ctubbsii commented on a change in pull request #1798:
URL: https://github.com/apache/accumulo/pull/1798#discussion_r528903518
##########
File path:
server/base/src/main/java/org/apache/accumulo/server/security/handler/ZKAuthenticator.java
##########
@@ -52,6 +52,23 @@ public void initialize(ServerContext context) {
this.context = context;
zooCache = new ZooCache(context.getZooReaderWriter(), null);
ZKUserPath = Constants.ZROOT + "/" + context.getInstanceID() + "/users";
+ checkOutdatedHashes();
+ }
+
+ private void checkOutdatedHashes() {
+ try {
+ listUsers().forEach(user -> {
+ String zpath = ZKUserPath + "/" + user;
+ byte[] zkData = zooCache.get(zpath);
+ if (ZKSecurityTool.isOutdatedPass(zkData)) {
+ log.warn("Found user(s) with outdated password hash. These will be
re-hashed"
+ + " on successful authentication.");
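Review bot: the `log.warn` call sits inside the `listUsers().forEach` lambda, so it fires once for every user whose hash is outdated, yet the message is the generic "Found user(s) with outdated password hash" text and never includes `user`. The log will contain one identical line per affected account and an operator cannot tell which accounts they are. Either add `user` to the message, or collect the matching names in the loop and emit a single warning after it. Separately, the result of `zooCache.get(zpath)` is passed straight to `ZKSecurityTool.isOutdatedPass(zkData)`; it is worth confirming that method tolerates a null array, in case a user node has no data when it is read.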
Review comment:
The list of users in the server logs is okay. However, I just
realized... this method is only ever called when we're starting from an empty
user database (on initialize... or re-initialize), so there shouldn't be any
matching the old hashes anyway at the point this code is run. Or did I miss
something?
I do think maybe it would be worth the master server checking to see if any
users are using the old hashing, and listing them in the server logs on
startup, as an upgrade warning. In future, we can turn that into an upgrade
blocker (so we can eventually drop the code that supports reading the old
hashes).