[jira] [Updated] (OOZIE-1608) Update Curator to 2.4.0 when its available to fix security hole

Fri, 03 Jan 2014 11:29:00 -0800 

     [ 
https://issues.apache.org/jira/browse/OOZIE-1608?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Robert Kanter updated OOZIE-1608:
---------------------------------

    Description: 
As I discovered when working on OOZIE-1491, there is a Curator bug (CURATOR-58) 
without which the ZooKeeper locks will always have world ACLs even with 
Kerberos enabled.  This could allow a malicious user to acquire one of the 
locks and never release it, thus preventing Oozie from continuing to process 
the job associated with that lock.  

I've verified that CURATOR-58 fixes the problem, and the locks have the correct 
"sasl" ACLs, but it won't be available until Curator 2.4.0 is released.  We 
should make sure to update to Curator 2.4.0 as soon as possible to fix this 
security hole.

  was:
As I discovered when working on OOZIE-1491, there is a Curator bug (CURATOR-58) 
without which the ZooKeeper locks will always have world ACLs even with 
Kerberos enabled.  This could allow a malicious user to acquire one of the 
locks and never release it, thus preventing Oozie from continuing to process 
the job associated with that lock.  

I've verified that CURATOR-58 fixes the problem, and the locks have the correct 
"sasl" ACLs, but it won't be available until Curator 2.3.1 is released.  We 
should make sure to update to Curator 2.3.1 as soon as possible to fix this 
security hole.

        Summary: Update Curator to 2.4.0 when its available to fix security 
hole  (was: Update Curator to 2.3.1 when its available to fix security hole)

Updating description because it they renamed Curator 2.3.1 to 2.4.0

> Update Curator to 2.4.0 when its available to fix security hole
> ---------------------------------------------------------------
>
>                 Key: OOZIE-1608
>                 URL: https://issues.apache.org/jira/browse/OOZIE-1608
>             Project: Oozie
>          Issue Type: Bug
>          Components: HA, security
>    Affects Versions: trunk
>            Reporter: Robert Kanter
>            Assignee: Robert Kanter
>            Priority: Blocker
>
> As I discovered when working on OOZIE-1491, there is a Curator bug 
> (CURATOR-58) without which the ZooKeeper locks will always have world ACLs 
> even with Kerberos enabled.  This could allow a malicious user to acquire one 
> of the locks and never release it, thus preventing Oozie from continuing to 
> process the job associated with that lock.  
> I've verified that CURATOR-58 fixes the problem, and the locks have the 
> correct "sasl" ACLs, but it won't be available until Curator 2.4.0 is 
> released.  We should make sure to update to Curator 2.4.0 as soon as possible 
> to fix this security hole.



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)

Reply via email to