xvrl commented on code in PR #15481: URL: https://github.com/apache/druid/pull/15481#discussion_r1414556682
########## docs/development/extensions-core/druid-ranger-security.md: ########## 
@@ -21,24 +21,21 @@ title: "Apache Ranger Security" ~ specific language governing permissions and limitations ~ under the License. --> - + This Apache Druid extension adds an Authorizer which implements access control for Druid, backed by [Apache Ranger](https://ranger.apache.org/). Please see [Authentication and Authorization](../../operations/auth.md) for more information on the basic facilities this extension provides. Make sure to [include](../../configuration/extensions.md#loading-extensions) `druid-ranger-security` in the extensions load list. -:::info - The latest release of Apache Ranger is at the time of writing version 2.0. This version has a dependency on `log4j 1.2.17` which has a vulnerability if you configure it to use a `SocketServer` (CVE-2019-17571). Next to that, it also includes Kafka 2.0.0 which has 2 known vulnerabilities (CVE-2019-12399, CVE-2018-17196). Kafka can be used by the audit component in Ranger, but is not required.

Review Comment:
Instead of adding this disclaimer I would suggest:
- overriding the log4j dependency with reload4j to avoid getting flagged (see https://reload4j.qos.ch/). I don't think there would be anything controversial about that. I have seen it used in a variety of places.
- override Kafka with a newer version, or exclude it entirely since it's optional. Since there is a CVE and this extension hasn't really been up to date, I think it's fair to remove the dependency unless someone steps in to fix it.
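Review bot: deleting the `:::info` admonition removes the only user-facing notice of the log4j 1.2.17 (CVE-2019-17571) and Kafka 2.0.0 (CVE-2019-12399, CVE-2018-17196) exposure without putting anything in its place; unless the dependency change (reload4j override, Kafka exclusion or upgrade) lands in this same PR, keep a one-line note until it does and drop it in the commit that actually fixes the classpath. Two smaller points in the same hunk: the visible lines show `-:::info` and the removed paragraph but not the admonition's closing `:::`, so confirm that line is removed as well or the rendered page will carry a stray `:::`; and the `- +` pair at the top of the hunk reads as one blank line swapped for another, which is whitespace noise worth reverting.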

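The dependency changes xvrl proposes, written out as an added Maven illustration that is not part of the PR or of Druid's own build files; the `ranger-plugins-common` and Kafka coordinates, the `${ranger.version}` property and the reload4j version are assumptions, so check the extension's pom before reusing them:

```xml
<!-- Added example, not from the PR; artifact coordinates and versions are assumptions. -->
<dependencies>
  <dependency>
    <groupId>org.apache.ranger</groupId>
    <artifactId>ranger-plugins-common</artifactId>
    <version>${ranger.version}</version>
    <exclusions>
      <!-- log4j 1.2.17 carries CVE-2019-17571; reload4j replaces it below -->
      <exclusion>
        <groupId>log4j</groupId>
        <artifactId>log4j</artifactId>
      </exclusion>
      <!-- Kafka is only used by Ranger's optional audit sink; drop it entirely -->
      <exclusion>
        <groupId>org.apache.kafka</groupId>
        <artifactId>*</artifactId>
      </exclusion>
    </exclusions>
  </dependency>
  <!-- Drop-in fork of log4j 1.2.17 (same classes and package names) -->
  <dependency>
    <groupId>ch.qos.reload4j</groupId>
    <artifactId>reload4j</artifactId>
    <version>1.2.25</version>
  </dependency>
</dependencies>
<!-- Fail the build if log4j 1.x is ever pulled back in transitively -->
<build>
  <plugins>
    <plugin>
      <groupId>org.apache.maven.plugins</groupId>
      <artifactId>maven-enforcer-plugin</artifactId>
      <executions>
        <execution>
          <id>ban-log4j-1</id>
          <goals><goal>enforce</goal></goals>
          <configuration>
            <rules>
              <bannedDependencies>
                <excludes>
                  <exclude>log4j:log4j</exclude>
                </excludes>
              </bannedDependencies>
            </rules>
          </configuration>
        </execution>
      </executions>
    </plugin>
  </plugins>
</build>
```

`mvn dependency:tree -Dincludes=log4j:log4j,org.apache.kafka` on the extension module should then list nothing, which is the quick check that the exclusions actually took effect.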