[ https://issues.apache.org/jira/browse/HADOOP-10791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14077904#comment-14077904 ]
Owen O'Malley commented on HADOOP-10791:
----------------------------------------

Alejandro,
  It looks like it would make sense to use the KeyProvider for this. Having a KeyProvider implementation that reads from Zookeeper would be pretty easy.

> AuthenticationFilter should support externalizing the secret for signing and
> provide rotation support
> -----------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10791
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10791
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Robert Kanter
>         Attachments: HADOOP-10791.patch, HADOOP-10791.patch
>
>
> It should be possible to externalize the secret used to sign the hadoop-auth
> cookies.
> In the case of WebHDFS the shared secret used by NN and DNs could be used. In
> the case of Oozie HA, the secret could be stored in Oozie HA control data in
> ZooKeeper.
> In addition, it is desirable for the secret to change periodically, this
> means that the AuthenticationService should remember a previous secret for
> the max duration of hadoop-auth cookie.

--
This message was sent by Atlassian JIRA
(v6.2#6252)
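The rotation requirement in the issue description, as an added example that is not part of the original message or of the attached patches: a cookie signer that signs with the current secret and verifies against the current and the previous one. The class `RollingCookieSigner`, the `&s=` separator and the locally generated secrets are assumptions; an externalized setup would load the secrets from the shared store instead.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;

// Hypothetical class for illustration; not Hadoop's AuthenticationFilter or its signer.
public class RollingCookieSigner {
    private static final String SEP = "&s=";          // assumed value/signature separator
    private final SecureRandom rng = new SecureRandom();
    private volatile byte[][] secrets = { newSecret(), null }; // [0] current, [1] previous

    private byte[] newSecret() { byte[] s = new byte[32]; rng.nextBytes(s); return s; }

    // Call at an interval no shorter than the maximum cookie lifetime, so every
    // unexpired cookie was signed with either the current or the previous secret.
    public synchronized void roll() { secrets = new byte[][] { newSecret(), secrets[0] }; }

    public String sign(String value) { return value + SEP + mac(secrets[0], value); }

    // Returns the signed value, or null when the signature matches neither secret.
    public String verify(String signed) {
        int i = signed.lastIndexOf(SEP);
        if (i < 0) return null;
        String value = signed.substring(0, i);
        byte[] given = signed.substring(i + SEP.length()).getBytes(StandardCharsets.UTF_8);
        for (byte[] secret : secrets) {
            if (secret == null) continue;              // no previous secret before the first roll
            byte[] expected = mac(secret, value).getBytes(StandardCharsets.UTF_8);
            if (MessageDigest.isEqual(expected, given)) return value; // constant-time compare
        }
        return null;
    }

    private static String mac(byte[] secret, String value) {
        try {
            Mac m = Mac.getInstance("HmacSHA256");
            m.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] tag = m.doFinal(value.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        RollingCookieSigner s = new RollingCookieSigner();
        String cookie = s.sign("u=alice&e=1700000000"); // constructed sample cookie value
        s.roll(); System.out.println("after 1 roll accepted: " + (s.verify(cookie) != null));
        s.roll(); System.out.println("after 2 rolls accepted: " + (s.verify(cookie) != null));
    }
}
```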