[
https://issues.apache.org/jira/browse/OOZIE-1608?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13837217#comment-13837217
]
Robert Kanter commented on OOZIE-1608:
--------------------------------------
Until this is resolved, {{TestZKUtilsWithSecurity}} will fail with the
following error:
{noformat}
-------------------------------------------------------------------------------
Test set: org.apache.oozie.util.TestZKUtilsWithSecurity
-------------------------------------------------------------------------------
Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 29.516 sec <<< FAILURE!
testNewUsingACLs(org.apache.oozie.util.TestZKUtilsWithSecurity) Time elapsed: 0.011 sec <<< FAILURE!
junit.framework.ComparisonFailure: expected:<[sasl]> but was:<[world]>
at junit.framework.Assert.assertEquals(Assert.java:85)
at junit.framework.Assert.assertEquals(Assert.java:91)
at org.apache.oozie.util.TestZKUtilsWithSecurity.testNewUsingACLs(TestZKUtilsWithSecurity.java:163)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at junit.framework.TestCase.runTest(TestCase.java:168)
at junit.framework.TestCase.runBare(TestCase.java:134)
at junit.framework.TestResult$1.protect(TestResult.java:110)
at junit.framework.TestResult.runProtected(TestResult.java:128)
at junit.framework.TestResult.run(TestResult.java:113)
at junit.framework.TestCase.run(TestCase.java:124)
at junit.framework.TestSuite.runTest(TestSuite.java:243)
at junit.framework.TestSuite.run(TestSuite.java:238)
at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:83)
at org.apache.maven.surefire.junitcore.ClassDemarcatingRunner.run(ClassDemarcatingRunner.java:58)
at org.junit.runners.Suite.runChild(Suite.java:128)
at org.junit.runners.Suite.runChild(Suite.java:24)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:231)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:695)
{noformat}
However, it is excluded by default for other reasons anyway, so it should at
least not affect test-patch for now. As part of resolving this, it would be
good to update test-patch/Jenkins to run {{TestZKUtilsWithSecurity}} as well
(but separately in its own JVM).
> Update Curator to 2.3.1 when it's available to fix security hole
> ----------------------------------------------------------------
>
> Key: OOZIE-1608
> URL: https://issues.apache.org/jira/browse/OOZIE-1608
> Project: Oozie
> Issue Type: Bug
> Components: HA, security
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Blocker
>
> As I discovered when working on OOZIE-1491, there is a Curator bug
> (CURATOR-58) without which the ZooKeeper locks will always have world ACLs
> even with Kerberos enabled. This could allow a malicious user to acquire one
> of the locks and never release it, thus preventing Oozie from continuing to
> process the job associated with that lock.
> I've verified that CURATOR-58 fixes the problem, and the locks have the
> correct "sasl" ACLs, but it won't be available until Curator 2.3.1 is
> released. We should make sure to update to Curator 2.3.1 as soon as possible
> to fix this security hole.
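An operational version of the check the failing test makes (expected "sasl", got "world"), added here as an example and not taken from the issue, Oozie or Curator: it parses the text that ZooKeeper's `zkCli.sh` prints for `getAcl` and reports znodes that still carry a mutating `world` ACL or lack a `sasl` entry. The znode paths and the `oozie` principal are constructed sample values, not Oozie's real lock layout.

```python
import re

# One ACL entry as printed by zkCli.sh `getAcl`:
#   'scheme,'id
#   : perms
ENTRY_RE = re.compile(
    r"^'(?P<scheme>[^,]+),'(?P<id>.*)\n: (?P<perms>[cdrwa]+)$", re.MULTILINE
)

# Permissions that let a client change or take over a znode:
# create, delete, write, admin. Read alone ('r') is not flagged.
MUTATING = set("cdwa")


def parse_getacl(output):
    """Return [(scheme, id, perms), ...] from raw `getAcl` output."""
    return [(m["scheme"], m["id"], m["perms"]) for m in ENTRY_RE.finditer(output)]


def audit(acl_dump, expected_scheme="sasl"):
    """Map each problematic path to the list of reasons it was flagged."""
    findings = {}
    for path, output in sorted(acl_dump.items()):
        entries = parse_getacl(output)
        reasons = []
        for scheme, ident, perms in entries:
            if scheme == "world" and MUTATING & set(perms):
                reasons.append(f"world:{ident} has {perms}")
        if not any(scheme == expected_scheme for scheme, _, _ in entries):
            reasons.append(f"no {expected_scheme} entry")
        if reasons:
            findings[path] = reasons
    return findings


# Constructed sample: hypothetical lock paths with captured getAcl output.
SAMPLE = {
    "/example/locks/job-A": "'world,'anyone\n: cdrwa\n",                 # open to everyone
    "/example/locks/job-B": "'sasl,'oozie\n: cdrwa\n",                   # intended state
    "/example/locks/job-C": "'world,'anyone\n: r\n'sasl,'oozie\n: cdrwa\n",
}

if __name__ == "__main__":
    for path, reasons in audit(SAMPLE).items():
        print(path, "->", "; ".join(reasons))
```
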