[ https://issues.apache.org/jira/browse/HADOOP-10791?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14078001#comment-14078001 ]
Alejandro Abdelnur commented on HADOOP-10791:
---------------------------------------------

[~lmccay], on adding the persistent method, sure. Let's see how the ZK impl ends up being to see if we can generalize it for other impls in a superclass.

[~owen.omalley], we are already using ZK for all HA related things in Hadoop, so ZK is already there if you care about HA & failover. Having a signature secret provider going to keystore to go to zookeeper seems unnecessary complexity. Plus hadoop-auth does not have access to hadoop-common stuff.

> AuthenticationFilter should support externalizing the secret for signing and provide rotation support
> -----------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10791
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10791
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.4.1
>            Reporter: Alejandro Abdelnur
>            Assignee: Robert Kanter
>         Attachments: HADOOP-10791.patch, HADOOP-10791.patch
>
>
> It should be possible to externalize the secret used to sign the hadoop-auth cookies.
> In the case of WebHDFS the shared secret used by NN and DNs could be used. In the case of Oozie HA, the secret could be stored in Oozie HA control data in ZooKeeper.
> In addition, it is desirable for the secret to change periodically; this means that the AuthenticationService should remember a previous secret for the max duration of hadoop-auth cookie.

--
This message was sent by Atlassian JIRA (v6.2#6252)
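
The rotation requirement in the issue description (keep the previous secret for the maximum cookie lifetime), as an added example that is not hadoop-auth code and not taken from the attached patch. The class name, the `&s=` cookie layout, the use of HMAC-SHA256 and the sample secrets are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;

// Hypothetical class: signs with the current secret, verifies with current or previous.
public class RotatingCookieSigner {
    private static final String SEP = "&s=";
    private byte[] current;
    private byte[] previous; // null until the first rotation

    public RotatingCookieSigner(byte[] initial) { current = initial.clone(); }

    // Rotate no more often than the cookie's maximum lifetime: a cookie signed
    // just before a rotation then expires before its secret is dropped.
    public synchronized void rotate(byte[] next) { previous = current; current = next.clone(); }

    public synchronized String sign(String value) { return value + SEP + hmac(current, value); }

    // Returns the signed value, or null when no retained secret matches.
    public synchronized String verify(String signed) {
        int i = signed.lastIndexOf(SEP);
        if (i < 0) return null;
        String value = signed.substring(0, i);
        byte[] given = signed.substring(i + SEP.length()).getBytes(StandardCharsets.UTF_8);
        for (byte[] secret : new byte[][] { current, previous }) {
            if (secret == null) continue;
            byte[] expected = hmac(secret, value).getBytes(StandardCharsets.UTF_8);
            if (MessageDigest.isEqual(expected, given)) return value; // constant-time compare
        }
        return null;
    }

    private static String hmac(byte[] secret, String value) {
        try {
            Mac mac = Mac.getInstance("HmacSHA256");
            mac.init(new SecretKeySpec(secret, "HmacSHA256"));
            byte[] tag = mac.doFinal(value.getBytes(StandardCharsets.UTF_8));
            return Base64.getUrlEncoder().withoutPadding().encodeToString(tag);
        } catch (GeneralSecurityException e) { throw new IllegalStateException(e); }
    }

    public static void main(String[] args) {
        // Constructed sample secrets and cookie value.
        RotatingCookieSigner s = new RotatingCookieSigner("secret-A".getBytes(StandardCharsets.UTF_8));
        String cookie = s.sign("u=alice&e=1406600000000");
        s.rotate("secret-B".getBytes(StandardCharsets.UTF_8)); // secret-A is now "previous"
        System.out.println("after 1 rotation: " + (s.verify(cookie) != null));
        s.rotate("secret-C".getBytes(StandardCharsets.UTF_8)); // secret-A is no longer retained
        System.out.println("after 2 rotations: " + (s.verify(cookie) != null));
    }
}
```

In an HA deployment every instance has to see the same current and previous secret, which is what the shared store discussed in the comment (ZooKeeper) would provide.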