Uploaded image for project: 'Oozie'
  1. Oozie
  2. OOZIE-1608

Update Curator to 2.4.0 when its available to fix security hole

VotersWatch issueWatchersCreate sub-taskLinkCloneUpdate Comment AuthorReplace String in CommentUpdate Comment VisibilityDelete Comments
    XMLWordPrintableJSON

Details

    • Bug
    • Status: Closed
    • Blocker
    • Resolution: Fixed
    • trunk
    • 4.1.0
    • HA, security
    • None

    Description

      As I discovered when working on OOZIE-1491, there is a Curator bug (CURATOR-58) without which the ZooKeeper locks will always have world ACLs even with Kerberos enabled. This could allow a malicious user to acquire one of the locks and never release it, thus preventing Oozie from continuing to process the job associated with that lock.

      I've verified that CURATOR-58 fixes the problem, and the locks have the correct "sasl" ACLs, but it won't be available until Curator 2.4.0 is released. We should make sure to update to Curator 2.4.0 as soon as possible to fix this security hole.

      Attachments

        1. OOZIE-1608.patch
          0.9 kB
          Robert Kanter

        Issue Links

        is related to

        Improvement - An improvement or enhancement to an existing feature or task. OOZIE-1491 Make sure HA works with a secure ZooKeeper

        • Major - Major loss of function.
        • Closed

        Activity
          This comment will be Viewable by All Users Viewable by All Users
          Cancel

          People

            rkanter Robert Kanter
            rkanter Robert Kanter
            Votes:
            0 Vote for this issue
            Watchers:
            2 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved:

              Slack

                Issue deployment