Details
- Improvement
- Status: Resolved
- Major
- Resolution: Fixed
- 2.1.0
- None
- None
Description
Sentry clients use the Configuration class defined in the hadoop-common code base to parse or read configuration files. The Hadoop community has made improvements to it, particularly to enhance security. The change introduces a new boolean attribute restrictParser. Setting restrictParser to true will:
- Limit XML parsing to conform with feature "http://apache.org/xml/features/disallow-doctype-decl"
  - This is a security feature explained here - https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
- Set boolean restrictSystemProps to true
  - Will prevent system properties from being read
- Set XML inclusion (XInclude) to false
  - Prevent merging of XML documents

This change is currently included in hadoop-version 2.7.5. There is a new implementation of the addResources method to allow the setting of the restrictParser boolean. Sentry is currently using hadoop-version 2.7.2. Bumping this version up and making appropriate changes will allow Sentry to take advantage of this feature.
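The parser restrictions listed above, expressed with plain JAXP as an added example: this is not Hadoop's or Sentry's code, and it does not cover restrictSystemProps. The class name, method names and sample XML are assumptions constructed for the illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class RestrictedConfigParser {
    // Hypothetical helper: builds a parser with the restrictions the issue
    // lists for restrictParser=true.
    static DocumentBuilder newRestrictedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        // Reject any document that carries a DOCTYPE declaration at all.
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);
        // Do not process XInclude, so other XML documents are never merged in.
        f.setXIncludeAware(false);
        f.setNamespaceAware(true);
        return f.newDocumentBuilder();
    }

    // Returns the number of <property> elements, or -1 if the restricted
    // parser rejected the input.
    static int countProperties(String xml) throws Exception {
        try {
            Document doc = newRestrictedBuilder()
                .parse(new ByteArrayInputStream(xml.getBytes(StandardCharsets.UTF_8)));
            return doc.getElementsByTagName("property").getLength();
        } catch (SAXException e) {
            System.err.println("rejected: " + e.getMessage());
            return -1;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs; example.key is a placeholder property name.
        String plain = "<configuration><property><name>example.key</name>"
            + "<value>v</value></property></configuration>";
        // Same document with a DOCTYPE and an internal entity added.
        String withDoctype = "<!DOCTYPE configuration [<!ENTITY e \"x\">]>"
            + "<configuration><property><name>example.key</name>"
            + "<value>&e;</value></property></configuration>";
        System.out.println("plain config: " + countProperties(plain));
        System.out.println("config with DOCTYPE: " + countProperties(withDoctype));
    }
}
```

The plain configuration parses normally, while the one carrying a DOCTYPE is refused before any entity is resolved, so a client that relies on DTDs in its configuration files would need them removed before enabling the restriction.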