[ https://issues.apache.org/jira/browse/ACCUMULO-3631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14343904#comment-14343904 ]

Josh Elser commented on ACCUMULO-3631:
--------------------------------------
I thought about this some more over the weekend, and came up with the
following. The value for this property will be the default value when
{{accumulo-site.xml}} is not on the classpath or {{general.classpaths}} was
omitted from the file (regardless of the execution context -- client or server).

I could see the former leading to "unexpected" consequences (a user is
"tricked" into not having accumulo-site.xml on their classpath, a malicious
user places their own jar in one of the added paths, and code is executed
unintentionally). The mitigation here is that all of the newly added paths are
rooted under "/usr" which is typically only writable by root, so this risk is
low.

The latter (general.classpaths not being defined at all) is probably not valid
for security-minded users because someone who has any concern WRT security
knows how bad it is to not control the classpath being used. In other words, if
{{general.classpaths}} is not defined, I believe it can reasonably be asserted
that the user doesn't really care about this instance.

I'm willing to remove the additional classpath entries, I just want to make
sure we're removing them for sensible reasons and not just a knee-jerk reaction.

> Exclude 'slf4j' artifacts from classpath in default value for
> general.classpaths
> --------------------------------------------------------------------------------
>
> Key: ACCUMULO-3631
> URL: https://issues.apache.org/jira/browse/ACCUMULO-3631
> Project: Accumulo
> Issue Type: Bug
> Affects Versions: 1.6.0, 1.6.1, 1.6.2
> Reporter: Josh Elser
> Assignee: Josh Elser
> Priority: Blocker
> Fix For: 1.7.0, 1.6.3
>
> Time Spent: 20m
> Remaining Estimate: 0h
>
> Was testing out some Ambari integration for Accumulo that [~billie.rinaldi]
> and [~mwaineo] have been working on (AMBARI-5265) and found that, despite
> accumulo-site.xml having jars starting with slf4j excluded from the
> classpath, the shell would complain about duplicate slf4j-log4j12 jars on the
> classpath.
> Turns out, because access to accumulo-site.xml was restricted (and we only
> had client.conf to use), we fell back on the default value for
> general.classpaths defined in AccumuloClassLoader. A short-term fix is to
> update the value there to match what's in our site template.
> I'll add another issue for a long term fix to add classpath support to client
> configuration.
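
An added example, not part of the original comment or the Accumulo code base: a Python check for the condition the comment relies on, namely that every directory a classpath entry loads jars from, and every ancestor of it, is writable only by trusted users. The function names, the sample values and the assumption that the last component of each entry is a file name or pattern are illustrative.

```python
import os
import stat

def writable_by_untrusted(st, trusted_uids):
    """Return a reason if this stat result lets an untrusted user add files."""
    if st.st_uid not in trusted_uids:
        return "owned by uid %d" % st.st_uid
    if st.st_mode & stat.S_IWOTH:
        return "world-writable"   # sticky bit does not stop new files being added
    if st.st_mode & stat.S_IWGRP:
        return "group-writable"
    return None

def audit_classpath(value, env, trusted_uids=frozenset({0}), stop_at="/"):
    """Audit the directories behind a comma-separated classpath value.

    Assumption: the last path component of an entry is a file name or pattern,
    so the directory to check is the entry's parent. Ancestors are checked up
    to stop_at. Returns a list of (entry, directory, reason) tuples.
    """
    findings = []
    stop_at = os.path.realpath(stop_at)
    for raw in filter(None, (e.strip() for e in value.split(","))):
        entry = raw
        # Expand $VAR only from the supplied map, longest names first.
        for name in sorted(env, key=len, reverse=True):
            entry = entry.replace("$" + name, env[name])
        if "$" in entry:
            findings.append((raw, None, "unresolved variable"))
            continue
        current = os.path.realpath(os.path.dirname(entry))
        while True:
            try:
                reason = writable_by_untrusted(os.stat(current), trusted_uids)
            except (FileNotFoundError, NotADirectoryError):
                # Missing directory: whoever can write an ancestor can create
                # it, and the ancestors are checked on the next iterations.
                reason = None
            if reason:
                findings.append((raw, current, reason))
            parent = os.path.dirname(current)
            if current == stop_at or parent == current:
                break
            current = parent
    return findings
```

With the default `trusted_uids` of root only, an empty result for a value means the "typically only writable by root" condition actually holds on that host.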