[ https://issues.apache.org/jira/browse/HADOOP-7621?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13101709#comment-13101709 ]
Alejandro Abdelnur commented on HADOOP-7621: -------------------------------------------- Currently we have a config file for the task controller which has similar security requirements. We could either consolidate things in a user non-readable security-site.xml file. And/Or (but this is larger scope) we should decouple user config from cluster config. > alfredo config should be in a file not readable by users > -------------------------------------------------------- > > Key: HADOOP-7621 > URL: https://issues.apache.org/jira/browse/HADOOP-7621 > Project: Hadoop Common > Issue Type: Bug > Components: security > Affects Versions: 0.20.205.0, 0.23.0, 0.24.0 > Reporter: Alejandro Abdelnur > Priority: Critical > Fix For: 0.20.205.0, 0.23.0, 0.24.0 > > > [thxs ATM for point this one out] > Alfredo configuration currently is stored in the core-site.xml file, this > file is readable by users (it must be as Configuration defaults must be > loaded). > One of Alfredo config values is a secret which is used by all nodes to > sign/verify the authentication cookie. > A user could get hold of this secret and forge authentication cookies for > other users. > Because of this the Alfredo configuration, should be move to a user > non-readable file. -- This message is automatically generated by JIRA. For more information on JIRA, see: http://www.atlassian.com/software/jira