[ 
https://issues.apache.org/jira/browse/SENTRY-2194?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Kalyan Kalvagadda updated SENTRY-2194:
--------------------------------------
    Fix Version/s: 2.2.0

> Upgrade Sentry hadoop-version dependency to 2.7.5
> -------------------------------------------------
>
>                 Key: SENTRY-2194
>                 URL: https://issues.apache.org/jira/browse/SENTRY-2194
>             Project: Sentry
>          Issue Type: Improvement
>    Affects Versions: 2.1.0
>            Reporter: Arjun Mishra
>            Assignee: Arjun Mishra
>            Priority: Major
>             Fix For: 2.2.0
>
>         Attachments: SENTRY-2194.01.patch, SENTRY-2194.02.patch
>
>
> Sentry clients use the Configuration class defined in the hadoop-common code base 
> to parse or read configuration files. The Hadoop community has made improvements, 
> particularly to enhance security. The change introduces a new boolean 
> attribute restrictParser. Setting restrictParser to true will:
> * Limit XML parsing to conform with feature 
> "http://apache.org/xml/features/disallow-doctype-decl"
> ** This is a security feature explained here - 
> https://www.owasp.org/index.php/XML_External_Entity_(XXE)_Prevention_Cheat_Sheet
> * boolean restrictSystemProps is set to true
> ** Will prevent system properties from being read
> * set XML inclusion (XInclude) to false
> ** prevent merging of xml documents
> This change is currently included in hadoop-version 2.7.5. There is a new 
> implementation of the addResources method to allow the setting of the restrictParser 
> boolean. Sentry is currently using hadoop-version 2.7.2. Bumping this version 
> up and making appropriate changes will allow Sentry to take advantage of this 
> feature.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
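
As an added example (not Hadoop's or Sentry's code, and not part of the original message), this Java program configures a JAXP `DocumentBuilderFactory` with the two XML parser restrictions the issue lists, the `disallow-doctype-decl` feature and XInclude turned off, and parses two constructed configuration documents. The class name, method names and the property `sentry.example.key` are assumptions made for the example.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import javax.xml.parsers.DocumentBuilder;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.Document;
import org.xml.sax.SAXException;

public class RestrictedConfigParserDemo {
    // Feature named in the issue description.
    static final String DISALLOW_DOCTYPE =
        "http://apache.org/xml/features/disallow-doctype-decl";

    // Hypothetical helper: a parser with the XML restrictions from the issue.
    static DocumentBuilder restrictedBuilder() throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setFeature(DISALLOW_DOCTYPE, true); // any DOCTYPE is a fatal error
        f.setXIncludeAware(false);            // no merging of other XML documents
        return f.newDocumentBuilder();
    }

    // Parses one configuration document and reports the outcome.
    static String parse(String xml) throws Exception {
        byte[] bytes = xml.getBytes(StandardCharsets.UTF_8);
        try {
            Document d = restrictedBuilder().parse(new ByteArrayInputStream(bytes));
            String value = d.getElementsByTagName("value").item(0).getTextContent();
            return "accepted, value=" + value;
        } catch (SAXException e) {
            // The parser refuses the document before any entity is expanded.
            return "rejected: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample input: an ordinary Hadoop-style configuration file.
        String plain = "<configuration><property>"
            + "<name>sentry.example.key</name><value>v1</value>"
            + "</property></configuration>";
        // Constructed sample input: the same file with a DOCTYPE that declares
        // an internal entity; the restricted parser must not accept it.
        String withDoctype = "<!DOCTYPE configuration [<!ENTITY e \"expanded\">]>"
            + "<configuration><property>"
            + "<name>sentry.example.key</name><value>&e;</value>"
            + "</property></configuration>";

        System.out.println(parse(plain));
        System.out.println(parse(withDoctype));
    }
}
```

The first document parses normally; the second is rejected with a `SAXParseException` because the DOCTYPE declaration itself is disallowed, which is the behaviour the XXE prevention guidance linked in the issue relies on.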
