Robert Kanter created OOZIE-1608:
------------------------------------
Summary: Update Curator to 2.3.1 when its available to fix
security hole
Key: OOZIE-1608
URL: https://issues.apache.org/jira/browse/OOZIE-1608
Project: Oozie
Issue Type: Bug
Components: HA, security
Affects Versions: trunk
Reporter: Robert Kanter
Assignee: Robert Kanter
Priority: Blocker
As I discovered when working on OOZIE-1491, there is a Curator bug (CURATOR-58)
without which the ZooKeeper locks will always have world ACLs even with
Kerberos enabled. This could allow a malicious user to acquire one of the
locks and never release it, thus preventing Oozie from continuing to process
the job associated with that lock.
I've verified that CURATOR-58 fixes the problem, and the locks have the correct
"sasl" ACLs, but it won't be available until Curator 2.3.1 is released. We
should make sure to update to Curator 2.3.1 as soon as possible to fix this
security hole.
--
This message was sent by Atlassian JIRA
(v6.1#6144)
