Robert Kanter created OOZIE-1917:
------------------------------------

             Summary: Authentication secret should be random by default and 
needs to coordinate with HA
                 Key: OOZIE-1917
                 URL: https://issues.apache.org/jira/browse/OOZIE-1917
             Project: Oozie
          Issue Type: Improvement
          Components: HA, security
    Affects Versions: trunk
            Reporter: Robert Kanter
            Assignee: Robert Kanter


{{oozie.authentication.signature.secret}} is currently set to {{oozie}} by 
default, which is a pretty poor value for this.  We should set it to be random 
by default (i.e. blank in oozie-site/default).  

We should also make it so that with Oozie HA, we store this value in ZooKeeper 
so all Oozie servers can use the same secret.  This may get a little tricky 
because hadoop-auth's AuthenticationFilter doesn't make it easy/practical to 
change how the Signer and secret are set.  We'll likely have to have Oozie's 
AuthFilter compute it's own random secret and do all the ZK stuff and set the 
value of {{oozie.authentication.signature.secret}} before calling 
AuthenticationFilter#init



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Reply via email to