Sean Busbey created ACCUMULO-3622:
-------------------------------------
Summary: admin tool for reseting passwords stored in
ZKAuthenticator
Key: ACCUMULO-3622
URL: https://issues.apache.org/jira/browse/ACCUMULO-3622
Project: Accumulo
Issue Type: Improvement
Components: zookeeper
Affects Versions: 1.6.0, 1.5.0
Reporter: Sean Busbey
Priority: Critical
Fix For: 1.5.3, 1.7.0, 1.6.3
For clusters that rely on the ZKAuthenticator, we should add an admin tool that
will do password resets outside of the shell. The tool will need to be supplied
the ZK quorum, the instance-id (or name), and the instance secret.
The main use case here is should a change management failure happen that
results in losing the root user password.
Currently, when users face this problem their only option is to access ZK's
restricted properties directly with the instance secret (via ACCUMULO-2469) and
then overwrite the contents of the node {{/accumulo/<instance id>/users/root}}
with the following byte array (per
[ZKSecurityTool|https://github.com/apache/accumulo/blob/1.6.2/server/base/src/main/java/org/apache/accumulo/server/security/handler/ZKSecurityTool.java#L87]
for 1.6.z):
{code}
[8 byte salt][32 byte output of SHA-256([UTF8 bytes of password][8 byte salt])]
{code}
The tool should live with the other non-public-api internal tools
(server/base/src/main/java/org/apache/accumulo/server/util/).
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
