[ 
https://issues.apache.org/jira/browse/ACCUMULO-3622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14338442#comment-14338442
 ] 

Sean Busbey commented on ACCUMULO-3622:
---------------------------------------

{{accumulo init --reset-security}} won't work for this. It deletes all users, 
not just the root user.

{code}
[busbey@gateway ~]$ /usr/lib/accumulo/bin/accumulo shell -u root
Password: ********

Shell - Apache Accumulo Interactive Shell
- 
- version: 1.7.0-SNAPSHOT
- instance name: dedicated
- instance id: 98b4f38d-c792-4ad3-b1d0-bdb119fb47f7
- 
- type 'help' for a list of available commands
- 
root@dedicated> createuser example_user
2015-02-26 06:14:57,271 [Shell.audit] INFO : root@dedicated> createuser example_user
Enter new password for 'example_user': ******
Please confirm new password for 'example_user': ******
root@dedicated> createuser some_other_user
2015-02-26 06:15:06,862 [Shell.audit] INFO : root@dedicated> createuser some_other_user
Enter new password for 'some_other_user': ******
Please confirm new password for 'some_other_user': ******
root@dedicated> users
2015-02-26 06:15:13,605 [Shell.audit] INFO : root@dedicated> users
some_other_user
root
example_user
root@dedicated> exit
2015-02-26 06:15:15,974 [Shell.audit] INFO : root@dedicated> exit
[busbey@a1021 ~]$ /usr/lib/accumulo/bin/accumulo init --reset-security
Enter initial password for root (this may not be applicable for your security setup): ********
Confirm initial password for root: ********
2015-02-26 06:15:37,008 [conf.AccumuloConfiguration] INFO : Loaded class : org.apache.accumulo.server.security.handler.ZKAuthorizor
2015-02-26 06:15:37,010 [conf.AccumuloConfiguration] INFO : Loaded class : org.apache.accumulo.server.security.handler.ZKAuthenticator
2015-02-26 06:15:37,013 [conf.AccumuloConfiguration] INFO : Loaded class : org.apache.accumulo.server.security.handler.ZKPermHandler
2015-02-26 06:15:37,307 [handler.ZKAuthenticator] INFO : Removed /accumulo/98b4f38d-c792-4ad3-b1d0-bdb119fb47f7/users/ from zookeeper
[busbey@a1021 ~]$ /usr/lib/accumulo/bin/accumulo shell -u root
Password: ********

Shell - Apache Accumulo Interactive Shell
- 
- version: 1.7.0-SNAPSHOT
- instance name: dedicated
- instance id: 98b4f38d-c792-4ad3-b1d0-bdb119fb47f7
- 
- type 'help' for a list of available commands
- 
root@dedicated> users
2015-02-26 06:15:52,500 [Shell.audit] INFO : root@dedicated> users
root
root@dedicated> 
{code}

> admin tool for resetting passwords stored in ZKAuthenticator
> ------------------------------------------------------------
>
>                 Key: ACCUMULO-3622
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3622
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: zookeeper
>    Affects Versions: 1.5.0, 1.6.0
>            Reporter: Sean Busbey
>            Priority: Critical
>              Labels: operations, supportability
>             Fix For: 1.5.3, 1.7.0, 1.6.3
>
>
> For clusters that rely on the ZKAuthenticator, we should add an admin tool 
> that will do password resets outside of the shell. The tool will need to be 
> supplied the ZK quorum, the instance-id (or name), and the instance secret.
> The main use case here is should a change management failure happen that 
> results in losing the root user password.
> Currently, when users face this problem their only option is to access ZK's 
> restricted properties directly with the instance secret (via ACCUMULO-2469) 
> and then overwrite the contents of the node 
> {{/accumulo/<instance id>/users/root}} with the following byte array (per 
> [ZKSecurityTool|https://github.com/apache/accumulo/blob/1.6.2/server/base/src/main/java/org/apache/accumulo/server/security/handler/ZKSecurityTool.java#L87] 
> for 1.6.z):
> {code}
> [8 byte salt][32 byte output of SHA-256([UTF8 bytes of password][8 byte salt])]
> {code}
> The tool should live with the other non-public-api internal tools 
> (server/base/src/main/java/org/apache/accumulo/server/util/).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
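
The node layout quoted in the issue description above, worked through as an added example (not part of the original message and not Accumulo's own code): it builds the 40-byte value, parses it back, and checks a candidate password against it before any node is overwritten. The function names are hypothetical, the layout is the one the issue gives for 1.6.z, and nothing here talks to ZooKeeper.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 8     # "[8 byte salt]" per the issue description
DIGEST_LEN = 32  # SHA-256 output size


def encode_password_node(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || SHA-256(UTF-8 password || salt)."""
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for a new password
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    digest = hashlib.sha256(password.encode("utf-8") + salt).digest()
    return salt + digest


def parse_password_node(node: bytes) -> Tuple[bytes, bytes]:
    """Split a stored value into (salt, digest), rejecting any other length."""
    if len(node) != SALT_LEN + DIGEST_LEN:
        raise ValueError("expected %d bytes, got %d"
                         % (SALT_LEN + DIGEST_LEN, len(node)))
    return node[:SALT_LEN], node[SALT_LEN:]


def check_password(node: bytes, candidate: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, stored = parse_password_node(node)
    computed = hashlib.sha256(candidate.encode("utf-8") + salt).digest()
    return hmac.compare_digest(stored, computed)


if __name__ == "__main__":
    # Constructed sample password; verify the round trip before writing anything.
    node = encode_password_node("constructed-sample-password")
    print(len(node), check_password(node, "constructed-sample-password"))
```

Running the round-trip check on the generated bytes before replacing the contents of the users node catches a wrong concatenation order or a truncated value while the old node is still intact.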
