accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Berman (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-1009) Support encryption over the wire
Date Fri, 20 Sep 2013 18:47:51 GMT


Michael Berman commented on ACCUMULO-1009:

I'm assuming by "the recent major points" you're specifically talking about your own recent
major points.  Just clarifying because it sounds like you're asserting points that I don't
believe are universally agreed upon.  Some specific responses to new points that I haven't
seen before upthread...

bq. The proposed implementation, putting CA private certs in HDFS, is a very bad idea (it
undermines the "authority" part of the term CA)

Really?  All it's saying is that anyone with the password to decrypt the key _is_ the authority.
 I don't believe there's anything fundamental about the concept of "authority" that requires
they only work from one physical machine.  As it is, if you have the instance secret, you
can do whatever you want with the accumulo cluster.  The root of trust has to start somewhere,
and for the rest of accumulo, at the moment, that root of trust is the filesystem security
on the site config.  I don't see why it would be a problem for the same to be true for the
SSL trust.

bq. init-ssl would be useful, but if added, it can easily wrap keytool or openssl, rather
than custom provisioning code

Why is wrapping keytool or openssl better than wrapping bouncycastle?  The interfaces are
pretty much the same, except that BC can be pulled in as a maven dependency and doesn't require
a brittle connection to tools separately installed on the system in varied versions and locations.
> Support encryption over the wire
> --------------------------------
>                 Key: ACCUMULO-1009
>                 URL:
>             Project: Accumulo
>          Issue Type: New Feature
>            Reporter: Keith Turner
>            Assignee: Michael Berman
>             Fix For: 1.6.0
>         Attachments: ACCUMULO-1009_thriftSsl.patch
> Need to support encryption between ACCUMULO clients and servers.  Also need to encrypt
communications between server and servers.   
> Basically need to make it possible for users to enable SSL+thrift.

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message