This is an automated email from the ASF dual-hosted git repository.
xvrl pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/druid.git
The following commit(s) were added to refs/heads/master by this push:
new f4856bc1c1d ranger-security: exclude jackson-jaxrs from + fix outdated
documentation (#15481)
f4856bc1c1d is described below
commit f4856bc1c1d96e080bcfbb3b8d869598b3802522
Author: Jan Werner <[email protected]>
AuthorDate: Tue Dec 5 11:24:37 2023 -0500
ranger-security: exclude jackson-jaxrs from + fix outdated documentation
(#15481)
* Excluding jackson-jaxrs dependency from ranger-plugin-common to address
CVE regression introduced by ranger-upgrade: CVE-2019-10202, CVE-2019-10172
* remove the reference to outdated ranger 2.0 from the docs
---------
Co-authored-by: Xavier Léauté <[email protected]>
---
docs/development/extensions-core/druid-ranger-security.md | 11 ++++-------
extensions-core/druid-ranger-security/pom.xml | 7 +++++++
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/docs/development/extensions-core/druid-ranger-security.md
b/docs/development/extensions-core/druid-ranger-security.md
index a78e2efd45a..502358f801f 100644
--- a/docs/development/extensions-core/druid-ranger-security.md
+++ b/docs/development/extensions-core/druid-ranger-security.md
@@ -21,24 +21,21 @@ title: "Apache Ranger Security"
~ specific language governing permissions and limitations
~ under the License.
-->
-
+
This Apache Druid extension adds an Authorizer which implements access control
for Druid, backed by [Apache Ranger](https://ranger.apache.org/). Please see
[Authentication and Authorization](../../operations/auth.md) for more
information on the basic facilities this extension provides.
Make sure to [include](../../configuration/extensions.md#loading-extensions)
`druid-ranger-security` in the extensions load list.
-:::info
- The latest release of Apache Ranger is at the time of writing version 2.0.
This version has a dependency on `log4j 1.2.17` which has a vulnerability if
you configure it to use a `SocketServer` (CVE-2019-17571). Next to that, it
also includes Kafka 2.0.0 which has 2 known vulnerabilities (CVE-2019-12399,
CVE-2018-17196). Kafka can be used by the audit component in Ranger, but is not
required.
-:::
## Configuration
-Support for Apache Ranger authorization consists of three elements:
+Support for Apache Ranger authorization consists of three elements:
* configuring the extension in Apache Druid
* configuring the connection to Apache Ranger
* providing the service definition for Druid to Apache Ranger
-
+
### Enabling the extension
-Ensure that you have a valid authenticator chain and escalator set in your
`common.runtime.properties`. For every authenticator your wish to use the
authorizer for, set
`druid.auth.authenticator.<authenticatorName>.authorizerName` to the name you
will give the authorizer, e.g. `ranger`.
+Ensure that you have a valid authenticator chain and escalator set in your
`common.runtime.properties`. For every authenticator your wish to use the
authorizer for, set
`druid.auth.authenticator.<authenticatorName>.authorizerName` to the name you
will give the authorizer, e.g. `ranger`.
Then add the following and amend to your needs (in case you need to use
multiple authorizers):
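Review bot: the `-Ensure ... / +Ensure ...` paragraph is re-added with the same wording, so the typo "For every authenticator your wish to use the authorizer for" survives; since the line is being touched anyway, change it to "For every authenticator you wish to use the authorizer for". Separately, dropping the whole `:::info` block removes the only statement of which Ranger version the extension targets and the note that Kafka is optional for the audit component; rather than deleting the guidance outright, consider replacing it with a one-line note naming the Ranger version the extension is now built against, so operators can check their own deployment against it.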
diff --git a/extensions-core/druid-ranger-security/pom.xml
b/extensions-core/druid-ranger-security/pom.xml
index 4b75eaa530d..e9dfc6502bc 100644
--- a/extensions-core/druid-ranger-security/pom.xml
+++ b/extensions-core/druid-ranger-security/pom.xml
@@ -160,6 +160,13 @@
<groupId>org.elasticsearch.plugin</groupId>
<artifactId>*</artifactId>
</exclusion>
+ <!-- excluding to address CVE-2019-10202, CVE-2019-10172 in
jackson-jaxrs 1.9.x
+ jackson-jaxrs is used by ranger-plugins accessing
+ RangerRESTClient class. This should not be needed in an
authorizer -->
+ <exclusion>
+ <groupId>org.codehaus.jackson</groupId>
+ <artifactId>jackson-jaxrs</artifactId>
+ </exclusion>
</exclusions>
</dependency>
<dependency>
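Review bot: the justification comment asserts that jackson-jaxrs "should not be needed in an authorizer", but nothing in the hunk shows that the `RangerRESTClient` path the comment itself names does not load the excluded classes when the plugin refreshes policies from Ranger Admin; a missing transitive class only surfaces at runtime as a NoClassDefFoundError, so please state in the comment (or in the PR) how this was verified, e.g. by an integration run against a Ranger Admin with policy refresh enabled. Also confirm with `mvn dependency:tree` that `org.codehaus.jackson:jackson-jaxrs` 1.9.x is not still pulled in through another artifact of the same `<dependency>` tree, otherwise the CVE-2019-10202 / CVE-2019-10172 exposure remains despite the exclusion; the `<dependency>` whose `<exclusions>` this is added to is outside the visible context, so naming it in the comment ("excluded from ranger-plugins-common") would help future readers.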