[GitHub] [accumulo] EdColeman commented on pull request #2215: WIP: Remove the use of SiteConfiguration from FateCommand

[GitBox <gi...@apache.org>]

EdColeman commented on pull request #2215:
URL: https://github.com/apache/accumulo/pull/2215#issuecomment-887926761


   These are general questions - rather than comment on the code that triggered the question for me, it seems better to just raise them in general.
   
   Would it be possible to replace passing the secret and instead use the authentication of the user that launched the shell?  Depending on granted user permissions, it may be desirable to permit certain FATE command options like print and dump to a wider group than fail or delete.  FATE fail or delete should require "root" access, but other operators would have valid use of print or dump to examine system state. This would enable more restrictive access policies for operations that change system state versus operations that examine the system state on a users granted permissions rather than needing the secret.  One down side of this approach could what is needed to perform the authentication - FATE fail requires the global lock which implies that a manager processes is not going to be available.
   
   If the client authorization cannot be used, wondering if it would be better to use char[] or a byte array instead of a string? Even better would be if the hashed digest value derived from the secret was used in the methods. If this is mirroring other places in the code, then maybe as a follow on issue as a general improvement in password best practices.
   
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: notifications-unsubscribe@accumulo.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org