Uploaded image for project: 'Accumulo'
  1. Accumulo
  2. ACCUMULO-3622

admin tool for reseting passwords stored in ZKAuthenticator

    XMLWordPrintableJSON

Details

    • Improvement
    • Status: Resolved
    • Critical
    • Resolution: Won't Fix
    • 1.5.0, 1.6.0, 1.7.0
    • None
    • zookeeper

    Description

      For clusters that rely on the ZKAuthenticator, we should add an admin tool that will do password resets outside of the shell. The tool will need to be supplied the ZK quorum, the instance-id (or name), and the instance secret.

      The main use case here is should a change management failure happen that results in losing the root user password.

      Currently, when users face this problem their only option is to access ZK's restricted properties directly with the instance secret (via ACCUMULO-2469) and then overwrite the contents of the node /accumulo/<instance id>/users/root with the following byte array (per ZKSecurityTool for 1.6.z):

      [8 byte salt][32 byte output of SHA-256([UTF8 bytes of password][8 byte salt])]

      The tool should live with the other non-public-api internal tools (server/base/src/main/java/org/apache/accumulo/server/util/).

      Attachments

        Issue Links

          is related to

          Improvement - An improvement or enhancement to an existing feature or task. ACCUMULO-3694 Include root password recovery steps in docs

          • Minor - Minor loss of function, or other problem where easy workaround is present.
          • Resolved

          Activity

            People

              Unassigned Unassigned
              busbey Sean Busbey
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: