[ https://issues.apache.org/jira/browse/SENTRY-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16470549#comment-16470549 ]
Daryn Sharp commented on SENTRY-2194:
-------------------------------------
The trusted resource restrictions apply to conf parsing within the context of a
proxy user. It prevents exploits via tainted user confs to load arbitrary
local resources, expand system props, etc. that may contain sensitive
information. Please ensure users have zero ability to specify the resources
this patch now explicitly loads as "trusted".
> Upgrade Sentry hadoop-version dependency to 2.7.5
> -------------------------------------------------
>
> Key: SENTRY-2194
> URL: https://issues.apache.org/jira/browse/SENTRY-2194
> Project: Sentry
> Issue Type: Improvement
> Affects Versions: 2.1.0
> Reporter: Arjun Mishra
> Assignee: Arjun Mishra
> Priority: Major
> Attachments: SENTRY-2194.01.patch, SENTRY-2194.02.patch
>
>
> Sentry clients use the Configuration class defined in the hadoop-common code base
> to parse or read configuration files. The Hadoop community has made improvements,
> particularly to enhance security. The change introduces a new boolean
> attribute restrictParser. Setting restrictParser to true will
> * Limit XML parsing to conform with feature
> "http://apache.org/xml/features/disallow-doctype-decl"
> ** This is a security feature explained here -
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
> * boolean restrictSystemProps is set to true
> ** Will prevent system properties from being read
> * set XML inclusion (XInclude) to false
> ** prevent merging of xml documents
> This change is currently included in hadoop-version 2.7.5. There is a new
> implementation of the addResources method to allow the setting of the restrictParser
> boolean. Sentry is currently using hadoop-version 2.7.2. Bumping this version
> up and making appropriate changes will allow Sentry to take advantage of this
> feature.
--
This message was sent by Atlassian JIRA
(v7.6.3#76005)
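The three restrictions described in the issue (no DOCTYPE declarations, no XInclude, no system-property expansion) and the threat Daryn Sharp describes (a tainted user conf pulling in local files or leaking JVM properties) can be shown with plain JAXP. The following is an added, self-contained example and is not Sentry's or Hadoop's own code: it is a small stand-in for a Hadoop-style `<configuration>` parser, with a `restrictParser` switch that mirrors the feature from the issue and a `restrictSystemProps` switch that turns `${...}` expansion off. The `${name}` syntax, the class and method names, and the sample documents are all assumptions constructed for the example.

```java
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import javax.xml.parsers.ParserConfigurationException;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import org.xml.sax.SAXException;
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

public class RestrictedConfParser {

    // Constructed sample: a well-formed conf a trusted admin might ship.
    // The second value uses the (assumed) ${...} syntax to reference a JVM property.
    static final String PLAIN_CONF =
        "<?xml version=\"1.0\"?>\n"
      + "<configuration>\n"
      + "  <property><name>sentry.example.key</name><value>plain</value></property>\n"
      + "  <property><name>sentry.example.home</name><value>${java.home}</value></property>\n"
      + "</configuration>\n";

    // Constructed sample: a tainted conf as an untrusted user might supply it.
    // The DOCTYPE declares an external entity; under restrictParser the parser
    // rejects the document before any entity can be resolved.
    static final String TAINTED_CONF =
        "<?xml version=\"1.0\"?>\n"
      + "<!DOCTYPE configuration [<!ENTITY ext SYSTEM \"file:///placeholder/local/file\">]>\n"
      + "<configuration>\n"
      + "  <property><name>sentry.example.key</name><value>&ext;</value></property>\n"
      + "</configuration>\n";

    // Builds a DOM parser. With restrictParser=true it applies the same limits the
    // issue lists: disallow DOCTYPE (blocks XXE) and disable XInclude (no merging).
    static DocumentBuilder newBuilder(boolean restrictParser) throws ParserConfigurationException {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        if (restrictParser) {
            f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
            f.setXIncludeAware(false);
            f.setExpandEntityReferences(false);
        } else {
            f.setXIncludeAware(true); // permissive mode, for contrast only
        }
        return f.newDocumentBuilder();
    }

    // Parses <property><name/><value/></property> entries into a map. When
    // restrictSystemProps is true, ${...} references are left unexpanded.
    static Map<String, String> parse(String xml, boolean restrictParser, boolean restrictSystemProps)
            throws ParserConfigurationException, SAXException, java.io.IOException {
        Document doc = newBuilder(restrictParser)
            .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
        Map<String, String> props = new LinkedHashMap<>();
        NodeList nodes = doc.getElementsByTagName("property");
        for (int i = 0; i < nodes.getLength(); i++) {
            Element p = (Element) nodes.item(i);
            String value = childText(p, "value");
            props.put(childText(p, "name"), restrictSystemProps ? value : expandSystemProps(value));
        }
        return props;
    }

    private static String childText(Element parent, String tag) {
        NodeList n = parent.getElementsByTagName(tag);
        return n.getLength() == 0 ? "" : n.item(0).getTextContent();
    }

    private static final Pattern VAR = Pattern.compile("\\$\\{([^}]+)}");

    // Simplified model of system-property expansion; unknown names are left as-is.
    static String expandSystemProps(String value) {
        Matcher m = VAR.matcher(value);
        StringBuffer sb = new StringBuffer();
        while (m.find()) {
            String sys = System.getProperty(m.group(1));
            m.appendReplacement(sb, Matcher.quoteReplacement(sys == null ? m.group(0) : sys));
        }
        m.appendTail(sb);
        return sb.toString();
    }

    public static void main(String[] args) throws Exception {
        // Restricted: ${java.home} survives literally, nothing about the JVM leaks.
        System.out.println("restricted:   " + parse(PLAIN_CONF, true, true));
        // Permissive: the JVM's java.home is substituted into the value.
        System.out.println("unrestricted: " + parse(PLAIN_CONF, false, false));
        // Restricted parse of the tainted conf fails fast on the DOCTYPE.
        try {
            parse(TAINTED_CONF, true, true);
        } catch (SAXException e) {
            System.out.println("rejected:     " + e.getMessage());
        }
    }
}
```

Compile and run with `javac RestrictedConfParser.java && java RestrictedConfParser`. The point to take from the run is the one Daryn makes in the comment: the restrictions only help if they are applied to every resource a user can influence, so the decision of which resources to load as "trusted" (with `restrictParser=false`) has to be made by the service, never from a value the proxied user supplies.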