[
https://issues.apache.org/jira/browse/OOZIE-1917?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Robert Kanter updated OOZIE-1917:
---------------------------------
Attachment: OOZIE-1917.patch
The new patch removes the signature.secret property from oozie-site/default. I
left it in the docs for completeness, but updated the description to recommend
users not set it; and I removed it from the HA part.
[~rohini], does that sound good?
> Authentication secret should be random by default and needs to coordinate
> with HA
> ---------------------------------------------------------------------------------
>
> Key: OOZIE-1917
> URL: https://issues.apache.org/jira/browse/OOZIE-1917
> Project: Oozie
> Issue Type: Improvement
> Components: HA, security
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Critical
> Attachments: OOZIE-1917.patch, OOZIE-1917.patch
>
>
> {{oozie.authentication.signature.secret}} is currently set to {{oozie}} by
> default, which is a pretty poor value for this. We should set it to be
> random by default (i.e. blank in oozie-site/default).
> We should also make it so that with Oozie HA, we store this value in
> ZooKeeper so all Oozie servers can use the same secret. This may get a
> little tricky because hadoop-auth's AuthenticationFilter doesn't make it
> easy/practical to change how the Signer and secret are set. We'll likely
> have to have Oozie's AuthFilter compute it's own random secret and do all the
> ZK stuff and set the value of {{oozie.authentication.signature.secret}}
> before calling AuthenticationFilter#init
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
