[ 
https://issues.apache.org/jira/browse/ACCUMULO-3622?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14395468#comment-14395468
 ] 

Josh Elser commented on ACCUMULO-3622:
--------------------------------------

Not sure about how semver would (or would not) support this in older versions. 
Leaving fixVersion for the older versions for now.

> admin tool for resetting passwords stored in ZKAuthenticator
> ------------------------------------------------------------
>
>                 Key: ACCUMULO-3622
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3622
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: zookeeper
>    Affects Versions: 1.5.0, 1.6.0
>            Reporter: Sean Busbey
>            Priority: Critical
>              Labels: operations, supportability
>             Fix For: 1.5.3, 1.6.3, 1.8.0, 1.7.1
>
>
> For clusters that rely on the ZKAuthenticator, we should add an admin tool 
> that will do password resets outside of the shell. The tool will need to be 
> supplied the ZK quorum, the instance-id (or name), and the instance secret.
> The main use case here is a change management failure that results in
> losing the root user password.
> Currently, when users face this problem their only option is to access ZK's 
> restricted properties directly with the instance secret (via ACCUMULO-2469) 
> and then overwrite the contents of the node
> {{/accumulo/<instance id>/users/root}} with the following byte array (per
> [ZKSecurityTool|https://github.com/apache/accumulo/blob/1.6.2/server/base/src/main/java/org/apache/accumulo/server/security/handler/ZKSecurityTool.java#L87]
> for 1.6.z):
> {code}
> [8 byte salt][32 byte output of SHA-256([UTF8 bytes of password][8 byte salt])]
> {code}
> The tool should live with the other non-public-api internal tools 
> (server/base/src/main/java/org/apache/accumulo/server/util/).
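
The byte layout quoted in the issue description, as an added example that is not part of the original message and is not Accumulo's own code: it builds the 40-byte value for a new password and checks an existing value against a candidate password. The function names and the sample password are hypothetical and constructed for illustration; the layout is taken from the issue text (stated there for 1.6.z), and the example does not talk to ZooKeeper.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

SALT_LEN = 8     # "[8 byte salt]" in the layout quoted in the issue
DIGEST_LEN = 32  # SHA-256 output size


def _digest(password: str, salt: bytes) -> bytes:
    # SHA-256 over the UTF-8 password bytes followed by the salt.
    return hashlib.sha256(password.encode("utf-8") + salt).digest()


def build_entry(password: str, salt: Optional[bytes] = None) -> bytes:
    """Return salt || SHA-256(password || salt), 40 bytes in total."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)  # fresh random salt per reset
    if len(salt) != SALT_LEN:
        raise ValueError("salt must be exactly %d bytes" % SALT_LEN)
    return salt + _digest(password, salt)


def split_entry(blob: bytes) -> Tuple[bytes, bytes]:
    """Split a stored value into (salt, digest), rejecting other lengths."""
    if len(blob) != SALT_LEN + DIGEST_LEN:
        raise ValueError("expected %d bytes, got %d"
                         % (SALT_LEN + DIGEST_LEN, len(blob)))
    return blob[:SALT_LEN], blob[SALT_LEN:]


def check_entry(blob: bytes, password: str) -> bool:
    """True if the stored value matches the candidate password."""
    salt, stored = split_entry(blob)
    # Constant-time comparison of the stored and recomputed digests.
    return hmac.compare_digest(stored, _digest(password, salt))


if __name__ == "__main__":
    entry = build_entry("constructed-example-password")
    print(len(entry), entry.hex())
    print(check_entry(entry, "constructed-example-password"))
```

Running `check_entry` against the value read back from the node after a reset confirms the write used the expected layout before anyone tries to log in with the new password.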


