accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Christopher Tubbs (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-2432) MAC should have an option for creating it's own ssl certs
Date Wed, 18 Jun 2014 22:14:24 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-2432?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14036511#comment-14036511
] 

Christopher Tubbs commented on ACCUMULO-2432:
---------------------------------------------

What exactly would a tester be testing if enabling *some* arbitrary SSL configuration, if
that configuration is transparent to the tester?

As far as I can tell, the use case for SSL in MAC (which is satisfied today) is:
# Configure MAC with some particular SSL configuration.
# Configure client with compatible configuration and verify successful comms.
# Configure client without compatible configuration and verify that it fails.

The use case for running with an auto-generated configuration seems to be:
# Configure MAC with an arbitrary configuration, which is transparent to the tester (but presumed
to be an analogue to a secure configuration)
# Somehow obtain a client pre-configured with a compatible configuration (another API addition?)
and verify successful comms.
# Configure client without compatible configuration and verify that it fails.

But what can you actually learn from the test with the auto-generated configuration?

As far as I can tell, the only thing you can learn is that calling a method first makes things
work. You could verify that the client without a compatible configuration fails, but since
the configuration is transparent to the tester, there can be no confidence gained that the
any security requirements were actually exercised and verified to work, to explain the failure
in any meaningful way.

Providing some "InsecureSecureEnvironment" is a bit non-sensical, isn't it? It's certainly
not intuitive, and I can't imagine such a thing's existence would actually raise confidence
in Accumulo's SSL features or encourage adoption.

> MAC should have an option for creating it's own ssl certs
> ---------------------------------------------------------
>
>                 Key: ACCUMULO-2432
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-2432
>             Project: Accumulo
>          Issue Type: Bug
>          Components: mini
>            Reporter: John Vines
>              Labels: newbie
>             Fix For: 1.7.0
>
>
> Currently ssl certs must be generated prior to starting mac, and passed in. We should
find a way to make that as seamless as possible.



--
This message was sent by Atlassian JIRA
(v6.2#6252)

Mime
View raw message