accumulo-notifications mailing list archives

From "Michael Berman (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-1009) Support encryption over the wire
Date Wed, 11 Sep 2013 15:27:51 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-1009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13764405#comment-13764405 ]

Michael Berman commented on ACCUMULO-1009:
------------------------------------------

I'm not rewriting any custom socket code...all the socket code is deep inside thrift.  There's
no way the JSSE properties can be respected automatically, since the thrift stack looks pretty
different for an SSL server, so we will end up examining and branching based on the properties
no matter how we do it.

So are you ok with properties like {{javax.net.ssl.keyStore}} being defined in accumulo-site.xml
and the Property enum?  This is not a client-side setting; the tservers themselves need to
know where to find the keyStore.

I've also noticed there is already {{monitor.ssl.keyStore}} (and associated properties) used
for configuring SSL for the monitor's webpage.  This has different requirements from the thrift
SSL settings, since there is only one monitor, but it would be good for it to be signed by
a root that browsers are likely to recognize.  This means that probably you want the monitor
to have a cert cut from a "real" CA, but enforcing that requirement for every tserver will
be unwieldy and not necessary for most deployments.

Is there any particular reason that it's ok for the monitor to have custom SSL properties,
but not the RPC connections?  Or, if the monitor _should_ use JSSE properties, how should
we resolve the different requirements between it and the RPC connections?

Or do you think we should only be using JSSE properties for clients, and use our own settings
for servers?  In which case, which side do the thrift clients created by accumulo services
fall on?
                
> Support encryption over the wire
> --------------------------------
>
>                 Key: ACCUMULO-1009
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1009
>             Project: Accumulo
>          Issue Type: New Feature
>            Reporter: Keith Turner
>            Assignee: Michael Berman
>             Fix For: 1.6.0
>
>         Attachments: ACCUMULO-1009_thriftSsl.patch
>
>
> Need to support encryption between ACCUMULO clients and servers. Also need to encrypt communications between server and servers.
> Basically need to make it possible for users to enable SSL+thrift.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
