[
https://issues.apache.org/jira/browse/HBASE-14347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14941226#comment-14941226
]
Matteo Bertozzi commented on HBASE-14347:
-----------------------------------------
+1 on the patch for 1.x branches, since it does not change any behavior.
for 2.x we probably want to do some changes. the DynamicLoader seems to not be
needed on the client side, so we should force that to "not enabled". but on the
server side we probably want that still on, to allow user filters and so on. do
we have any alternative to copy local instead of forcing that "not enable" with
security reason as motivation? how one is supposed to use custom filters in a
"secure" environment otherwise?
> Add a switch to DynamicClassLoader to disable it and make that the default
> --------------------------------------------------------------------------
>
> Key: HBASE-14347
> URL: https://issues.apache.org/jira/browse/HBASE-14347
> Project: HBase
> Issue Type: Bug
> Components: Client, defaults, regionserver
> Affects Versions: 2.0.0, 1.2.0, 1.1.2, 0.98.15, 1.0.3
> Reporter: Esteban Gutierrez
> Assignee: Esteban Gutierrez
> Attachments: HBASE-14347-v001.patch
>
>
> Since HBASE-1936 we have the option to load jars dynamically by default from
> HDFS or the local filesystem, however hbase.dynamic.jars.dir points to a
> directory that could be world writable it potentially opens a security
> problem in both the client side and the RS. We should consider to have a
> switch to enable or disable this option and it should be off by default.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
