accumulo-notifications mailing list archives

From "Alex Moundalexis (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-1009) Support encryption over the wire
Date Thu, 19 Sep 2013 15:07:54 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-1009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771958#comment-13771958 ]

Alex Moundalexis commented on ACCUMULO-1009:
--------------------------------------------

I'll throw in my $0.02; in short, resist the temptation to handle certificate provisioning.


If provisioning is included, it becomes a type of one-off product that:
* does its own thing
* has to be maintained
* security/admin folks have to address separately as a one-off

When key/truststores can be reused between services, it makes the life of the admin a lot easier.
For users that require encryption in transit, certificates are typically well understood and
tooling exists to generate and provision. That being said, trying to shoehorn those certs
into an internally-provisioned piece is usually kludgy at best.

I see "accumulo init" as a case where steps -- though complicated -- are going to be identical
across users and are required to get the thing up and running, whereas the generation of certificates
is going to vary a bit and is still optional.

I'm fairly new to Accumulo, but I've spent a good chunk of time supporting other systems requiring
encryption in-transit.

                
> Support encryption over the wire
> --------------------------------
>
>                 Key: ACCUMULO-1009
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1009
>             Project: Accumulo
>          Issue Type: New Feature
>            Reporter: Keith Turner
>            Assignee: Michael Berman
>             Fix For: 1.6.0
>
>         Attachments: ACCUMULO-1009_thriftSsl.patch
>
>
> Need to support encryption between ACCUMULO clients and servers.  Also need to encrypt communications between server and servers.
> Basically need to make it possible for users to enable SSL+thrift.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
