[ https://issues.apache.org/jira/browse/ACCUMULO-1009?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13771958#comment-13771958 ]

Alex Moundalexis commented on ACCUMULO-1009:
--------------------------------------------

I'll throw in my $0.02; in short, resist the temptation to handle certificate 
provisioning. 

If provisioning is included, it becomes a type of one-off product that:
* does its own thing
* has to be maintained
* security/admin folks have to address separately as a one-off

When key/truststores can be reused between services, it makes the life of the 
admin a lot easier. For users that require encryption in transit, certificates are 
typically well understood and tooling exists to generate and provision. That 
being said, trying to shoehorn those certs into an internally-provisioned piece 
is usually kludgy at best.

I see "accumulo init" as a case where steps -- though complicated -- are going 
to be identical across users and are required to get the thing up and running, 
whereas the generation of certificates is going to vary a bit and is still 
optional.

I'm fairly new to Accumulo, but I've spent a good chunk of time supporting 
other systems requiring encryption in-transit.

                
> Support encryption over the wire
> --------------------------------
>
>                 Key: ACCUMULO-1009
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-1009
>             Project: Accumulo
>          Issue Type: New Feature
>            Reporter: Keith Turner
>            Assignee: Michael Berman
>             Fix For: 1.6.0
>
>         Attachments: ACCUMULO-1009_thriftSsl.patch
>
>
> Need to support encryption between ACCUMULO clients and servers.  Also need 
> to encrypt communications between server and servers.   
> Basically need to make it possible for users to enable SSL+thrift.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
