diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt
index fe9710f5cd..6245bcf8f9 100644
--- a/hadoop-common-project/hadoop-common/CHANGES.txt
+++ b/hadoop-common-project/hadoop-common/CHANGES.txt
@@ -23,6 +23,9 @@ Trunk (unreleased changes)
HADOOP-7641. Add Apache License to template config files (Eric Yang via atm)
+ HADOOP-7621. alfredo config should be in a file not readable by users
+ (Alejandro Abdelnur via atm)
+
Release 0.23.0 - Unreleased
INCOMPATIBLE CHANGES
diff --git a/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml b/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
index 15abfbb044..5c756ac21c 100644
--- a/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
+++ b/hadoop-common-project/hadoop-common/src/main/docs/src/documentation/content/xdocs/HttpAuthentication.xml
@@ -82,10 +82,12 @@
36000
.
- hadoop.http.authentication.signature.secret
: The signature secret for
- signing the authentication tokens. If not set a random secret is generated at
+
hadoop.http.authentication.signature.secret.file
: The signature secret
+ file for signing the authentication tokens. If not set a random secret is generated at
startup time. The same secret should be used for all nodes in the cluster, JobTracker,
- NameNode, DataNode and TastTracker. The default value is a hadoop
value.
+ NameNode, DataNode and TastTracker. The default value is
+ ${user.home}/hadoop-http-auth-signature-secret
.
+ IMPORTANT: This file should be readable only by the Unix user running the daemons.
hadoop.http.authentication.cookie.domain
: The domain to use for the HTTP
diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
index cd6ab7b326..666632d5bf 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/AuthenticationFilterInitializer.java
@@ -22,6 +22,9 @@
import org.apache.hadoop.http.FilterContainer;
import org.apache.hadoop.http.FilterInitializer;
+import java.io.FileReader;
+import java.io.IOException;
+import java.io.Reader;
import java.util.HashMap;
import java.util.Map;
@@ -40,8 +43,10 @@
*/
public class AuthenticationFilterInitializer extends FilterInitializer {
- private static final String PREFIX = "hadoop.http.authentication.";
+ static final String PREFIX = "hadoop.http.authentication.";
+ static final String SIGNATURE_SECRET_FILE = AuthenticationFilter.SIGNATURE_SECRET + ".file";
+
/**
* Initializes Alfredo AuthenticationFilter.
*
@@ -67,6 +72,25 @@ public void initFilter(FilterContainer container, Configuration conf) {
}
}
+ String signatureSecretFile = filterConfig.get(SIGNATURE_SECRET_FILE);
+ if (signatureSecretFile == null) {
+ throw new RuntimeException("Undefined property: " + SIGNATURE_SECRET_FILE);
+ }
+
+ try {
+ StringBuilder secret = new StringBuilder();
+ Reader reader = new FileReader(signatureSecretFile);
+ int c = reader.read();
+ while (c > -1) {
+ secret.append((char)c);
+ c = reader.read();
+ }
+ reader.close();
+ filterConfig.put(AuthenticationFilter.SIGNATURE_SECRET, secret.toString());
+ } catch (IOException ex) {
+ throw new RuntimeException("Could not read HTTP signature secret file: " + signatureSecretFile);
+ }
+
container.addFilter("authentication",
AuthenticationFilter.class.getName(),
filterConfig);
diff --git a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
index d4b4030559..e34c202373 100644
--- a/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
+++ b/hadoop-common-project/hadoop-common/src/main/resources/core-default.xml
@@ -808,8 +808,8 @@
- hadoop.http.authentication.signature.secret
- hadoop
+ hadoop.http.authentication.signature.secret.file
+ ${user.home}/hadoop-http-auth-signature-secret
The signature secret for signing the authentication tokens.
If not set a random secret is generated at startup time.
diff --git a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
index 7a21e4c6b8..2d699ddcf1 100644
--- a/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
+++ b/hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/security/TestAuthenticationFilter.java
@@ -25,14 +25,28 @@
import org.mockito.invocation.InvocationOnMock;
import org.mockito.stubbing.Answer;
+import java.io.File;
+import java.io.FileWriter;
+import java.io.Writer;
import java.util.Map;
public class TestAuthenticationFilter extends TestCase {
@SuppressWarnings("unchecked")
- public void testConfiguration() {
+ public void testConfiguration() throws Exception {
Configuration conf = new Configuration();
conf.set("hadoop.http.authentication.foo", "bar");
+
+ File testDir = new File(System.getProperty("test.build.data",
+ "target/test-dir"));
+ testDir.mkdirs();
+ File secretFile = new File(testDir, "http-secret.txt");
+ Writer writer = new FileWriter(new File(testDir, "http-secret.txt"));
+ writer.write("hadoop");
+ writer.close();
+ conf.set(AuthenticationFilterInitializer.PREFIX +
+ AuthenticationFilterInitializer.SIGNATURE_SECRET_FILE,
+ secretFile.getAbsolutePath());
FilterContainer container = Mockito.mock(FilterContainer.class);
Mockito.doAnswer(
diff --git a/hadoop-project/pom.xml b/hadoop-project/pom.xml
index 290d33d02f..aa9b43f7fd 100644
--- a/hadoop-project/pom.xml
+++ b/hadoop-project/pom.xml
@@ -76,6 +76,9 @@
https://repository.apache.org/content/repositories/snapshots
1.0.3
+
+ ${project.build.directory}/test-dir
+ ${test.build.dir}
@@ -554,6 +557,25 @@
+
+ org.apache.maven.plugins
+ maven-antrun-plugin
+
+
+ create-testdirs
+ validate
+
+ run
+
+
+
+
+
+
+
+
+
+
org.apache.maven.plugins
maven-compiler-plugin