You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@oozie.apache.org by "Robert Kanter (JIRA)" <ji...@apache.org> on 2013/12/03 02:39:35 UTC
[jira] [Commented] (OOZIE-1608) Update Curator to 2.3.1 when its
available to fix security hole
[ https://issues.apache.org/jira/browse/OOZIE-1608?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13837217#comment-13837217 ]
Robert Kanter commented on OOZIE-1608:
--------------------------------------
Until this is resolved, {{TestZKUtilsWithSecurity}} will fail with the following error:
{noformat}
-------------------------------------------------------------------------------
Test set: org.apache.oozie.util.TestZKUtilsWithSecurity
-------------------------------------------------------------------------------
Tests run: 2, Failures: 1, Errors: 0, Skipped: 0, Time elapsed: 29.516 sec <<< FAILURE!
testNewUsingACLs(org.apache.oozie.util.TestZKUtilsWithSecurity) Time elapsed: 0.011 sec <<< FAILURE!
junit.framework.ComparisonFailure: expected:<[sasl]> but was:<[world]>
at junit.framework.Assert.assertEquals(Assert.java:85)
at junit.framework.Assert.assertEquals(Assert.java:91)
at org.apache.oozie.util.TestZKUtilsWithSecurity.testNewUsingACLs(TestZKUtilsWithSecurity.java:163)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
at java.lang.reflect.Method.invoke(Method.java:597)
at junit.framework.TestCase.runTest(TestCase.java:168)
at junit.framework.TestCase.runBare(TestCase.java:134)
at junit.framework.TestResult$1.protect(TestResult.java:110)
at junit.framework.TestResult.runProtected(TestResult.java:128)
at junit.framework.TestResult.run(TestResult.java:113)
at junit.framework.TestCase.run(TestCase.java:124)
at junit.framework.TestSuite.runTest(TestSuite.java:243)
at junit.framework.TestSuite.run(TestSuite.java:238)
at org.junit.internal.runners.JUnit38ClassRunner.run(JUnit38ClassRunner.java:83)
at org.apache.maven.surefire.junitcore.ClassDemarcatingRunner.run(ClassDemarcatingRunner.java:58)
at org.junit.runners.Suite.runChild(Suite.java:128)
at org.junit.runners.Suite.runChild(Suite.java:24)
at org.junit.runners.ParentRunner$3.run(ParentRunner.java:231)
at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:439)
at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:303)
at java.util.concurrent.FutureTask.run(FutureTask.java:138)
at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:895)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:918)
at java.lang.Thread.run(Thread.java:695)
{noformat}
However, it is excluded by default for other reasons anyway, so it should at least not affect test-patch for now. As part of resolving this, it would be good to update test-patch/Jenkins to run {{TestZKUtilsWithSecurity}} as well (but separately in its own JVM).
> Update Curator to 2.3.1 when its available to fix security hole
> ---------------------------------------------------------------
>
> Key: OOZIE-1608
> URL: https://issues.apache.org/jira/browse/OOZIE-1608
> Project: Oozie
> Issue Type: Bug
> Components: HA, security
> Affects Versions: trunk
> Reporter: Robert Kanter
> Assignee: Robert Kanter
> Priority: Blocker
>
> As I discovered when working on OOZIE-1491, there is a Curator bug (CURATOR-58) without which the ZooKeeper locks will always have world ACLs even with Kerberos enabled. This could allow a malicious user to acquire one of the locks and never release it, thus preventing Oozie from continuing to process the job associated with that lock.
> I've verified that CURATOR-58 fixes the problem, and the locks have the correct "sasl" ACLs, but it won't be available until Curator 2.3.1 is released. We should make sure to update to Curator 2.3.1 as soon as possible to fix this security hole.
--
This message was sent by Atlassian JIRA
(v6.1#6144)