hbase-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Matteo Bertozzi (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HBASE-14347) Add a switch to DynamicClassLoader to disable it and make that the default
Date Fri, 02 Oct 2015 15:01:27 GMT

    [ https://issues.apache.org/jira/browse/HBASE-14347?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14941226#comment-14941226

Matteo Bertozzi commented on HBASE-14347:

+1 on the patch for 1.x branches, since it does not change any behavior.

for 2.x we probably want to do some changes. the DynamicLoader seems to not be needed on the
client side, so we should force that to "not enabled". but on the server side we probably
want that still on, to allow user filters and so on. do we have any alternative to copy local
instead of forcing that "not enable" with security reason as motivation? how one is supposed
to use custom filters in a "secure" environment otherwise?

> Add a switch to DynamicClassLoader to disable it and make that the default
> --------------------------------------------------------------------------
>                 Key: HBASE-14347
>                 URL: https://issues.apache.org/jira/browse/HBASE-14347
>             Project: HBase
>          Issue Type: Bug
>          Components: Client, defaults, regionserver
>    Affects Versions: 2.0.0, 1.2.0, 1.1.2, 0.98.15, 1.0.3
>            Reporter: Esteban Gutierrez
>            Assignee: Esteban Gutierrez
>         Attachments: HBASE-14347-v001.patch
> Since HBASE-1936 we have the option to load jars dynamically by default from HDFS or
the local filesystem, however hbase.dynamic.jars.dir points to a directory that could be world
writable it potentially opens a security problem in both the client side and the RS. We should
consider to have a switch to enable or disable this option and it should be off by default.

This message was sent by Atlassian JIRA

View raw message