 Thread larry mccay
Hi Marton - I don't think there is any denying that it would be great to have such documentation for all of those reasons. If it is a natural extension of getting the checklist information as an assertion of security state when merging then we can certainly include it. I think that backfilling

Re: [DISCUSS] Feature Branch Merge and Security Audits

2017-10-21 Thread Elek, Marton
On 10/21/2017 02:41 AM, larry mccay wrote: "We might want to start a security section for Hadoop wiki for each of the services and components. This helps to track what has been completed." Do you mean to keep the audit checklist for each service and component there? Interesting idea, I

Re: [DISCUSS] Feature Branch Merge and Security Audits

2017-10-20 Thread larry mccay
Hi Eric - Thanks for the additional item suggestions! "We might want to start a security section for Hadoop wiki for each of the services and components. This helps to track what has been completed." Do you mean to keep the audit checklist for each service and component there? Interesting idea,

Re: [DISCUSS] Feature Branch Merge and Security Audits

2017-10-20 Thread Eric Yang
The checklist looks good. Some more items to add: Kerberos TGT renewal, SPNEGO support, Delegation token, Proxy User ACL, CVE tracking list. We might want to start a security section for Hadoop wiki for each of the services and components. This helps to track what has been completed. How

Re: [DISCUSS] Feature Branch Merge and Security Audits

2017-10-20 Thread larry mccay
Adding security@hadoop list as well...

On Fri, Oct 20, 2017 at 2:29 PM, larry mccay wrote:
> All -
>
> Given the maturity of Hadoop at this point, I would like to propose that
> we start doing explicit security audits of features at merge time.
>
> There are a few reasons