[OOZIE-1608] Update Curator to 2.4.0 when its available to fix security hole - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Blocker
Resolution: Fixed
Affects Version/s: trunk
Fix Version/s: 4.1.0
Component/s: HA, security
Labels:
None

Description

As I discovered when working on ~~OOZIE-1491~~, there is a Curator bug (~~CURATOR-58~~) without which the ZooKeeper locks will always have world ACLs even with Kerberos enabled. This could allow a malicious user to acquire one of the locks and never release it, thus preventing Oozie from continuing to process the job associated with that lock.

I've verified that ~~CURATOR-58~~ fixes the problem, and the locks have the correct "sasl" ACLs, but it won't be available until Curator 2.4.0 is released. We should make sure to update to Curator 2.4.0 as soon as possible to fix this security hole.

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending

OOZIE-1608.patch
10/Feb/14 18:33
0.9 kB
Robert Kanter

Issue Links

is related to

OOZIE-1491 Make sure HA works with a secure ZooKeeper

Closed

Activity

People

Assignee:: Robert Kanter

Reporter:: Robert Kanter

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Dates

Created:: 08/Nov/13 18:50

Updated:: 09/Dec/14 00:45

Resolved:: 10/Feb/14 21:26