[ https://issues.apache.org/jira/browse/SENTRY-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Arjun Mishra updated SENTRY-2194:
---------------------------------
    Description: Hadoop 2.7.5 version has many new features and bug fixes that 
Sentry can take advantage of. Currently Sentry is using 2.7.2 hadoop-version. 
We should bump this to 2.7.5  (was: The MapReduce team had discovered a security 
vulnerability in parsing MapReduce Job History Server configuration: private 
files owned by the user running the cluster could be exposed. This has been 
applied to versions 2.7.5, 2.8.3, 2.9.0 and 3.0.0. Since Sentry uses the 
hadoop-common Configuration class to parse xml files, this change can be 
accommodated by our product as well. Sentry upstream is currently using 2.7.2 
hadoop.version and we should bump up this version to 2.7.5 to take advantage 
of this feature. 

The hadoop change involves adding a new boolean attribute restrictParser. 
Setting restrictParser to true will
* Limit XML parsing to conform with feature 
"http://apache.org/xml/features/disallow-doctype-decl"
** This is a security feature explained here - 
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
 (Look under the General Guidance section)
* Set boolean restrictSystemProps to true
** Will prevent system properties from being read
* Set XML inclusion (XInclude) to false
** Prevents merging of xml documents

With this change on hadoop side, only default resources, and hadoop-site.xml 
have this feature turned off, so they will be read without restricted parsing. 
Sentry is not listed as a default resource and would therefore have to 
explicitly have this property set to true. )
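As an added illustration of the two XML-level restrictions the description names (DOCTYPE rejection via disallow-doctype-decl, and XInclude switched off), the following is a small stand-alone Java reader for the <property>/<name>/<value> layout of *-site.xml files. It is example code written for this note, not Hadoop's Configuration class or any Sentry code, and Hadoop's real implementation differs; the class name, the restrictParser flag, and both sample documents are constructed for the demonstration. It assumes the JDK's built-in (Xerces-derived) DOM parser, which understands the feature URI quoted above. The third setting, restrictSystemProps, concerns ${sys.prop} substitution in values rather than XML parsing, so it is not modelled here.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXParseException;

public class RestrictedConfigParser {

    // Feature URI quoted in the issue description (Xerces / JDK built-in parser).
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // restrictParser (a hypothetical flag mirroring the one in the description)
    // turns on DOCTYPE rejection and turns off XInclude. Without it the parser
    // runs with its defaults, which is what the unrestricted read below shows.
    static DocumentBuilder newBuilder(boolean restrictParser)
            throws ParserConfigurationException {
        DocumentBuilderFactory factory = DocumentBuilderFactory.newInstance();
        factory.setNamespaceAware(true);
        if (restrictParser) {
            factory.setFeature(DISALLOW_DOCTYPE, true); // any <!DOCTYPE ...> is a parse error
            factory.setXIncludeAware(false);            // no merging of other documents
            factory.setExpandEntityReferences(false);
        }
        return factory.newDocumentBuilder();
    }

    // Reads the <property><name/><value/></property> layout used by *-site.xml
    // files into a map. Returns null when restricted parsing rejects the document.
    static Map<String, String> readProperties(String xml, boolean restrictParser)
            throws Exception {
        Map<String, String> props = new LinkedHashMap<>();
        Document doc;
        try {
            doc = newBuilder(restrictParser).parse(
                new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        } catch (SAXParseException e) {
            System.out.println("rejected: " + e.getMessage());
            return null;
        }
        NodeList nodes = doc.getElementsByTagName("property");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element p = (Element) nodes.item(i);
            String name = text(p, "name");
            String value = text(p, "value");
            if (name != null) {
                props.put(name, value == null ? "" : value);
            }
        }
        return props;
    }

    private static String text(Element parent, String tag) {
        NodeList list = parent.getElementsByTagName(tag);
        return list.getLength() == 0 ? null : list.item(0).getTextContent().trim();
    }

    // Constructed sample input; the property name is a placeholder, not a real key.
    static final String PLAIN =
        "<?xml version=\"1.0\"?>\n" +
        "<configuration>\n" +
        "  <property><name>example.property</name><value>42</value></property>\n" +
        "</configuration>\n";

    // Same layout but carrying a DOCTYPE with an internal entity. Under
    // disallow-doctype-decl the document is rejected before any entity is
    // looked at; without the restriction the entity is expanded as usual.
    static final String WITH_DOCTYPE =
        "<?xml version=\"1.0\"?>\n" +
        "<!DOCTYPE configuration [ <!ENTITY v \"42\"> ]>\n" +
        "<configuration>\n" +
        "  <property><name>example.property</name><value>&v;</value></property>\n" +
        "</configuration>\n";

    public static void main(String[] args) throws Exception {
        System.out.println("plain, restricted:     " + readProperties(PLAIN, true));
        System.out.println("doctype, unrestricted: " + readProperties(WITH_DOCTYPE, false));
        System.out.println("doctype, restricted:   " + readProperties(WITH_DOCTYPE, true));
    }
}
```

Running the class reads the plain document normally in both modes, reads the DOCTYPE-bearing document only in unrestricted mode, and prints a "rejected" line for it in restricted mode. That last case is the behaviour the description asks Sentry to opt into: because Sentry's files are not default resources, they are only parsed this way if the property is explicitly set.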

> Upgrade Sentry hadoop-version dependency to 2.7.5
> -------------------------------------------------
>
>                 Key: SENTRY-2194
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2194
>             Project: Sentry
>          Issue Type: Improvement
>    Affects Versions: 2.1.0
>            Reporter: Arjun Mishra
>            Assignee: Arjun Mishra
>            Priority: Major
>         Attachments: SENTRY-2194.01.patch
>
>
> Hadoop 2.7.5 version has many new features and bug fixes that Sentry can take 
> advantage of. Currently Sentry is using 2.7.2 hadoop-version. We should bump 
> this to 2.7.5



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
