accumulo-notifications mailing list archives

From "Josh Elser (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (ACCUMULO-3631) Exclude 'slf4j' artifacts from classpath in default value for general.classpaths
Date Mon, 02 Mar 2015 22:29:05 GMT

    [ https://issues.apache.org/jira/browse/ACCUMULO-3631?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14343904#comment-14343904 ]

Josh Elser commented on ACCUMULO-3631:
--------------------------------------

I thought about this some more over the weekend, and came up with the following. The value
for this property will be the default value when {{accumulo-site.xml}} is not on the classpath
or {{general.classpaths}} was omitted from the file (regardless of the execution context --
client or server).

I could see the former leading to "unexpected" consequences (a user is "tricked" into not
having accumulo-site.xml on their classpath, a malicious user places their own jar in one
of the added paths, and code is executed unintentionally). The mitigation here is that all
of the newly added paths are rooted under "/usr" which is typically only writable by root,
so this risk is low.

The latter (general.classpaths not being defined at all) is probably not valid for security-minded
users because someone who has any concern WRT security knows how bad it is to not control
the classpath being used. In other words, if {{general.classpaths}} is not defined, I believe
it can reasonably be asserted that the user doesn't really care about this instance.

I'm willing to remove the additional classpath entries, I just want to make sure we're removing
them for sensible reasons and not just a knee-jerk reaction.

> Exclude 'slf4j' artifacts from classpath in default value for general.classpaths
> --------------------------------------------------------------------------------
>
>                 Key: ACCUMULO-3631
>                 URL: https://issues.apache.org/jira/browse/ACCUMULO-3631
>             Project: Accumulo
>          Issue Type: Bug
>    Affects Versions: 1.6.0, 1.6.1, 1.6.2
>            Reporter: Josh Elser
>            Assignee: Josh Elser
>            Priority: Blocker
>             Fix For: 1.7.0, 1.6.3
>
>          Time Spent: 20m
>  Remaining Estimate: 0h
>
> Was testing out some Ambari integration for Accumulo that [~billie.rinaldi] and [~mwaineo]
> have been working on (AMBARI-5265) and found that, despite accumulo-site.xml having jars starting
> with slf4j excluded from the classpath, the shell would complain about duplicate slf4j-log4j12
> jars on the classpath.
> Turns out, because access to accumulo-site.xml was restricted (and we only had client.conf
> to use), we fell back on the default value for general.classpaths defined in AccumuloClassLoader.
> A short-term fix is to update the value there to match what's in our site template.
> I'll add another issue for a long term fix to add classpath support to client configuration.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
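
Added example (not part of the original message and not Accumulo code): the mitigation discussed above depends on every fallback classpath directory being writable only by root, so this sketch audits a list of classpath entries for directories that another user could write to. It assumes each entry has the form <directory>/<file pattern>; the function names and sample paths are hypothetical.

```python
import os
import stat

def dir_findings(path, trusted_uids, is_ancestor):
    """Return reasons why `path` lets an untrusted user plant or swap files."""
    st = os.stat(path)
    reasons = []
    if st.st_uid not in trusted_uids:
        reasons.append("owned by uid %d" % st.st_uid)
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        # A sticky ancestor (like /tmp) stops others renaming our subdirectory,
        # but a sticky classpath directory still accepts a newly dropped jar.
        if not (is_ancestor and st.st_mode & stat.S_ISVTX):
            reasons.append("world-writable")
    return reasons

def audit_classpath(entries, trusted_uids=frozenset({0}), stop_at="/"):
    """Map each risky directory to its findings.

    Assumption: an entry is <directory>/<file pattern>. The directory and its
    ancestors up to `stop_at` are checked. A missing directory is reported,
    because whoever creates it later controls what gets loaded from it.
    """
    findings = {}
    stop_at = os.path.realpath(stop_at)
    for entry in entries:
        current = os.path.realpath(os.path.dirname(entry))
        is_ancestor = False
        while True:
            if current not in findings:
                if not os.path.isdir(current):
                    reasons = ["does not exist"]
                else:
                    reasons = dir_findings(current, trusted_uids, is_ancestor)
                if reasons:
                    findings[current] = reasons
            parent = os.path.dirname(current)
            if current == stop_at or parent == current:
                break
            current, is_ancestor = parent, True
    return findings

if __name__ == "__main__":
    # Constructed sample entries, not the real default for general.classpaths.
    sample = ["/usr/lib/example/lib/.*.jar", "/usr/share/example/.*.jar"]
    for directory, reasons in sorted(audit_classpath(sample).items()):
        print(directory, "->", ", ".join(reasons))
```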
