Posted to common-dev@hadoop.apache.org by "Alejandro Abdelnur (JIRA)" <ji...@apache.org> on 2014/07/07 19:44:34 UTC
[jira] [Created] (HADOOP-10791) AuthenticationFilter should support
externalizing the secret for signing and provide rotation support
Alejandro Abdelnur created HADOOP-10791:
-------------------------------------------
Summary: AuthenticationFilter should support externalizing the secret for signing and provide rotation support
Key: HADOOP-10791
URL: https://issues.apache.org/jira/browse/HADOOP-10791
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 2.4.1
Reporter: Alejandro Abdelnur
It should be possible to externalize the secret used to sign the hadoop-auth cookies.
In the case of WebHDFS the shared secret used by NN and DNs could be used. In the case of Oozie HA, the secret could be stored in Oozie HA control data in ZooKeeper.
In addition, it is desirable for the secret to change periodically; this means that the AuthenticationService should remember a previous secret for the max duration of the hadoop-auth cookie.
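The rotation behaviour requested above, as an added example (not code from the issue or from hadoop-auth): a signer that accepts the previous secret only for one maximum cookie lifetime after a rotation. The class name, the `&s=` separator, HMAC-SHA256, the caller-supplied clock and the sample values are assumptions of this example, and it assumes rotations happen no more often than the cookie lifetime.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class RotatingCookieSigner {           // hypothetical class, not hadoop-auth's own signer
    private static final String SEP = "&s=";  // assumed value/signature separator
    private final long maxAgeMs;              // maximum lifetime of a signed cookie
    private byte[] current, previous;         // previous is null until the first rotation
    private long previousExpiresAt;           // after this time the previous secret is ignored
    RotatingCookieSigner(byte[] secret, long maxAgeMs) {
        this.current = secret.clone();
        this.maxAgeMs = maxAgeMs;
    }
    // Keep the outgoing secret only while a cookie it signed could still be unexpired.
    synchronized void rotate(byte[] next, long nowMs) {
        previous = current;
        previousExpiresAt = nowMs + maxAgeMs;
        current = next.clone();
    }
    synchronized String sign(String value) throws GeneralSecurityException {
        return value + SEP + new String(tag(current, value), StandardCharsets.US_ASCII);
    }
    // Returns the cookie value, or null when neither accepted secret matches.
    synchronized String verify(String signed, long nowMs) throws GeneralSecurityException {
        int i = signed.lastIndexOf(SEP);
        if (i < 0) return null;
        String value = signed.substring(0, i);
        byte[] got = signed.substring(i + SEP.length()).getBytes(StandardCharsets.US_ASCII);
        boolean ok = MessageDigest.isEqual(got, tag(current, value));  // constant-time compare
        if (!ok && previous != null && nowMs < previousExpiresAt)
            ok = MessageDigest.isEqual(got, tag(previous, value));
        return ok ? value : null;
    }
    private static byte[] tag(byte[] key, String value) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");  // this example's choice of MAC
        mac.init(new SecretKeySpec(key, "HmacSHA256"));
        return Base64.getUrlEncoder().encode(mac.doFinal(value.getBytes(StandardCharsets.UTF_8)));
    }

    public static void main(String[] args) throws Exception {  // constructed sample values
        RotatingCookieSigner s = new RotatingCookieSigner("secret-1".getBytes(StandardCharsets.UTF_8), 1000);
        String cookie = s.sign("u=alice&e=1000");
        s.rotate("secret-2".getBytes(StandardCharsets.UTF_8), 500);
        System.out.println(s.verify(cookie, 900));   // accepted via the previous secret
        System.out.println(s.verify(cookie, 1600));  // rejected: previous secret has aged out
    }
}
```

The signer checks only the signature; enforcing the expiry carried inside the cookie value stays with the caller.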