-----------------------------------------------------------
This is an automatically generated e-mail. To reply, visit:
https://reviews.apache.org/r/66373/#review200248
-----------------------------------------------------------


Ship it!




Ship It!

- Na Li


On March 30, 2018, 7:05 a.m., Arjun Mishra wrote:
> 
> -----------------------------------------------------------
> This is an automatically generated e-mail. To reply, visit:
> https://reviews.apache.org/r/66373/
> -----------------------------------------------------------
> 
> (Updated March 30, 2018, 7:05 a.m.)
> 
> 
> Review request for sentry, Alexander Kolbasov, Brian Towles, kalyan kumar 
> kalvagadda, Na Li, Steve Moist, Sergio Pena, Vadim Spector, and Xinran Tinney.
> 
> 
> Repository: sentry
> 
> 
> Description
> -------
> 
> The MapReduce team had discovered a security vulnerability in parsing the 
> MapReduce Job History Server configuration, through which private files owned 
> by the user running the cluster could be exposed. This has been applied to 
> versions 2.7.5, 2.8.3, 2.9.0, and 3.0.0. Since Sentry uses the hadoop-common 
> Configuration class to parse xml files, this change can be accommodated by our 
> product as well. Sentry upstream is currently using 2.7.2 as hadoop.version and 
> we should bump up this version to 2.7.5 to take advantage of this feature.
> 
> The hadoop change involves adding a new boolean attribute restrictParser. 
> Setting restrictParser to true will:
> 
> - Limit XML parsing to conform with the feature 
>   "http://apache.org/xml/features/disallow-doctype-decl". This is a security 
>   feature explained here - 
>   https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
> - Set boolean restrictSystemProps to true, which will prevent system 
>   properties from being read.
> - Set XML inclusion (XInclude) to false, which will prevent merging of xml 
>   documents.
> 
> With this change on the hadoop side, only default resources and hadoop-site.xml 
> have this feature turned off, so they will be read without restricted 
> parsing. Sentry is not listed as a default resource and would therefore have 
> to explicitly have this property set to true.
> 
> 
> Diffs
> -----
> 
>   pom.xml 61e0f9700 
>   
> sentry-binding/sentry-binding-hbase-indexer/src/main/java/org/apache/sentry/binding/hbaseindexer/authz/HBaseIndexerAuthzBinding.java
>  d919fe702 
>   
> sentry-binding/sentry-binding-hbase-indexer/src/main/java/org/apache/sentry/binding/hbaseindexer/conf/HBaseIndexerAuthzConf.java
>  cfbd37bf1 
>   
> sentry-binding/sentry-binding-hive-conf/src/main/java/org/apache/sentry/binding/hive/conf/HiveAuthzConf.java
>  8d5286cd3 
>   
> sentry-binding/sentry-binding-kafka/src/main/java/org/apache/sentry/kafka/conf/KafkaAuthConf.java
>  6ca621022 
>   
> sentry-binding/sentry-binding-solr/src/main/java/org/apache/sentry/binding/solr/conf/SolrAuthzConf.java
>  0883e70fe 
>   
> sentry-binding/sentry-binding-sqoop/src/main/java/org/apache/sentry/sqoop/conf/SqoopAuthConf.java
>  7836871f6 
>   
> sentry-hdfs/sentry-hdfs-namenode-plugin/src/main/java/org/apache/sentry/hdfs/SentryINodeAttributesProvider.java
>  cf96df47b 
>   
> sentry-provider/sentry-provider-common/src/main/java/org/apache/sentry/provider/common/HadoopGroupMappingService.java
>  00b5cf608 
>   
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/PermissionsMigrationToolCommon.java
>  ed28b735c 
>   
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolIndexer.java
>  c2341d322 
>   
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryConfigToolSolr.java
>  5649f43fa 
>   
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/generic/tools/SentryShellGeneric.java
>  907e1462c 
>   
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/provider/db/tools/SentryShellHive.java
>  729a51865 
>   
> sentry-provider/sentry-provider-db/src/main/java/org/apache/sentry/service/thrift/SentryService.java
>  bf5d85b03 
>   
> sentry-tests/sentry-tests-hive/src/test/java/org/apache/sentry/tests/e2e/tools/CreateSentryTestScaleData.java
>  b234c85c5 
>   sentry-tools/src/main/java/org/apache/sentry/shell/SentryCli.java 8b68d0d06 
> 
> 
> Diff: https://reviews.apache.org/r/66373/diff/1/
> 
> 
> Testing
> -------
> 
> 
> Thanks,
> 
> Arjun Mishra
> 
>

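As an added illustration of the restricted-parser behaviour described in the request above (example code written for this page, not Sentry's or Hadoop's own), the following stand-alone Java program parses a constructed, hostile sentry-site.xml twice: once with JAXP defaults, which follow the DOCTYPE's external entity and copy a private file into a property value, and once with the "disallow-doctype-decl" feature on and XInclude off, which rejects the document before any entity is resolved. It uses only the JDK; the class and method names, the property name and the temp file standing in for a private file owned by the service user are all assumptions made for the demo. It covers the two XML-parser controls only; restrictSystemProps lives in Hadoop's variable substitution, not in the XML parser, and is not shown.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;

/** Demo only (hypothetical class): lenient vs. restricted parsing of a Hadoop-style site file. */
public class RestrictedConfigParseDemo {

  /** Parser with plain JAXP defaults: DOCTYPE allowed, external entities resolved. */
  static DocumentBuilder lenientBuilder() throws ParserConfigurationException {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setNamespaceAware(true);
    return f.newDocumentBuilder();
  }

  /** Parser hardened the way the description says restrictParser=true does. */
  static DocumentBuilder restrictedBuilder() throws ParserConfigurationException {
    DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
    f.setNamespaceAware(true);
    // Reject any DOCTYPE: with no entity declarations there is no XXE and no entity expansion bomb.
    f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
    // No XInclude: an <xi:include href="file:///..."/> must not merge another document in.
    f.setXIncludeAware(false);
    // Defence in depth in case the DOCTYPE feature is ever relaxed for some resource.
    f.setFeature("http://xml.org/sax/features/external-general-entities", false);
    f.setFeature("http://xml.org/sax/features/external-parameter-entities", false);
    f.setExpandEntityReferences(false);
    return f.newDocumentBuilder();
  }

  /** Reads <property><name>/<value> pairs laid out the way a Hadoop-style site file is. */
  static String propertyValue(DocumentBuilder b, String xml, String wanted)
      throws SAXException, IOException {
    Document doc = b.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
    NodeList props = doc.getElementsByTagName("property");
    for (int i = 0; i < props.getLength(); i++) {
      Element p = (Element) props.item(i);
      String name = p.getElementsByTagName("name").item(0).getTextContent();
      if (wanted.equals(name)) {
        return p.getElementsByTagName("value").item(0).getTextContent();
      }
    }
    return null;
  }

  public static void main(String[] args) throws Exception {
    // Constructed stand-in for a private file owned by the user running the service.
    Path secret = Files.createTempFile("sentry-demo-secret", ".txt");
    Files.write(secret, "db.password=hunter2".getBytes(StandardCharsets.UTF_8));

    // Constructed hostile site file: the DOCTYPE pulls the secret in through an external entity.
    String hostileSiteXml =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE configuration [\n"
      + "  <!ENTITY leak SYSTEM \"" + secret.toUri() + "\">\n"
      + "]>\n"
      + "<configuration>\n"
      + "  <property><name>demo.principal</name><value>&leak;</value></property>\n"
      + "</configuration>\n";

    try {
      // Lenient parse: the file contents come back as the property value.
      System.out.println("lenient parser  : "
          + propertyValue(lenientBuilder(), hostileSiteXml, "demo.principal"));
      // Restricted parse: SAXParseException, "DOCTYPE is disallowed ...", before any entity is read.
      propertyValue(restrictedBuilder(), hostileSiteXml, "demo.principal");
      System.out.println("restricted parser: unexpectedly accepted the document");
    } catch (SAXException e) {
      System.out.println("restricted parser: rejected (" + e.getMessage() + ")");
    } finally {
      Files.deleteIfExists(secret);
    }
  }
}
```

Compile and run with `javac RestrictedConfigParseDemo.java && java RestrictedConfigParseDemo`. In Sentry itself the point of the request is not to hand-build a DocumentBuilder but to pass restricted parsing through to Configuration for every sentry-site.xml it loads, using the addResource overload that the cited Hadoop change added; the signature of that overload is not given in the description above, so check it against the 2.7.5 Configuration source rather than this note.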