accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christopher Tubbs (JIRA)" <>
Subject [jira] [Commented] (ACCUMULO-1165) Use a unique SystemToken (credentials) for each server instance (TServer, etc.)
Date Thu, 13 Mar 2014 16:23:46 GMT


Christopher Tubbs commented on ACCUMULO-1165:

Using Kerberos could be one way of implementing this, sure.

> Use a unique SystemToken (credentials) for each server instance (TServer, etc.)
> -------------------------------------------------------------------------------
>                 Key: ACCUMULO-1165
>                 URL:
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: tserver
>            Reporter: Christopher Tubbs
>            Assignee: Christopher Tubbs
> Each component should use unique system credentials, and those credentials should only
be valid while a tablet server (or other component) holds a lock in zookeeper.
> This behavior more accurately reflects the security model for system components, and
may be able to help reduce or eliminate the possibility of multiple-assignment. It could also
help prevent problems of other "half-dead" components that have lost their lock (such as a
master), by adding an authentication check for the master in the tablet servers.
> It's important to realize that this ticket doesn't necessarily improve security (any
component with access to the configuration secret can fake it the lock ID), but it does provide
additional sanity checks by authenticating individual system components, and improves the
handling of failure conditions.

This message was sent by Atlassian JIRA

View raw message