Posted to dev@oozie.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2013/12/21 02:09:06 UTC
[jira] [Updated] (OOZIE-1651) Oozie should mask the signature secret in the configuration output
[ https://issues.apache.org/jira/browse/OOZIE-1651?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Kanter updated OOZIE-1651:
---------------------------------
Attachment: OOZIE-1651.patch
The patch adds a new property {{oozie.service.ConfigurationService.mask.properties}} that defaults to "password,secret" where Oozie will mask properties that end with those values.
Besides the unit test, I also verified it in the Web UI.
> Oozie should mask the signature secret in the configuration output
> ------------------------------------------------------------------
>
> Key: OOZIE-1651
> URL: https://issues.apache.org/jira/browse/OOZIE-1651
> Project: Oozie
> Issue Type: Bug
> Components: security
> Affects Versions: 3.3.2, 4.0.0
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Critical
> Attachments: OOZIE-1651.patch
>
>
> The value of {{oozie.authentication.signature.secret}} is the secret that's used to sign the cookies/tokens created by Oozie for authentication after Kerberos. If a malicious user were to find out this secret, they could forge counterfeit cookies/tokens as any user with any expiration date.
> Oozie exposed the configuration properties via its REST API. It currently only masks any properties that end with ".password" (i.e. {{oozie.service.JPAService.jdbc.password}}). We should expand this to also mask the signature secret.
> In fact, it would be useful to generalize this ability to add a property that masks something the user can configure.
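A sketch of the suffix-based masking described in this message, added here as an example; it is not the code in OOZIE-1651.patch. The class name, the mask string and the example.secret.file property are assumptions, and the sample values are constructed.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class MaskSketch {
    static final String MASK_PROP = "oozie.service.ConfigurationService.mask.properties";
    static final String DEFAULT_SUFFIXES = "password,secret"; // default stated in the message
    static final String MASK = "*****";                       // assumption: placeholder text

    // Split the comma-separated list. Blank entries are dropped: name.endsWith("")
    // is always true, so a stray comma would otherwise mask every property.
    static List<String> parseSuffixes(String csv) {
        List<String> suffixes = new ArrayList<>();
        for (String s : csv.split(",")) {
            if (!s.trim().isEmpty()) {
                suffixes.add(s.trim());
            }
        }
        return suffixes;
    }

    // Copy of the configuration that is safe to return to a client.
    static Map<String, String> maskForOutput(Map<String, String> conf) {
        List<String> suffixes = parseSuffixes(conf.getOrDefault(MASK_PROP, DEFAULT_SUFFIXES));
        Map<String, String> out = new LinkedHashMap<>();
        for (Map.Entry<String, String> e : conf.entrySet()) {
            boolean sensitive = suffixes.stream().anyMatch(e.getKey()::endsWith);
            out.put(e.getKey(), sensitive ? MASK : e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, String> conf = new LinkedHashMap<>(); // constructed sample values
        conf.put("oozie.authentication.signature.secret", "constructed-signing-secret");
        conf.put("oozie.service.JPAService.jdbc.password", "constructed-db-password");
        conf.put("oozie.service.JPAService.jdbc.username", "oozie");
        // Hypothetical name: contains "secret" but does not end with it, so suffix
        // matching leaves the value visible.
        conf.put("example.secret.file", "/constructed/path/secret.txt");
        maskForOutput(conf).forEach((k, v) -> System.out.println(k + " = " + v));
    }
}
```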