[ 
https://issues.apache.org/jira/browse/SENTRY-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Arjun Mishra updated SENTRY-2194:
---------------------------------
    Description: 
Sentry clients use the Configuration class defined in the hadoop-common code base 
to parse or read configuration files. The Hadoop community has made improvements, 
particularly to enhance security. The change introduces a new boolean attribute, 
restrictParser. Setting restrictParser to true will:

* Limit XML parsing to conform with feature 
"http://apache.org/xml/features/disallow-doctype-decl"
** This is a security feature explained here - 
https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
* boolean restrictSystemProps is set to true
** Will prevent system properties from being read
* set XML inclusion (XInclude) to false
** prevent merging of xml documents

This change is currently included in hadoop-version 2.7.5. There is a new 
implementation of the addResources method to allow the setting of the restrictParser 
boolean. Sentry is currently using hadoop-version 2.7.2. Bumping this version 
up and making appropriate changes will allow Sentry to take advantage of this 
feature.

  was:Hadoop 2.7.5 version has many new features and bug fixes that Sentry can 
take advantage of. Currently Sentry is using 2.7.2 hadoop-version. We should 
bump this to 2.7.5


> Upgrade Sentry hadoop-version dependency to 2.7.5
> -------------------------------------------------
>
>                 Key: SENTRY-2194
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2194
>             Project: Sentry
>          Issue Type: Improvement
>    Affects Versions: 2.1.0
>            Reporter: Arjun Mishra
>            Assignee: Arjun Mishra
>            Priority: Major
>         Attachments: SENTRY-2194.01.patch, SENTRY-2194.02.patch
>
>
> Sentry clients use the Configuration class defined in the hadoop-common code base 
> to parse or read configuration files. The Hadoop community has made improvements, 
> particularly to enhance security. The change introduces a new boolean 
> attribute, restrictParser. Setting restrictParser to true will:
> * Limit XML parsing to conform with feature 
> "http://apache.org/xml/features/disallow-doctype-decl"
> ** This is a security feature explained here - 
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
> * boolean restrictSystemProps is set to true
> ** Will prevent system properties from being read
> * set XML inclusion (XInclude) to false
> ** prevent merging of xml documents
> This change is currently included in hadoop-version 2.7.5. There is a new 
> implementation of the addResources method to allow the setting of the restrictParser 
> boolean. Sentry is currently using hadoop-version 2.7.2. Bumping this version 
> up and making appropriate changes will allow Sentry to take advantage of this 
> feature.



--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
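
Added example, not part of the original message and not Hadoop or Sentry code: a plain JAXP sketch of the two parser restrictions listed in the description (disallow-doctype-decl and XInclude off), showing that a configuration file carrying a DOCTYPE is rejected once they are applied. The class name, the helper names and the sample documents are assumptions constructed for illustration; the system-property restriction is not covered.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilderFactory;
import org.xml.sax.SAXException;

public class RestrictedConfigParse {
    // Feature string quoted in the issue description.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Hypothetical helper: a parser factory with or without the restrictions.
    static DocumentBuilderFactory newFactory(boolean restrict) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setXIncludeAware(!restrict);            // restricted: no XInclude merging
        if (restrict) {
            f.setFeature(DISALLOW_DOCTYPE, true); // restricted: any DOCTYPE is a fatal error
        }
        return f;
    }

    // Returns the number of <property> elements, or -1 if the parser rejected the input.
    static int countProperties(String xml, boolean restrict) throws Exception {
        try {
            return newFactory(restrict).newDocumentBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)))
                .getElementsByTagName("property").getLength();
        } catch (SAXException e) {
            System.out.println("rejected: " + e.getMessage());
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs in the Hadoop configuration file layout.
        String plain = "<configuration><property><name>a</name>"
            + "<value>1</value></property></configuration>";
        // Same file with a DOCTYPE declaring one internal entity.
        String withDoctype = "<!DOCTYPE configuration [<!ENTITY v \"1\">]>"
            + "<configuration><property><name>a</name>"
            + "<value>&v;</value></property></configuration>";

        System.out.println(countProperties(plain, true));        // restricted, no DOCTYPE
        System.out.println(countProperties(withDoctype, false)); // unrestricted, DOCTYPE present
        System.out.println(countProperties(withDoctype, true));  // restricted, DOCTYPE present
    }
}
```

Only the last call returns -1: with the feature set, the parser stops at the DOCTYPE declaration before any entity is processed, which is why the setting closes off XXE regardless of what the DTD contains.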
