[ https://issues.apache.org/jira/browse/SENTRY-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arjun Mishra updated SENTRY-2194:
---------------------------------
    Summary: Upgrade Sentry hadoop-version dependency to 2.7.5  (was: Upgrade 
Sentry hadoop-version dependency to 2.7.5 to take advantage of security 
vulnerability fix)

> Upgrade Sentry hadoop-version dependency to 2.7.5
> -------------------------------------------------
>
>                 Key: SENTRY-2194
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2194
>             Project: Sentry
>          Issue Type: Improvement
>    Affects Versions: 2.1.0
>            Reporter: Arjun Mishra
>            Assignee: Arjun Mishra
>            Priority: Major
>
> MapReduce team had discovered a security vulnerability in parsing MapReduce 
> Job History Server configuration: private files owned by the user running the 
> cluster could be exposed. This has been applied to versions 2.7.5, 2.8.3, 
> 2.9.0, or 3.0.0. Since Sentry uses the hadoop-common Configuration class to 
> parse xml files, this change can be accommodated by our product as well. 
> Sentry upstream is currently using hadoop.version 2.7.2 and we should bump up 
> this version to 2.7.5 to take advantage of this feature. 
> The hadoop change involves adding a new boolean attribute restrictParser. 
> Setting restrictParser to true will
> * Limit XML parsing to conform with feature 
> "http://apache.org/xml/features/disallow-doctype-decl"
> ** This is a security feature explained here - 
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
> (Look under the General Guidance section)
> * boolean restrictSystemProps is set to true
> ** Will prevent system properties from being read
> * set XML inclusion (XInclude) to false
> ** prevent merging of xml documents
> With this change on the hadoop side, only default resources and hadoop-site.xml 
> have this feature turned off, so they will be read without restricted 
> parsing. Sentry is not listed as a default resource and would therefore have 
> to explicitly have this property set to true. 



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
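As an added illustration, not code from this issue, from Hadoop or from Sentry, the following Java shows what the three restrictParser settings listed above mean in plain JAXP terms (DOCTYPE disallowed, XInclude off) and a deliberately simplified model of the restrictSystemProps switch on `${var}` expansion; the class name, the sample documents and the property names `example.key` and `sentry.root` are constructed for the example and are not Hadoop or Sentry identifiers.

```java
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.Collections;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.xml.sax.SAXException;

public class RestrictedConfigParsing {

    /** Parser settings matching the restrictParser bullets in the issue. */
    static DocumentBuilder restrictedBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        // Reject any DOCTYPE declaration, so a config file cannot define
        // entities at all (internal or external).
        factory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // No XInclude: a config file cannot pull other documents into itself.
        factory.setXIncludeAware(false);
        factory.setExpandEntityReferences(false);
        return factory.newDocumentBuilder();
    }

    /** A parser without those restrictions, for comparison. */
    static DocumentBuilder permissiveBuilder() throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        factory.setXIncludeAware(true);
        return factory.newDocumentBuilder();
    }

    /** Returns true if the given parser accepts the document, false if it rejects it. */
    static boolean accepts(DocumentBuilder builder, String xml) {
        try {
            builder.parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return true;
        } catch (SAXException | IOException e) {
            return false;
        }
    }

    /**
     * Simplified model (not Hadoop's implementation) of ${var} expansion with a
     * restrictSystemProps switch: when restricted, only the configuration's own
     * properties are consulted and JVM system properties are never read.
     */
    static String expand(String value, Map<String, String> conf, boolean restrictSystemProps) {
        Matcher m = Pattern.compile("\\$\\{([^}]+)\\}").matcher(value);
        StringBuffer out = new StringBuffer();
        while (m.find()) {
            String var = m.group(1);
            String replacement = restrictSystemProps ? null : System.getProperty(var);
            if (replacement == null) replacement = conf.get(var);
            if (replacement == null) replacement = m.group(0); // leave unresolved
            m.appendReplacement(out, Matcher.quoteReplacement(replacement));
        }
        m.appendTail(out);
        return out.toString();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample documents: one plain, one carrying a (harmless,
        // internal-only) DOCTYPE. The restricted parser rejects the second one
        // outright, regardless of what the DOCTYPE contains.
        String plain = "<configuration><property><name>example.key</name>"
                + "<value>8038</value></property></configuration>";
        String withDoctype = "<!DOCTYPE configuration [<!ENTITY port \"8038\">]>"
                + "<configuration><property><name>example.key</name>"
                + "<value>&port;</value></property></configuration>";

        DocumentBuilder restricted = restrictedBuilder();
        DocumentBuilder permissive = permissiveBuilder();
        System.out.println("plain, restricted:   " + accepts(restricted, plain));
        System.out.println("doctype, permissive: " + accepts(permissive, withDoctype));
        System.out.println("doctype, restricted: " + accepts(restricted, withDoctype));

        // Constructed config map; user.name is a standard JVM system property.
        Map<String, String> conf = Collections.singletonMap("sentry.root", "/var/lib/sentry");
        System.out.println(expand("${sentry.root}/${user.name}", conf, false));
        System.out.println(expand("${sentry.root}/${user.name}", conf, true));
    }
}
```

With the JDK's built-in Xerces parser the restricted builder throws a SAXParseException on the DOCTYPE document while accepting the plain one, and the permissive builder accepts both; in the expansion model, `${user.name}` resolves from the JVM only when system properties are not restricted and is otherwise left in place. This is the behaviour the issue asks Sentry to opt into by setting restrictParser to true, since Sentry's own resources are not on Hadoop's default-resource list.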
