[ https://issues.apache.org/jira/browse/HADOOP-10791?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Kanter updated HADOOP-10791:
-----------------------------------
Attachment: HADOOP-10791.patch
The patch adds the {{SignerSecretProvider}} class, which can be subclassed for
different providers. There’s also a {{StringSignerSecretProvider}}, which just
provides a configured string, and a {{RandomSignerSecretProvider}}, which
provides a random number that rolls over. These are equivalent to the current
behavior (minus that the random secret rolls over now) and are enabled the same
way as before. In addition, an arbitrary subclass of {{SignerSecretProvider}}
can be provided programmatically by any subclasses of {{AuthenticationFilter}}.
There’s also a {{RolloverSignerSecretProvider}} (which
{{RandomSignerSecretProvider}} and HADOOP-10868 use); it supports rolling
secrets and handles a bunch of stuff for its subclasses. It rolls over at the
same interval as the token expiration.
> AuthenticationFilter should support externalizing the secret for signing and
> provide rotation support
> -----------------------------------------------------------------------------------------------------
>
> Key: HADOOP-10791
> URL: https://issues.apache.org/jira/browse/HADOOP-10791
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
> Affects Versions: 2.4.1
> Reporter: Alejandro Abdelnur
> Assignee: Robert Kanter
> Attachments: HADOOP-10791.patch
>
>
> It should be possible to externalize the secret used to sign the hadoop-auth
> cookies.
> In the case of WebHDFS the shared secret used by NN and DNs could be used. In
> the case of Oozie HA, the secret could be stored in Oozie HA control data in
> ZooKeeper.
> In addition, it is desirable for the secret to change periodically; this
> means that the AuthenticationService should remember a previous secret for
> the max duration of the hadoop-auth cookie.
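The following is an added illustration of the rollover design described in the comment above and in the issue description (a current secret plus the previous one, rolled over at the token-expiration interval). It is Python written for this page, not Hadoop's Java code: the class and function names (`RolloverSecretProvider`, `sign`, `verify_and_extract`, `demo`), the `&s=` separator and the sample token are assumptions made here, and the clock is injectable so the two rollovers can be stepped through deterministically.

```python
import hashlib
import hmac
import secrets
import time
from typing import Callable, Dict, List, Optional

SIGNATURE = "&s="  # separator between the token and its signature (assumed)


class RolloverSecretProvider:
    """Illustrative provider (not Hadoop's) holding the current secret and the
    previous one. It rolls over every `rollover_interval` seconds, which the
    JIRA text ties to the token expiration, so a cookie signed just before a
    rollover still verifies until it would have expired anyway."""

    def __init__(self, rollover_interval: float,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.rollover_interval = rollover_interval
        self._clock = clock
        self._current: bytes = secrets.token_bytes(32)
        self._previous: Optional[bytes] = None
        self._last_roll = clock()

    def _maybe_roll(self) -> None:
        elapsed = int((self._clock() - self._last_roll) // self.rollover_interval)
        if elapsed == 0:
            return
        # After two or more missed intervals every old secret is older than any
        # live token, so none of them is kept for verification.
        self._previous = self._current if elapsed == 1 else None
        self._current = secrets.token_bytes(32)
        self._last_roll += elapsed * self.rollover_interval

    def current_secret(self) -> bytes:
        self._maybe_roll()
        return self._current

    def all_secrets(self) -> List[bytes]:
        """Secrets accepted for verification: current first, then previous."""
        self._maybe_roll()
        return [s for s in (self._current, self._previous) if s is not None]


def _mac(secret: bytes, payload: str) -> str:
    return hmac.new(secret, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def sign(provider: RolloverSecretProvider, token: str) -> str:
    """Append an HMAC computed with the current secret."""
    return token + SIGNATURE + _mac(provider.current_secret(), token)


def verify_and_extract(provider: RolloverSecretProvider, signed: str) -> str:
    """Return the token if its signature matches any accepted secret."""
    idx = signed.rfind(SIGNATURE)
    if idx == -1:
        raise ValueError("Invalid signed text")
    token, sig = signed[:idx], signed[idx + len(SIGNATURE):]
    for secret in provider.all_secrets():
        # Constant-time comparison so a wrong signature leaks nothing by timing.
        if hmac.compare_digest(_mac(secret, token), sig):
            return token
    raise ValueError("Invalid signature")


def _verifies(provider: RolloverSecretProvider, signed: str) -> bool:
    try:
        verify_and_extract(provider, signed)
        return True
    except ValueError:
        return False


def demo(interval: float = 3600.0) -> Dict[str, bool]:
    """Walk a constructed cookie through two rollovers using a fake clock."""
    now = [0.0]
    provider = RolloverSecretProvider(interval, clock=lambda: now[0])
    cookie = sign(provider, "u=alice&t=simple")  # constructed sample token
    results = {"fresh": _verifies(provider, cookie)}
    results["tampered"] = _verifies(provider, cookie.replace("alice", "bob"))
    now[0] = interval + 1        # first rollover: previous secret still accepted
    results["after_one_rollover"] = _verifies(provider, cookie)
    now[0] = 2 * interval + 1    # second rollover: the signing secret is gone
    results["after_two_rollovers"] = _verifies(provider, cookie)
    return results


if __name__ == "__main__":
    print(demo())
```

Keeping exactly one previous secret is what makes the rollover interval and the token expiration line up: a cookie can only ever have been signed with the current or the immediately preceding secret while it is still within its lifetime, so anything older is rejected without the verifier having to consult a timestamp.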
--
This message was sent by Atlassian JIRA
(v6.2#6252)