ranger-security: exclude jackson-jaxrs from + fix outdated documentation (#15481)

* Excluding jackson-jaxrs dependency from ranger-plugin-common to address CVE regression introduced by ranger-upgrade: CVE-2019-10202, CVE-2019-10172
* remove the reference to outdated ranger 2.0 from the docs

---------

Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
Jan Werner 2023-12-05 11:24:37 -05:00 committed by GitHub
parent 77b929f494
commit f4856bc1c1
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 11 additions and 7 deletions


@ -21,24 +21,21 @@ title: "Apache Ranger Security"
~ specific language governing permissions and limitations
~ under the License.
-->
This Apache Druid extension adds an Authorizer which implements access control for Druid, backed by [Apache Ranger](https://ranger.apache.org/). Please see [Authentication and Authorization](../../operations/auth.md) for more information on the basic facilities this extension provides.
Make sure to [include](../../configuration/extensions.md#loading-extensions) `druid-ranger-security` in the extensions load list.
:::info
The latest release of Apache Ranger is at the time of writing version 2.0. This version has a dependency on `log4j 1.2.17` which has a vulnerability if you configure it to use a `SocketServer` (CVE-2019-17571). Next to that, it also includes Kafka 2.0.0 which has 2 known vulnerabilities (CVE-2019-12399, CVE-2018-17196). Kafka can be used by the audit component in Ranger, but is not required.
:::
## Configuration
Support for Apache Ranger authorization consists of three elements:
Support for Apache Ranger authorization consists of three elements:
* configuring the extension in Apache Druid
* configuring the connection to Apache Ranger
* providing the service definition for Druid to Apache Ranger
### Enabling the extension
Ensure that you have a valid authenticator chain and escalator set in your `common.runtime.properties`. For every authenticator your wish to use the authorizer for, set `druid.auth.authenticator.<authenticatorName>.authorizerName` to the name you will give the authorizer, e.g. `ranger`.
Ensure that you have a valid authenticator chain and escalator set in your `common.runtime.properties`. For every authenticator your wish to use the authorizer for, set `druid.auth.authenticator.<authenticatorName>.authorizerName` to the name you will give the authorizer, e.g. `ranger`.
Then add the following and amend to your needs (in case you need to use multiple authorizers):

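Review bot: the typo "your wish" is carried into the new text of the `Ensure that you have a valid authenticator chain and escalator set` line ("For every authenticator your wish to use the authorizer for"); since that line is already part of this hunk, change it to "you wish". Separately, the hunk header (`-21,24 +21,21`) shows a net removal of three lines, which matches the `:::info` block about Ranger 2.0 and its log4j/Kafka CVEs. Dropping the block entirely also drops the one operational statement in it that does not age, namely that Kafka is used only by the Ranger audit component and is not required; consider keeping a version-neutral sentence to that effect so operators know which transitive dependencies they can leave out.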

@ -160,6 +160,13 @@
<groupId>org.elasticsearch.plugin</groupId>
<artifactId>*</artifactId>
</exclusion>
<!-- excluding to address CVE-2019-10202, CVE-2019-10172 in jackson-jaxrs 1.9.x
jackson-jaxrs is used by ranger-plugins accessing
RangerRESTClient class. This should not be needed in an authorizer -->
<exclusion>
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-jaxrs</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
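Review bot: the justification in the new comment is internally inconsistent: it first states that jackson-jaxrs "is used by ranger-plugins accessing RangerRESTClient class" and then that it "should not be needed in an authorizer", but the authorizer being built here is itself a Ranger plugin. Replace "This should not be needed" with a statement of how the exclusion was verified (for example, that policy download and refresh from Ranger Admin were exercised with the exclusion in place), so the next person touching this pom does not have to re-derive whether the REST client path is live. Also confirm with `mvn dependency:tree` that jackson-jaxrs is the only path bringing the affected 1.9.x codehaus Jackson artifacts onto the classpath; if they remain reachable through another dependency, the CVE-2019-10202 / CVE-2019-10172 finding will persist despite this exclusion.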