Uploaded image for project: 'Oozie'
  1. Oozie
  2. OOZIE-1608

Update Curator to 2.4.0 when its available to fix security hole

    XMLWordPrintableJSON

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: trunk
    • Fix Version/s: 4.1.0
    • Component/s: HA, security
    • Labels:
      None

      Description

      As I discovered when working on OOZIE-1491, there is a Curator bug (CURATOR-58) without which the ZooKeeper locks will always have world ACLs even with Kerberos enabled. This could allow a malicious user to acquire one of the locks and never release it, thus preventing Oozie from continuing to process the job associated with that lock.

      I've verified that CURATOR-58 fixes the problem, and the locks have the correct "sasl" ACLs, but it won't be available until Curator 2.4.0 is released. We should make sure to update to Curator 2.4.0 as soon as possible to fix this security hole.

        Attachments

        1. OOZIE-1608.patch
          0.9 kB
          Robert Kanter

          Issue Links

            Activity

              People

              • Assignee:
                rkanter Robert Kanter
                Reporter:
                rkanter Robert Kanter
              • Votes:
                0 Vote for this issue
                Watchers:
                2 Start watching this issue

                Dates

                • Created:
                  Updated:
                  Resolved: