accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "John Vines (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-1720) Accumulo saves the root user's password in the clear in Zookeeper
Date Wed, 18 Sep 2013 05:05:56 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-1720?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13770438#comment-13770438
] 

John Vines commented on ACCUMULO-1720:
--------------------------------------

It's still protected by file system permissions of the ZooKeeper users, so I don't see it
as a giant concern, WRT making a private ticket. If a user has access to the disk image of
ZooKeeper's data, then yes, it is an insecurity in spite of it being ACLed by ZooKeeper, as
well as anyone listening to the connection between Accumulo and ZK ( can be mitigated with
Kerberozied ZooKeeper).
                
> Accumulo saves the root user's password in the clear in Zookeeper
> -----------------------------------------------------------------
>
>                 Key: ACCUMULO-1720
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1720
>             Project: Accumulo
>          Issue Type: Bug
>          Components: tserver
>    Affects Versions: 1.5.0
>            Reporter: Michael Allen
>
> In reviewing some of the security around users, it came to my attention that Accumulo
stores the root user's password within Zookeeper in the clear.  Grepping through Zookeeper's
data files proves this out (as does inspecting the code).
> This passwords should be stored heavily salted and hashed, as the other user passwords
are.  Is there any reason why it isn't?

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira

Mime
View raw message