accumulo-notifications mailing list archives

From "Michael Berman (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-1009) Support encryption over the wire
Date Thu, 19 Sep 2013 17:00:54 GMT


Michael Berman commented on ACCUMULO-1009:

I'll start versioning my patches.

I wasn't thinking CertUtils would be the final interface to cert provisioning; I just provided
that for our MAC testing and to bootstrap other developers trying out my patch.  As it is,
it doesn't really do anything that keytool doesn't do, but my intention is that there would
be another layer of tool on top of it that helps with the cluster management aspects.  So,
you run {{accumulo init-ssl}} for the first time on one machine, and it generates all the
certs, and sticks the root on HDFS somewhere.  Then, if you run init-ssl on another node,
it copies the root to the local system, cuts a fresh private key off of it, and sticks both
in the default locations.  The instance secret is also used as the keystore password, and
the location in HDFS for the keystore is well known given an instance name, so there doesn't
need to be any human intervention to cut new private keys for each new node, apart from running
the script, assuming you're using all the defaults.  Of course, all of this would be optional;
you can always stick in arbitrary keys from arbitrary sources.

WRT MAC, not only do I feel comfortable supporting it, I think it's super valuable for others
to be able to test their own apps against SSL-enabled Accumulo.

I'm fine getting rid of the sslEnabled constructors.

I think the proxy needs to support SSL on both sides.  A subticket definitely makes sense
to me.

> Support encryption over the wire
> --------------------------------
>                 Key: ACCUMULO-1009
>                 URL:
>             Project: Accumulo
>          Issue Type: New Feature
>            Reporter: Keith Turner
>            Assignee: Michael Berman
>             Fix For: 1.6.0
>         Attachments: ACCUMULO-1009_thriftSsl.patch
> Need to support encryption between ACCUMULO clients and servers.  Also need to encrypt communications between server and servers.
> Basically need to make it possible for users to enable SSL+thrift.
