[ https://issues.apache.org/jira/browse/ACCUMULO-3622?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christopher Tubbs updated ACCUMULO-3622:
----------------------------------------
    Affects Version/s: 1.7.0
        Fix Version/s:     (was: 1.7.1)
                           (was: 1.6.3)
                           (was: 1.5.3)

Dropping older bugfix versions, since it's not a bug, and I don't want to keep 
bumping if nobody's working on a patch for those older versions when we release 
bugfixes for them.

We can revisit the question of which version to add this tool in when somebody 
steps up to do the work.

> admin tool for resetting passwords stored in ZKAuthenticator
> ------------------------------------------------------------
>
>                 Key: ACCUMULO-3622
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3622
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: zookeeper
>    Affects Versions: 1.5.0, 1.6.0, 1.7.0
>            Reporter: Sean Busbey
>            Priority: Critical
>              Labels: operations, supportability
>             Fix For: 1.8.0
>
>
> For clusters that rely on the ZKAuthenticator, we should add an admin tool 
> that will do password resets outside of the shell. The tool will need to be 
> supplied the ZK quorum, the instance-id (or name), and the instance secret.
> The main use case here is if a change management failure happens that
> results in losing the root user password.
> Currently, when users face this problem their only option is to access ZK's 
> restricted properties directly with the instance secret (via ACCUMULO-2469) 
> and then overwrite the contents of the node
> {{/accumulo/<instance id>/users/root}} with the following byte array (per
> [ZKSecurityTool|https://github.com/apache/accumulo/blob/1.6.2/server/base/src/main/java/org/apache/accumulo/server/security/handler/ZKSecurityTool.java#L87]
> for 1.6.z):
> {code}
> [8 byte salt][32 byte output of SHA-256([UTF8 bytes of password][8 byte salt])]
> {code}
> The tool should live with the other non-public-api internal tools 
> (server/base/src/main/java/org/apache/accumulo/server/util/).



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
