Posted to notifications@accumulo.apache.org by "Christopher Tubbs (JIRA)" <ji...@apache.org> on 2019/04/23 19:12:00 UTC

[jira] [Resolved] (ACCUMULO-3622) admin tool for resetting passwords stored in ZKAuthenticator

     [ https://issues.apache.org/jira/browse/ACCUMULO-3622?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Christopher Tubbs resolved ACCUMULO-3622.
-----------------------------------------
       Resolution: Won't Fix
    Fix Version/s:     (was: 2.0.0)

The current behavior of {{accumulo init --reset-security}} is to lock down the entire cluster, in the situation where the root user's credentials are lost. Other tools can be used to back up ZooKeeper itself. So, there's at least some solution to reset, without loss (understandably, not very convenient).

If somebody is interested in picking this up, please open a new issue on https://github.com/apache/accumulo/issues

> admin tool for resetting passwords stored in ZKAuthenticator
> ------------------------------------------------------------
>
>                 Key: ACCUMULO-3622
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3622
>             Project: Accumulo
>          Issue Type: Improvement
>          Components: zookeeper
>    Affects Versions: 1.5.0, 1.6.0, 1.7.0
>            Reporter: Sean Busbey
>            Priority: Critical
>              Labels: operations, supportability
>
> For clusters that rely on the ZKAuthenticator, we should add an admin tool that will do password resets outside of the shell. The tool will need to be supplied the ZK quorum, the instance-id (or name), and the instance secret.
> The main use case here is should a change management failure happen that results in losing the root user password.
> Currently, when users face this problem their only option is to access ZK's restricted properties directly with the instance secret (via ACCUMULO-2469) and then overwrite the contents of the node {{/accumulo/<instance id>/users/root}} with the following byte array (per [ZKSecurityTool|https://github.com/apache/accumulo/blob/1.6.2/server/base/src/main/java/org/apache/accumulo/server/security/handler/ZKSecurityTool.java#L87] for 1.6.z):
> {code}
> [8 byte salt][32 byte output of SHA-256([UTF8 bytes of password][8 byte salt])]
> {code}
> The tool should live with the other non-public-api internal tools (server/base/src/main/java/org/apache/accumulo/server/util/).



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
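
The byte layout quoted in the issue description for 1.6.z, [8 byte salt][32 byte SHA-256(password + salt)], as an added example that is not part of the original message and is not Accumulo's code. The class and method names are hypothetical and only the JDK is used; it builds the 40-byte value and checks a candidate password against one, without touching ZooKeeper.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;

// Added example: class and method names are hypothetical, not Accumulo's.
public class ZkPasswordRecord {
  static final int SALT_LEN = 8;   // [8 byte salt]
  static final int HASH_LEN = 32;  // [32 byte output of SHA-256]

  // SHA-256([UTF8 bytes of password][8 byte salt])
  static byte[] hash(byte[] password, byte[] salt) throws NoSuchAlgorithmException {
    MessageDigest md = MessageDigest.getInstance("SHA-256");
    md.update(password);
    md.update(salt);
    return md.digest();
  }

  // Build the 40-byte node value: a fresh random salt followed by the salted hash.
  static byte[] create(String password) throws NoSuchAlgorithmException {
    byte[] salt = new byte[SALT_LEN];
    new SecureRandom().nextBytes(salt);
    byte[] digest = hash(password.getBytes(StandardCharsets.UTF_8), salt);
    byte[] record = new byte[SALT_LEN + HASH_LEN];
    System.arraycopy(salt, 0, record, 0, SALT_LEN);
    System.arraycopy(digest, 0, record, SALT_LEN, HASH_LEN);
    return record;
  }

  // Check a candidate password against a stored node value.
  static boolean matches(String password, byte[] record) throws NoSuchAlgorithmException {
    if (record == null || record.length != SALT_LEN + HASH_LEN) {
      return false; // truncated or wrong-format value
    }
    byte[] salt = Arrays.copyOfRange(record, 0, SALT_LEN);
    byte[] stored = Arrays.copyOfRange(record, SALT_LEN, record.length);
    byte[] computed = hash(password.getBytes(StandardCharsets.UTF_8), salt);
    return MessageDigest.isEqual(stored, computed); // constant-time comparison
  }

  public static void main(String[] args) throws Exception {
    byte[] record = create("constructed-sample-password"); // constructed sample input
    System.out.println("record length: " + record.length);
    System.out.println("correct password matches: " + matches("constructed-sample-password", record));
    System.out.println("wrong password matches: " + matches("other", record));
  }
}
```

Because this is a single salted SHA-256 round rather than a slow password-hashing function, anyone who can read the node can test guesses quickly, so read access to it matters as much as write access.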