Customer action needed: Analytics Engine behavior change coming on 18 March 2019
  • Analytics Engine
  • Frankfurt
  • Description
    After you provision an IBM Analytics Engine server instance, you can currently use the following methods to retrieve the cluster password:
    • Use the IBM Cloud CLI
    • Use the IBM Cloud REST API
    • Use the IBM Cloud Console
    • View the credentials on the Cluster Management page in the user interface
    This information enables you to work on the cluster using the SSH protocol and the Ambari user interface or access the cluster service endpoints.

    The first three ways of obtaining the cluster service credentials and service endpoints are described in the IBM Analytics Engine documentation. To date, you are able to get the cluster password at any time using any of these methods while the cluster is active. Also, if you have forgotten the cluster password or the password is compromised, you can reset the password. To reset the password, see the documentation.

    This notice announces the deprecation of these old methods of retrieving the cluster password and describes the new and more secure methods.

    Note: You can still use the methods that were described previously to retrieve the service endpoints. The change in behavior only effects how to get the cluster password.

    How will we make your cluster more secure?
    To make your cluster more secure, in the future, the cluster credentials will not be accessible after the cluster is created. Enabling users to access the cluster credentials throughout the lifecycle of a cluster increases the security risk. To prevent malicious conduct, IBM Analytics Engine will now follow security best practices and only return the cluster credentials using the reset password API when they are requested by the user.

    What does this change mean?
    After the cluster is created, you will have access only to the service endpoints using the methods described in the previous section. Cluster credentials will not be returned. The cluster password will not be displayed on the Cluster Management page in the user interface. As a result, users who had been granted permission to view the password will not be able to see the password. You must make alternate arrangements to share the password with these users. To work on the cluster, you will need to first issue the reset password API and retrieve the password from that call. Also, if you share the cluster with other users who have view only access to the cluster password, those users will not be able to work on the cluster.

    When does this change take effect?
    This change in behavior will take effect on 18 March 2019. Until that time, the current behavior of returning the credentials with the endpoints is in a deprecated mode.

    What are the required actions?
    Here are the required actions:
    • If you use automation tools or code that retrieve the cluster password immediately after the cluster is created by using any of the methods described in the first section of this notification, you must start using the reset password API and stop using the deprecated methods. The reset password API returns the current password of the cluster.
    • If you use automation tools or code that retrieves the cluster password at any point during the lifecycle of the cluster, you must cache the password securely on your end instead of using the deprecated methods.
    • If you need to share the cluster and cluster credentials with other users, you must make alternate arrangements to share the password.
    Note: This change will apply to both your existing and new instances of IBM Analytics Engine. For existing clusters, this change does not require you to reset the cluster password. You can continue to use the current password, which means that you will not be impacted by this change in behavior.

    In general, we encourage you to follow the best practices model by keeping your clusters short-lived and stateless so that you can benefit from the evolving features that we keep adding.

    This information originated in the IBM Analytics Engine: Changes to Cluster Credential Access article within the IBM Cloud platform blog.