accumulo-notifications mailing list archives

From "Christopher Tubbs (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-1009) Support encryption over the wire
Date Fri, 20 Sep 2013 17:53:51 GMT


Christopher Tubbs commented on ACCUMULO-1009:

*Summarizing the recent major points:*

# No bouncycastle dependency
** ~unless and until any possible legal obligations for crypto are described and satisfied
(feature *BLOCKER*)~
# Integration tests for configuration of all security options are needed
** ~We need to ensure that user-provided certificates work correctly. (I recommend keytool-maven-plugin
with MAC). Similar integration tests can be written as examples for how users can test their
applications (and we can bake these into future Instamo versions). (feature *BLOCKER*)~
# No automatic cert provisioning, even in MAC
** ~it makes decisions about the specific security environment to be used (or tested) that
does not help an informed user conscientious of security, who wants to use (or test) a specific

*Regarding the proposed "init-ssl":*

# The proposed implementation, putting CA private certs in HDFS, is a *very* bad idea
** ~it undermines the "authority" part of the term CA. (I realize this is only one possible
way this could be implemented.)~
# The CertUtils and proposed init-ssl are attempts to make it easier for users. I think this
would better be achieved by:
** ~good documentation for how to generate and configure certs~
** ~reference existing (external) provisioning tools (like keytool, openssl, and keytool-maven-plugin)~
** ~examples~
# init-ssl would be useful, but...
** ~if added, it can easily wrap keytool or openssl, rather than custom provisioning code~
** ~it may be more useful to bake this into the proposed Configurator (ACCUMULO-780), as
an additional prompt~
> Support encryption over the wire
> --------------------------------
>                 Key: ACCUMULO-1009
>                 URL:
>             Project: Accumulo
>          Issue Type: New Feature
>            Reporter: Keith Turner
>            Assignee: Michael Berman
>             Fix For: 1.6.0
>         Attachments: ACCUMULO-1009_thriftSsl.patch
> Need to support encryption between ACCUMULO clients and servers.  Also need to encrypt communications between server and servers.
> Basically need to make it possible for users to enable SSL+thrift.
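
The comment above suggests that an init-ssl could wrap openssl rather than carry custom provisioning code, and objects to placing CA private material on shared storage. The following is an added sketch of that idea, not code from the ACCUMULO-1009 patch or the Accumulo project; the function names, directory layout and subject names are assumptions.

```shell
#!/bin/sh
# Added example (hypothetical wrapper around openssl; names and paths are assumptions).
# CA_DIR holds the CA private key and stays on the signing host only.
# DIST_DIR holds what one server needs: its own key and cert plus the CA cert.

init_ca() {  # usage: init_ca CA_DIR
    ca_dir=$1
    mkdir -p "$ca_dir" && chmod 700 "$ca_dir" || return 1
    ( umask 077   # private key files are created owner-only
      openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
          -subj "/CN=Constructed Test CA" \
          -keyout "$ca_dir/ca.key" -out "$ca_dir/ca.crt" 2>/dev/null )
}

issue_cert() {  # usage: issue_cert CA_DIR DIST_DIR HOSTNAME
    ca_dir=$1; dist=$2; host=$3
    mkdir -p "$dist" || return 1
    ( umask 077
      openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$host" \
          -keyout "$dist/$host.key" -out "$dist/$host.csr" 2>/dev/null ) || return 1
    openssl x509 -req -sha256 -days 90 -in "$dist/$host.csr" \
        -CA "$ca_dir/ca.crt" -CAkey "$ca_dir/ca.key" \
        -CAserial "$ca_dir/ca.srl" -CAcreateserial \
        -out "$dist/$host.crt" 2>/dev/null || return 1
    rm -f "$dist/$host.csr"
    cp "$ca_dir/ca.crt" "$dist/ca.crt"   # public cert only; ca.key is never copied
}

check_dist() {  # usage: check_dist DIST_DIR HOSTNAME
    dist=$1; host=$2
    # The host certificate must chain to the distributed CA certificate.
    openssl verify -CAfile "$dist/ca.crt" "$dist/$host.crt" >/dev/null 2>&1 || return 1
    # Fail if any key in DIST_DIR is the CA's private key, whatever it is named:
    # compare each key's public half with the public key inside ca.crt.
    ca_pub=$(openssl x509 -in "$dist/ca.crt" -noout -pubkey) || return 1
    for k in "$dist"/*.key; do
        [ -f "$k" ] || continue
        [ "$(openssl pkey -in "$k" -pubout 2>/dev/null)" != "$ca_pub" ] || return 1
    done
}
```

Only the contents of DIST_DIR are meant to be copied to a server; `check_dist` is the gate to run before doing so.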
