[ https://issues.apache.org/jira/browse/OOZIE-1608?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Robert Kanter updated OOZIE-1608:
---------------------------------
Attachment: OOZIE-1608.patch
The patch updates Curator to the recently released 2.4.0 with CURATOR-58 in it.
I've verified locally that TestZKUtilsWithSecurity now passes; and I've
previously verified that the security hole is fixed with the Curator patch.
> Update Curator to 2.4.0 when it's available to fix security hole
> ---------------------------------------------------------------
>
> Key: OOZIE-1608
> URL: https://issues.apache.org/jira/browse/OOZIE-1608
> Project: Oozie
> Issue Type: Bug
> Components: HA, security
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Blocker
> Attachments: OOZIE-1608.patch
>
>
> As I discovered when working on OOZIE-1491, there is a Curator bug
> (CURATOR-58) without which the ZooKeeper locks will always have world ACLs
> even with Kerberos enabled. This could allow a malicious user to acquire one
> of the locks and never release it, thus preventing Oozie from continuing to
> process the job associated with that lock.
> I've verified that CURATOR-58 fixes the problem, and the locks have the
> correct "sasl" ACLs, but it won't be available until Curator 2.4.0 is
> released. We should make sure to update to Curator 2.4.0 as soon as possible
> to fix this security hole.
--
This message was sent by Atlassian JIRA
(v6.1.5#6160)
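The description above says the lock znodes ended up with world ACLs instead of the expected "sasl" ACLs. As an added example (not code from the issue, from Oozie or from Curator), the following audit walks a ZooKeeper subtree with the Curator client and reports every znode whose ACL grants any permission to the `world` scheme, which is the condition a deployment would check after upgrading. The connect string, the `/oozie` root path and the printed format are assumptions.

```java
import org.apache.curator.RetryPolicy;
import org.apache.curator.framework.CuratorFramework;
import org.apache.curator.framework.CuratorFrameworkFactory;
import org.apache.curator.retry.ExponentialBackoffRetry;
import org.apache.zookeeper.data.ACL;
import java.util.ArrayList;
import java.util.List;

public class ZkLockAclAudit {

    // True when this ACL entry hands any permission to the "world" scheme
    // (world:anyone), i.e. to unauthenticated clients.
    static boolean grantsToWorld(ACL acl) {
        return "world".equals(acl.getId().getScheme()) && acl.getPerms() != 0;
    }

    // Recursively collect "path -> acl" strings for every znode under `path`
    // that carries a world-accessible ACL entry.
    static List<String> findWorldAcls(CuratorFramework client, String path) throws Exception {
        List<String> findings = new ArrayList<>();
        for (ACL acl : client.getACL().forPath(path)) {
            if (grantsToWorld(acl)) {
                findings.add(path + " -> " + acl);
            }
        }
        String prefix = "/".equals(path) ? "" : path;
        for (String child : client.getChildren().forPath(path)) {
            findings.addAll(findWorldAcls(client, prefix + "/" + child));
        }
        return findings;
    }

    public static void main(String[] args) throws Exception {
        // Assumptions: ZooKeeper on localhost:2181 and an "/oozie" namespace;
        // override both on the command line for a real deployment.
        String connectString = args.length > 0 ? args[0] : "localhost:2181";
        String root = args.length > 1 ? args[1] : "/oozie";
        RetryPolicy retry = new ExponentialBackoffRetry(1000, 3);
        try (CuratorFramework client = CuratorFrameworkFactory.newClient(connectString, retry)) {
            client.start();
            List<String> findings = findWorldAcls(client, root);
            if (findings.isEmpty()) {
                System.out.println("OK: no world-accessible znodes under " + root);
            } else {
                System.out.println("WARNING: " + findings.size() + " world-accessible znode(s):");
                findings.forEach(f -> System.out.println("  " + f));
            }
        }
    }
}
```

Run it with a Kerberos-authenticated client configuration (the same JAAS setup the Oozie server uses) so that sasl-protected znodes remain readable to the audit; a non-empty result after the Curator 2.4.0 upgrade means some nodes were created before the fix and still need their ACLs corrected.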