[ https://issues.apache.org/jira/browse/ACCUMULO-1009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13773239#comment-13773239 ]
Christopher Tubbs edited comment on ACCUMULO-1009 at 9/20/13 5:53 PM:
----------------------------------------------------------------------
*Summarizing the recent major points:*
# No bouncycastle dependency
** ~unless and until any possible legal obligations for crypto are described
and satisfied (feature *BLOCKER*)~
# Integration tests for configuration of all security options are needed
** ~We need to ensure that user-provided certificates work correctly. I
recommend keytool-maven-plugin with MAC. (feature *BLOCKER*)~
** ~Similar integration tests can be written as examples for how users can test
their applications (and we can bake these into future Instamo versions).~
# No automatic cert provisioning, even in MAC
** ~it makes decisions about the specific security environment to be used (or
tested) that does not help an informed user conscientious of security, who
wants to use (or test) a specific configuration~
*Regarding the proposed "init-ssl":*
# The proposed implementation, putting CA private certs in HDFS, is a *very*
bad idea
** ~it undermines the "authority" part of the term CA. (I realize this is only
one possible way this could be implemented.)~
# The CertUtils and proposed init-ssl are attempts to make it easier for users.
I think this would better be achieved by:
** ~good documentation for how to generate and configure certs~
** ~reference existing (external) provisioning tools (like keytool, openssl,
and keytool-maven-plugin)~
** ~examples~
# init-ssl would be useful, but...
** ~if added, it can easily wrap keytool or openssl, rather than custom
provisioning code~
** ~it may be more useful to bake this in to the proposed Configurator
(ACCUMULO-780), as an additional prompt~
was (Author: ctubbsii):
*Summarizing the recent major points:*
# No bouncycastle dependency
** ~unless and until any possible legal obligations for crypto are described
and satisfied (feature *BLOCKER*)~
# Integration tests for configuration of all security options are needed
** ~We need to ensure that user-provided certificates work correctly. (I
recommend keytool-maven-plugin with MAC). Similar integration tests can be
written as examples for how users can test their applications (and we can bake
these into future Instamo versions). (feature *BLOCKER*)~
# No automatic cert provisioning, even in MAC
** ~it makes decisions about the specific security environment to be used (or
tested) that does not help an informed user conscientious of security, who
wants to use (or test) a specific configuration~
*Regarding the proposed "init-ssl":*
# The proposed implementation, putting CA private certs in HDFS, is a *very*
bad idea
** ~it undermines the "authority" part of the term CA. (I realize this is only
one possible way this could be implemented.)~
# The CertUtils and proposed init-ssl are attempts to make it easier for users.
I think this would better be achieved by:
** ~good documentation for how to generate and configure certs~
** ~reference existing (external) provisioning tools (like keytool, openssl,
and keytool-maven-plugin)~
** ~examples~
# init-ssl would be useful, but...
** ~if added, it can easily wrap keytool or openssl, rather than custom
provisioning code~
** ~it may be more useful to bake this in to the proposed Configurator
(ACCUMULO-780), as an additional prompt~
> Support encryption over the wire
> --------------------------------
>
> Key: ACCUMULO-1009
> URL: https://issues.apache.org/jira/browse/ACCUMULO-1009
> Project: Accumulo
> Issue Type: New Feature
> Reporter: Keith Turner
> Assignee: Michael Berman
> Fix For: 1.6.0
>
> Attachments: ACCUMULO-1009_thriftSsl.patch
>
>
> Need to support encryption between ACCUMULO clients and servers. Also need
> to encrypt communications between server and servers.
> Basically need to make it possible for users to enable SSL+thrift.