[ https://issues.apache.org/jira/browse/ACCUMULO-2464?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14044926#comment-14044926 ]
Josh Elser commented on ACCUMULO-2464:
--------------------------------------
Looks like HADOOP-10607 would be what we want to use. Still waiting on a patch
to be applied to branch-2 which means we'll be waiting for that to be released
before we can use it.
> Trace user password required in plaintext in accumulo-site.xml
> --------------------------------------------------------------
>
> Key: ACCUMULO-2464
> URL: https://issues.apache.org/jira/browse/ACCUMULO-2464
> Project: Accumulo
> Issue Type: Improvement
> Components: trace
> Affects Versions: 1.5.1
> Reporter: Josh Elser
> Assignee: Josh Elser
> Fix For: 1.5.2, 1.6.1, 1.7.0
>
>
> The {{trace.password}} property is used by the Tracer to authenticate with
> Accumulo and persist the traces in the trace table. Presently, this is
> required to be in plaintext which is rather sub-par, but has been overlooked
> mostly because that password is for an isolated user account which shouldn't
> have access to any sensitive data.
>
> I'm thinking of the following: provide some new storage in ZK akin to the acl
> + salt that's currently done for the passwd db and instance.secret (with a
> new secret for this, of course)
>
> Another option might be to provide a hashing command that will hash the
> password, store that instead of the plaintext, and then use the hash with a
> salt to authenticate (not exposing the hash-authentication method to users).
> Not sure how I feel about that.
>
> Leveraging some BCrypt library might be nice too (if there's an ASF license
> compatible lib somewhere).