Details
-
Improvement
-
Status: Open
-
Major
-
Resolution: Unresolved
-
None
-
None
-
None
Description
Each component should use unique system credentials, and those credentials should only be valid while a tablet server (or other component) holds a lock in zookeeper.
This behavior more accurately reflects the security model for system components, and may be able to help reduce or eliminate the possibility of multiple-assignment. It could also help prevent problems of other "half-dead" components that have lost their lock (such as a master), by adding an authentication check for the master in the tablet servers.
It's important to realize that this ticket doesn't necessarily improve security (any component with access to the configuration secret can fake it the lock ID), but it does provide additional sanity checks by authenticating individual system components, and improves the handling of failure conditions.
Attachments
Issue Links
- is related to
-
ACCUMULO-1245 firewall a bad server
-
- Resolved
-
-
-
- Resolved
-
- relates to
-
-
- Open
-