[ 
https://issues.apache.org/jira/browse/HADOOP-10670?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14380372#comment-14380372
 ] 

Haohui Mai commented on HADOOP-10670:
-------------------------------------

bq.  it's a side effect of the original implementation, which simply loaded the 
secret from a config property, or used a random one if not set.

My understanding is that the use case of inlining the secret was never 
supported. The property is used to pass the secret internally. The way it worked 
before HADOOP-10868 is the following:

* Users specify the initializer of the authentication filter in the 
configuration.
* {{AuthenticationFilterInitializer}} reads the secret file. The server will 
not start if the secret file does not exist. The initializer will set the 
property if it reads the file correctly.
* There is no way to specify the secret in the configuration out-of-the-box -- 
the secret is always overwritten by {{AuthenticationFilterInitializer}}.

It looks like there might be some misunderstandings in the above workflow 
in HADOOP-10868. We can remove {{StringSecretProvider}} in a separate jira. 
[~rkanter] what do you think?



> Allow AuthenticationFilter to respect signature secret file even without 
> AuthenticationFilterInitializer
> --------------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-10670
>                 URL: https://issues.apache.org/jira/browse/HADOOP-10670
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>            Reporter: Kai Zheng
>            Assignee: Kai Zheng
>            Priority: Minor
>         Attachments: HADOOP-10670-v4.patch, HADOOP-10670-v5.patch, 
> HADOOP-10670-v6.patch, hadoop-10670-v2.patch, hadoop-10670-v3.patch, 
> hadoop-10670.patch
>
>
> In Hadoop web console, by using AuthenticationFilterInitializer, it's allowed 
> to configure AuthenticationFilter for the required signature secret by 
> specifying signature.secret.file property. This improvement would also allow 
> this when AuthenticationFilterInitializer isn't used in situations like 
> webhdfs.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
