accumulo-notifications mailing list archives

From "Christopher Tubbs (JIRA)" <j...@apache.org>
Subject [jira] [Comment Edited] (ACCUMULO-1009) Support encryption over the wire
Date Fri, 20 Sep 2013 17:53:53 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-1009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13773239#comment-13773239 ]

Christopher Tubbs edited comment on ACCUMULO-1009 at 9/20/13 5:53 PM:
----------------------------------------------------------------------

*Summarizing the recent major points:*

# No bouncycastle dependency
** ~unless and until any possible legal obligations for crypto are described and satisfied
(feature *BLOCKER*)~
# Integration tests for configuration of all security options are needed
** ~We need to ensure that user-provided certificates work correctly. I recommend keytool-maven-plugin
with MAC. (feature *BLOCKER*)~
** ~Similar integration tests can be written as examples for how users can test their applications
(and we can bake these into future Instamo versions).~
# No automatic cert provisioning, even in MAC
** ~it makes decisions about the specific security environment to be used (or tested) that
does not help an informed user conscientious of security, who wants to use (or test) a specific
configuration~

*Regarding the proposed "init-ssl":*

# The proposed implementation, putting CA private certs in HDFS, is a *very* bad idea
** ~it undermines the "authority" part of the term CA. (I realize this is only one possible
way this could be implemented.)~
# The CertUtils and proposed init-ssl are attempts to make it easier for users. I think this
would better be achieved by:
** ~good documentation for how to generate and configure certs~
** ~reference existing (external) provisioning tools (like keytool, openssl, and keytool-maven-plugin)~
** ~examples~
# init-ssl would be useful, but...
** ~if added, it can easily wrap keytool or openssl, rather than custom provisioning code~
** ~it may be more useful to bake this in to the proposed Configurator (ACCUMULO-780), as
an additional prompt~
                
      was (Author: ctubbsii):
    *Summarizing the recent major points:*

# No bouncycastle dependency
** ~unless and until any possible legal obligations for crypto are described and satisfied
(feature *BLOCKER*)~
# Integration tests for configuration of all security options are needed
** ~We need to ensure that user-provided certificates work correctly. (I recommend keytool-maven-plugin
with MAC). Similar integration tests can be written as examples for how users can test their
applications (and we can bake these into future Instamo versions). (feature *BLOCKER*)~
# No automatic cert provisioning, even in MAC
** ~it makes decisions about the specific security environment to be used (or tested) that
does not help an informed user conscientious of security, who wants to use (or test) a specific
configuration~

*Regarding the proposed "init-ssl":*

# The proposed implementation, putting CA private certs in HDFS, is a *very* bad idea
** ~it undermines the "authority" part of the term CA. (I realize this is only one possible
way this could be implemented.)~
# The CertUtils and proposed init-ssl are attempts to make it easier for users. I think this
would better be achieved by:
** ~good documentation for how to generate and configure certs~
** ~reference existing (external) provisioning tools (like keytool, openssl, and keytool-maven-plugin)~
** ~examples~
# init-ssl would be useful, but...
** ~if added, it can easily wrap keytool or openssl, rather than custom provisioning code~
** ~it may be more useful to bake this in to the proposed Configurator (ACCUMULO-780), as
an additional prompt~
                  
> Support encryption over the wire
> --------------------------------
>
>                 Key: ACCUMULO-1009
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1009
>             Project: Accumulo
>          Issue Type: New Feature
>            Reporter: Keith Turner
>            Assignee: Michael Berman
>             Fix For: 1.6.0
>
>         Attachments: ACCUMULO-1009_thriftSsl.patch
>
>
> Need to support encryption between ACCUMULO clients and servers.  Also need to encrypt communications between server and servers.
> Basically need to make it possible for users to enable SSL+thrift.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
