accumulo-notifications mailing list archives

From "Sean Busbey (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-3622) admin tool for resetting passwords stored in ZKAuthenticator
Date Thu, 26 Feb 2015 14:24:04 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-3622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14338442#comment-14338442 ]

Sean Busbey commented on ACCUMULO-3622:
---------------------------------------

{{accumulo init --reset-security}} won't work for this. It deletes all users, not just the
root user.

{code}
[busbey@gateway ~]$ /usr/lib/accumulo/bin/accumulo shell -u root
Password: ********

Shell - Apache Accumulo Interactive Shell
- 
- version: 1.7.0-SNAPSHOT
- instance name: dedicated
- instance id: 98b4f38d-c792-4ad3-b1d0-bdb119fb47f7
- 
- type 'help' for a list of available commands
- 
root@dedicated> createuser example_user
2015-02-26 06:14:57,271 [Shell.audit] INFO : root@dedicated> createuser example_user
Enter new password for 'example_user': ******
Please confirm new password for 'example_user': ******
root@dedicated> createuser some_other_user
2015-02-26 06:15:06,862 [Shell.audit] INFO : root@dedicated> createuser some_other_user
Enter new password for 'some_other_user': ******
Please confirm new password for 'some_other_user': ******
root@dedicated> users
2015-02-26 06:15:13,605 [Shell.audit] INFO : root@dedicated> users
some_other_user
root
example_user
root@dedicated> exit
2015-02-26 06:15:15,974 [Shell.audit] INFO : root@dedicated> exit
[busbey@a1021 ~]$ /usr/lib/accumulo/bin/accumulo init --reset-security
Enter initial password for root (this may not be applicable for your security setup): ********
Confirm initial password for root: ********
2015-02-26 06:15:37,008 [conf.AccumuloConfiguration] INFO : Loaded class : org.apache.accumulo.server.security.handler.ZKAuthorizor
2015-02-26 06:15:37,010 [conf.AccumuloConfiguration] INFO : Loaded class : org.apache.accumulo.server.security.handler.ZKAuthenticator
2015-02-26 06:15:37,013 [conf.AccumuloConfiguration] INFO : Loaded class : org.apache.accumulo.server.security.handler.ZKPermHandler
2015-02-26 06:15:37,307 [handler.ZKAuthenticator] INFO : Removed /accumulo/98b4f38d-c792-4ad3-b1d0-bdb119fb47f7/users/ from zookeeper
[busbey@a1021 ~]$ /usr/lib/accumulo/bin/accumulo shell -u root
Password: ********

Shell - Apache Accumulo Interactive Shell
- 
- version: 1.7.0-SNAPSHOT
- instance name: dedicated
- instance id: 98b4f38d-c792-4ad3-b1d0-bdb119fb47f7
- 
- type 'help' for a list of available commands
- 
root@dedicated> users
2015-02-26 06:15:52,500 [Shell.audit] INFO : root@dedicated> users
root
root@dedicated> 
{code}

> admin tool for resetting passwords stored in ZKAuthenticator
> ------------------------------------------------------------
>
>                 Key: ACCUMULO-3622
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3622
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: zookeeper
>    Affects Versions: 1.5.0, 1.6.0
>            Reporter: Sean Busbey
>            Priority: Critical
>              Labels: operations, supportability
>             Fix For: 1.5.3, 1.7.0, 1.6.3
>
>
> For clusters that rely on the ZKAuthenticator, we should add an admin tool that will do password resets outside of the shell. The tool will need to be supplied the ZK quorum, the instance-id (or name), and the instance secret.
> The main use case here is should a change management failure happen that results in losing the root user password.
> Currently, when users face this problem their only option is to access ZK's restricted properties directly with the instance secret (via ACCUMULO-2469) and then overwrite the contents of the node {{/accumulo/<instance id>/users/root}} with the following byte array (per [ZKSecurityTool|https://github.com/apache/accumulo/blob/1.6.2/server/base/src/main/java/org/apache/accumulo/server/security/handler/ZKSecurityTool.java#L87] for 1.6.z):
> {code}
> [8 byte salt][32 byte output of SHA-256([UTF8 bytes of password][8 byte salt])]
> {code}
> The tool should live with the other non-public-api internal tools (server/base/src/main/java/org/apache/accumulo/server/util/).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
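
The node layout quoted in the issue description, built and checked in Python. This is an added example, not part of the original message and not Accumulo's own code; the function names and the sample passwords are hypothetical, and the layout is taken only from the byte-array description above. Writing the value to ZooKeeper is not shown.

```python
import hashlib
import hmac
import os
from typing import Optional

SALT_LEN = 8     # "[8 byte salt]" per the issue text
DIGEST_LEN = 32  # SHA-256 output size


def encode_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || SHA-256(UTF-8 password || salt), 40 bytes in total."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for every reset
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly 8 bytes")
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return salt + digest


def check_password(password: str, stored: bytes) -> bool:
    """Verify a candidate password against a stored 40-byte value."""
    # Reject truncated or padded node contents before slicing.
    if len(stored) != SALT_LEN + DIGEST_LEN:
        return False
    salt, expected = stored[:SALT_LEN], stored[SALT_LEN:]
    actual = hashlib.sha256(password.encode("utf-8") + salt).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(actual, expected)


if __name__ == "__main__":
    # Constructed sample password, for illustration only.
    value = encode_password("example-new-root-password")
    print(len(value), "bytes:", value.hex())
    print("verifies:", check_password("example-new-root-password", value))
    print("wrong password:", check_password("not-the-password", value))
```

The salt comes first in the stored value but last in the hashed input, so a check that hashes salt-then-password will never match.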
