accumulo-notifications mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Sean Busbey (JIRA)" <j...@apache.org>
Subject [jira] [Created] (ACCUMULO-3622) admin tool for reseting passwords stored in ZKAuthenticator
Date Tue, 24 Feb 2015 23:17:04 GMT
Sean Busbey created ACCUMULO-3622:
-------------------------------------

             Summary: admin tool for reseting passwords stored in ZKAuthenticator
                 Key: ACCUMULO-3622
                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3622
             Project: Accumulo
          Issue Type: Improvement
          Components: zookeeper
    Affects Versions: 1.6.0, 1.5.0
            Reporter: Sean Busbey
            Priority: Critical
             Fix For: 1.5.3, 1.7.0, 1.6.3


For clusters that rely on the ZKAuthenticator, we should add an admin tool that will do password
resets outside of the shell. The tool will need to be supplied the ZK quorum, the instance-id
(or name), and the instance secret.

The main use case here is should a change management failure happen that results in losing
the root user password.

Currently, when users face this problem their only option is to access ZK's restricted properties
directly with the instance secret (via ACCUMULO-2469) and then overwrite the contents of the
node {{/accumulo/<instance id>/users/root}} with the following byte array (per [ZKSecurityTool|https://github.com/apache/accumulo/blob/1.6.2/server/base/src/main/java/org/apache/accumulo/server/security/handler/ZKSecurityTool.java#L87]
for 1.6.z):

{code}
[8 byte salt][32 byte output of SHA-256([UTF8 bytes of password][8 byte salt])]
{code}

The tool should live with the other non-public-api internal tools (server/base/src/main/java/org/apache/accumulo/server/util/).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message