Posted to dev@oozie.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2013/12/22 03:08:50 UTC

[jira] [Commented] (OOZIE-1651) Oozie should mask the signature secret in the configuration output

    [ https://issues.apache.org/jira/browse/OOZIE-1651?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13855060#comment-13855060 ] 

Hadoop QA commented on OOZIE-1651:
----------------------------------

Testing JIRA OOZIE-1651

Cleaning local svn workspace

----------------------------

{color:green}+1 PATCH_APPLIES{color}
{color:green}+1 CLEAN{color}
{color:green}+1 RAW_PATCH_ANALYSIS{color}
.    {color:green}+1{color} the patch does not introduce any @author tags
.    {color:green}+1{color} the patch does not introduce any tabs
.    {color:green}+1{color} the patch does not introduce any trailing spaces
.    {color:green}+1{color} the patch does not introduce any line longer than 132
.    {color:green}+1{color} the patch adds/modifies 1 testcase(s)
{color:green}+1 RAT{color}
.    {color:green}+1{color} the patch does not seem to introduce new RAT warnings
{color:green}+1 JAVADOC{color}
.    {color:green}+1{color} the patch does not seem to introduce new Javadoc warnings
{color:green}+1 COMPILE{color}
.    {color:green}+1{color} HEAD compiles
.    {color:green}+1{color} patch compiles
.    {color:green}+1{color} the patch does not seem to introduce new javac warnings
{color:green}+1 BACKWARDS_COMPATIBILITY{color}
.    {color:green}+1{color} the patch does not change any JPA Entity/Column/Basic/Lob/Transient annotations
.    {color:green}+1{color} the patch does not modify JPA files
{color:red}-1 TESTS{color}
.    Tests run: 1376
.    Tests failed: 0
.    Tests errors: 1

.    The patch failed the following testcases:

.      

{color:green}+1 DISTRO{color}
.    {color:green}+1{color} distro tarball builds with the patch 

----------------------------
{color:red}*-1 Overall result, please check the reported -1(s)*{color}


The full output of the test-patch run is available at

.   https://builds.apache.org/job/oozie-trunk-precommit-build/959/

> Oozie should mask the signature secret in the configuration output
> ------------------------------------------------------------------
>
>                 Key: OOZIE-1651
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1651
>             Project: Oozie
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 3.3.2, 4.0.0
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Critical
>         Attachments: OOZIE-1651.patch
>
>
> The value of {{oozie.authentication.signature.secret}} is the secret that's used to sign the cookies/tokens created by Oozie for authentication after Kerberos.  If a malicious user were to find out this secret, they could forge counterfeit cookies/tokens as any user with any expiration date.  
> Oozie exposes the configuration properties via its REST API.  It currently only masks any properties that end with ".password" (i.e. {{oozie.service.JPAService.jdbc.password}}).  We should expand this to also mask the signature secret.  
> In fact, it would be useful to generalize this ability to add a property that masks something the user can configure.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
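The masking rule the issue describes, and the reason it matters, as an added example that is not part of the JIRA thread and not Oozie's own code. It implements the three rules in the description in Python: the existing ".password" suffix rule, always hiding the signature secret, and a generalised operator-configurable list of extra names. The property name used for that list (MASK_LIST_KEY) is hypothetical, the sample configuration values are made up, and the signed-token scheme (base64 SHA-256 over token plus secret, appended as "&s=") is a simplified stand-in for the real signer, used only to show that anyone who reads the secret out of a configuration dump can mint a cookie that verifies.

```python
import base64
import hashlib
import hmac

MASK = "**MASKED**"

# Hypothetical property name for the generalised "mask these properties" list;
# not an actual Oozie configuration key.
MASK_LIST_KEY = "oozie.service.ConfigurationService.masked.properties"

# Properties hidden regardless of configuration: the fix OOZIE-1651 asks for.
ALWAYS_MASKED = frozenset({"oozie.authentication.signature.secret"})


def masked_keys(config):
    """Names that must be hidden in a configuration dump.

    Rule 1: the existing '.password' suffix rule.
    Rule 2: the signature secret (ALWAYS_MASKED).
    Rule 3: any extra names the operator lists, comma-separated, in MASK_LIST_KEY.
    """
    extra = {
        name.strip()
        for name in config.get(MASK_LIST_KEY, "").split(",")
        if name.strip()
    }
    return {
        key for key in config
        if key.endswith(".password") or key in ALWAYS_MASKED or key in extra
    }


def mask_config(config):
    """Return a copy of config with every sensitive value replaced by MASK."""
    hidden = masked_keys(config)
    return {key: (MASK if key in hidden else value) for key, value in config.items()}


# --- Why the secret matters: a simplified signed-token scheme (assumption) ----
# A token is a string of key=value pairs; its signature is base64(SHA-256(token
# + secret)) appended after SIG_SEP. This is a stand-in, not Oozie's signer.
SIG_SEP = "&s="


def sign(token, secret):
    digest = hashlib.sha256((token + secret).encode()).digest()
    return token + SIG_SEP + base64.b64encode(digest).decode()


def verify(signed, secret):
    """True only if the signature was produced with the same secret."""
    token, sep, _ = signed.rpartition(SIG_SEP)
    if not sep:
        return False
    expected = sign(token, secret)
    return hmac.compare_digest(expected.encode(), signed.encode())


def forge_as(user, expires_ms, secret):
    """What an attacker who read the secret from a config dump can do:
    mint a token for any user with any expiry."""
    return sign(f"u={user}&p={user}@EXAMPLE.COM&t=kerberos&e={expires_ms}", secret)


# Constructed sample configuration: Oozie-style names, made-up values.
SAMPLE_CONFIG = {
    "oozie.base.url": "http://localhost:11000/oozie",
    "oozie.authentication.type": "kerberos",
    "oozie.authentication.signature.secret": "s3cr3t-signing-key",
    "oozie.service.JPAService.jdbc.password": "db-pass",
    "oozie.service.JPAService.jdbc.url": "jdbc:derby:oozie-db;create=true",
    "oozie.service.ExampleService.api.token": "made-up-token",  # hypothetical key
    MASK_LIST_KEY: "oozie.service.ExampleService.api.token",
}

if __name__ == "__main__":
    for key, value in sorted(mask_config(SAMPLE_CONFIG).items()):
        print(f"{key} = {value}")
    leaked = SAMPLE_CONFIG["oozie.authentication.signature.secret"]
    cookie = forge_as("admin", 4102444800000, leaked)
    print("forged cookie verifies:", verify(cookie, leaked))
```

Run it and the dump shows the JDBC password, the signature secret and the listed API token as `**MASKED**` while harmless properties stay readable; the last line shows that with the unmasked secret a forged admin cookie with a far-future expiry verifies, which is the exposure the issue is closing.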