[ 
https://issues.apache.org/jira/browse/HADOOP-19869?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=18075608#comment-18075608
 ] 

ASF GitHub Bot commented on HADOOP-19869:
-----------------------------------------

pan3793 commented on PR #8453:
URL: https://github.com/apache/hadoop/pull/8453#issuecomment-4302026568

   @steveloughran as we have set up building in GitHub Actions (GHA), and it 
runs stably (I tested it dozens of times and haven't seen a failure), do you want 
to disable the corresponding Jenkins tests, e.g., stop running compile on 
Debian 13 and Rocky Linux 8 when native code changes, and also stop running compile 
with JDK 21? This way, we can speed up the Jenkins pipeline incrementally.
   
   An alternative is to keep Jenkins as-is and run GHA in parallel until we 
migrate all jobs to GHA. I'm afraid this will take a long time due to lots of 
flaky tests (~200 classes).




> Modernize secret manager default algorithm and key length
> ---------------------------------------------------------
>
>                 Key: HADOOP-19869
>                 URL: https://issues.apache.org/jira/browse/HADOOP-19869
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 3.5.0, 3.4.3
>            Reporter: Steve Loughran
>            Assignee: Steve Loughran
>            Priority: Minor
>              Labels: pull-request-available
>
> While doing other cleanup, I've noticed that the default checksum algorithm 
> and key length for generating secrets (block tokens, job tokens) are out of 
> date by modern standards. Not broken, just weak.
> Change the defaults to sha256 and 256 bits.
> Note that SHA-256 is becoming more vulnerable; not worrying about that as 
> these are ephemeral secrets.
> [https://stateofutopia.com/papers/2/we-broke-92-percent-of-sha-256.html]
> This is the same as setting
> {{hadoop.security.secret-manager.key-length 256}}
> {{hadoop.security.secret-manager.key-generator.algorithm HmacSHA256}}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
