IBM Analytics Engine: Changes to methods for retrieval of cluster credentials
Currently, after you have provisioned an IBM Analytics Engine server instance, you can use the following methods to retrieve the cluster password to enable working on the cluster using the SSH protocol and the Ambari UI, or to access the cluster service endpoints:
- Use the IBM Cloud CLI
- Use the IBM Cloud REST API
- Use the IBM Cloud console
- View the credentials on the Cluster Management page in the UI
The first three ways of obtaining the cluster service credentials and service endpoints are described in the IBM Analytics Engine documentation. To date, you have been able to get the cluster password at any time using any of these methods while the cluster is active. Also, if you have forgotten the cluster password or the password is compromised, you can reset the password.
This notice announces the deprecation of these old methods of retrieving the cluster password and describes the new, more secure method to use going forward.
Note that you can still use the methods described above to retrieve the service endpoints. The change in behavior only affects how you get the cluster password.
Making your cluster more secure
To make your cluster more secure, in the future, the cluster credentials will not be accessible after the cluster is created. Enabling users to access the cluster credentials throughout the lifecycle of a cluster increases the security risk. To prevent malicious conduct, IBM Analytics Engine will now follow security best practices and only return the cluster credentials via the reset password API when requested by the user.
What this means
After the cluster is created, you will have access only to the service endpoints using the methods described in the previous section. No cluster credentials will be returned.
The cluster password will not be displayed on the Cluster Management page in the UI. This means that users who had been granted permission to view the password will no longer see the password. You must make alternate arrangements to share the password with these users.
To work on the cluster, you will first need to call the reset password API and retrieve the password from the response to that call.
This also means that if you share the service instance with other users by granting Viewer IAM access permissions, then those users will not be able to work on the cluster unless you share the password with them.
Timeframe for this change to take effect
This change in behavior will take effect on March 18, 2019. Until that time, the current behavior of returning the credentials with the endpoints is in deprecated mode.
If you use automation tools or code that retrieve the cluster password immediately after the cluster was created by using any of the methods described in the first section of this post, you must start using the reset password API and stop using the deprecated methods. The reset password API returns the newly reset password of the cluster.
If you use automation tools or code that retrieve the cluster password at any point during the lifecycle of the cluster, you must cache the password securely at your end instead of using the deprecated methods.
If you need to share the cluster and cluster credentials with other users, make alternate arrangements to share the password.
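The reset-then-cache pattern described above for automation, as an added example that is not IBM's code: the password is reset only when nothing is cached, then kept in an owner-only file and reused. `reset_password` is a hypothetical callable that you supply to perform the reset password API call and return the new password; the cache path and JSON layout are also assumptions.

```python
import json
import os
import stat
import tempfile


def store_password(cache_path, password):
    """Write the password atomically to a file only the owner can read."""
    directory = os.path.dirname(os.path.abspath(cache_path))
    # mkstemp creates the file with mode 0600, so the secret is never
    # readable by group or others, even before the rename.
    fd, tmp_path = tempfile.mkstemp(dir=directory)
    try:
        with os.fdopen(fd, "w") as handle:
            json.dump({"password": password}, handle)
        os.replace(tmp_path, cache_path)  # atomic swap into place
    except BaseException:
        os.unlink(tmp_path)
        raise


def load_password(cache_path):
    """Return the cached password, or None if there is no cache file."""
    try:
        info = os.stat(cache_path)
    except FileNotFoundError:
        return None
    # Refuse a cache whose permissions were loosened after it was written.
    if info.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{cache_path} is accessible to group or others")
    with open(cache_path) as handle:
        return json.load(handle)["password"]


def get_cluster_password(cache_path, reset_password):
    """Reuse the cached password; call the reset API only when nothing is cached.

    reset_password is a caller-supplied (hypothetical) function. Each reset
    returns a newly reset password, so it is called once, not on every run.
    """
    cached = load_password(cache_path)
    if cached is not None:
        return cached
    password = reset_password()
    store_password(cache_path, password)
    return password
```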
Note: This change will apply to both your existing and new instances of IBM Analytics Engine. For existing clusters, it does not require resetting the cluster password. You can continue to use the current password, meaning you will not be impacted by this change in behavior.
In general, we encourage you to follow the best practices model by keeping your clusters short-lived and stateless so that you can benefit from the evolving features that we keep adding.
Please reach out to customer support if you have any questions.