Posted to dev@oozie.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2014/07/05 03:56:33 UTC

[jira] [Commented] (OOZIE-1917) Authentication secret should be random by default and needs to coordinate with HA

    [ https://issues.apache.org/jira/browse/OOZIE-1917?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14052753#comment-14052753 ] 

Robert Kanter commented on OOZIE-1917:
--------------------------------------

It also looks like we can't change the secret on the fly without restarting Oozie, unless there's some trick we can do to reinit the filter...
We'll need to think of a good way to handle this as I imagine never updating the secret isn't ideal.  

> Authentication secret should be random by default and needs to coordinate with HA
> ---------------------------------------------------------------------------------
>
>                 Key: OOZIE-1917
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1917
>             Project: Oozie
>          Issue Type: Improvement
>          Components: HA, security
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Critical
>
> {{oozie.authentication.signature.secret}} is currently set to {{oozie}} by default, which is a pretty poor value for this.  We should set it to be random by default (i.e. blank in oozie-site/default).  
> We should also make it so that with Oozie HA, we store this value in ZooKeeper so all Oozie servers can use the same secret.  This may get a little tricky because hadoop-auth's AuthenticationFilter doesn't make it easy/practical to change how the Signer and secret are set.  We'll likely have to have Oozie's AuthFilter compute its own random secret and do all the ZK stuff and set the value of {{oozie.authentication.signature.secret}} before calling AuthenticationFilter#init.



--
This message was sent by Atlassian JIRA
(v6.2#6252)
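
The flow proposed in the issue (blank setting means a random secret, shared so every HA server signs with the same value), as an added sketch that is not Oozie or hadoop-auth code. Assumptions: an in-memory map stands in for ZooKeeper's atomic create-if-absent, HMAC-SHA256 stands in for hadoop-auth's Signer, and the path, token format and all names are hypothetical.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SharedSecretSketch {
    // Stand-in for ZooKeeper (assumption): putIfAbsent plays the role of an
    // atomic create-if-absent on a znode. PATH is a hypothetical location.
    static final ConcurrentMap<String, byte[]> STORE = new ConcurrentHashMap<>();
    static final String PATH = "/oozie/auth-secret";

    // Run by each server before the filter is initialised.
    static byte[] resolveSecret(String configured) {
        if (configured != null && !configured.trim().isEmpty()) {
            return configured.getBytes(StandardCharsets.UTF_8); // explicit operator value
        }
        byte[] candidate = new byte[32];
        new SecureRandom().nextBytes(candidate);            // blank => random
        byte[] winner = STORE.putIfAbsent(PATH, candidate); // first writer wins
        return winner != null ? winner : candidate;         // later servers adopt it
    }

    // Constructed token format "<payload>&s=<tag>"; Base64 never contains '&'.
    static String sign(byte[] secret, String payload) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(secret, "HmacSHA256"));
        byte[] tag = mac.doFinal(payload.getBytes(StandardCharsets.UTF_8));
        return payload + "&s=" + Base64.getEncoder().encodeToString(tag);
    }

    static boolean verify(byte[] secret, String signed) throws Exception {
        int i = signed.lastIndexOf("&s=");
        if (i < 0) return false;
        byte[] expected = sign(secret, signed.substring(0, i)).getBytes(StandardCharsets.UTF_8);
        return MessageDigest.isEqual(expected, signed.getBytes(StandardCharsets.UTF_8)); // constant-time
    }

    public static void main(String[] args) throws Exception {
        byte[] serverA = resolveSecret("");   // first server up: generates and publishes
        byte[] serverB = resolveSecret(null); // second server: reads A's secret
        String cookie = sign(serverA, "u=alice&e=1404525393000"); // constructed sample token
        System.out.println("server B accepts server A's token: " + verify(serverB, cookie));
        System.out.println("old default secret accepts it: " + verify(resolveSecret("oozie"), cookie));
    }
}
```

The secret is resolved once at startup here, so the sketch has the same limitation raised in the comment: changing the shared value does not reach a server that is already running.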