accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Michael Allen (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-1720) Accumulo saves the root user's password in the clear in Zookeeper
Date Wed, 18 Sep 2013 07:35:51 GMT


Michael Allen commented on ACCUMULO-1720:

I think I have misread the code here; clearly, the code does salt and hash the passwords.

ZKAuthenticator.initializeSecurity(...)  ...

             constructUser(principal, ZKSecurityTool.createPass(token));

ZKSecurityTool.createPass(...) ...

    byte[] salt = generateSalt();
    return convertPass(password, salt);

ZKSecurityTool.convertPass(....) ...

    byte[] hashed = hash(plainSalt);

ZKSecurityTool.hash(...) ...

    MessageDigest md = MessageDigest.getInstance(Constants.PW_HASH_ALGORITHM);
    return md.digest();

When I was inspecting this code (with apparently too little sleep), I missed the hash() step
in convertPass().  However, when I was trying to confirm my suspicion, I tried grepping for
my usual password for root when I'm developing ("secret") in the ZooKeeper raw data files
and got more than a few hits within the binary data.  Not sure what that's about.

Anyway, this bug isn't a bug, thank goodness.

> Accumulo saves the root user's password in the clear in Zookeeper
> -----------------------------------------------------------------
>                 Key: ACCUMULO-1720
>                 URL:
>             Project: Accumulo
>          Issue Type: Bug
>          Components: tserver
>    Affects Versions: 1.5.0
>            Reporter: Michael Allen
> In reviewing some of the security around users, it came to my attention that Accumulo
stores the root user's password within Zookeeper in the clear.  Grepping through Zookeeper's
data files proves this out (as does inspecting the code).
> This passwords should be stored heavily salted and hashed, as the other user passwords
are.  Is there any reason why it isn't?

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see:

View raw message