ranger-security: exclude jackson-jaxrs from + fix outdated documentat…

…ion (apache#15481) * Excluding jackson-jaxrs dependency from ranger-plugin-common to address CVE regression introduced by ranger-upgrade: CVE-2019-10202, CVE-2019-10172 * remove the reference to outdated ranger 2.0 from the docs --------- Co-authored-by: Xavier Léauté <xl+github@xvrl.net>
confluentinc · Dec 19, 2023 · 39103f0 · 39103f0
1 parent b1b897b
commit 39103f0
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/docs/development/extensions-core/druid-ranger-security.md b/docs/development/extensions-core/druid-ranger-security.md
@@ -21,24 +21,21 @@ title: "Apache Ranger Security"
   ~ specific language governing permissions and limitations
   ~ under the License.
   -->
-  
+
 This Apache Druid extension adds an Authorizer which implements access control for Druid, backed by [Apache Ranger](https://ranger.apache.org/). Please see [Authentication and Authorization](../../operations/auth.md) for more information on the basic facilities this extension provides.
 
 Make sure to [include](../../configuration/extensions.md#loading-extensions) `druid-ranger-security` in the extensions load list.
 
-:::info
- The latest release of Apache Ranger is at the time of writing version 2.0. This version has a dependency on `log4j 1.2.17` which has a vulnerability if you configure it to use a `SocketServer` (CVE-2019-17571). Next to that, it also includes Kafka 2.0.0 which has 2 known vulnerabilities (CVE-2019-12399, CVE-2018-17196). Kafka can be used by the audit component in Ranger, but is not required.
-:::
 
 ## Configuration
 
-Support for Apache Ranger authorization consists of three elements: 
+Support for Apache Ranger authorization consists of three elements:
 * configuring the extension in Apache Druid
 * configuring the connection to Apache Ranger
 * providing the service definition for Druid to Apache Ranger
- 
+
 ### Enabling the extension
-Ensure that you have a valid authenticator chain and escalator set in your `common.runtime.properties`. For every authenticator your wish to use the authorizer for, set `druid.auth.authenticator.<authenticatorName>.authorizerName` to the name you will give the authorizer, e.g. `ranger`. 
+Ensure that you have a valid authenticator chain and escalator set in your `common.runtime.properties`. For every authenticator your wish to use the authorizer for, set `druid.auth.authenticator.<authenticatorName>.authorizerName` to the name you will give the authorizer, e.g. `ranger`.
 
 Then add the following and amend to your needs (in case you need to use multiple authorizers):
 

diff --git a/extensions-core/druid-ranger-security/pom.xml b/extensions-core/druid-ranger-security/pom.xml
@@ -160,6 +160,13 @@
                     <groupId>org.elasticsearch.plugin</groupId>
                     <artifactId>*</artifactId>
                 </exclusion>
+                <!-- excluding to address CVE-2019-10202, CVE-2019-10172 in jackson-jaxrs 1.9.x
+                     jackson-jaxrs is used by ranger-plugins accessing
+                RangerRESTClient class. This should not be needed in an authorizer -->
+                <exclusion>
+                    <groupId>org.codehaus.jackson</groupId>
+                    <artifactId>jackson-jaxrs</artifactId>
+                </exclusion>
             </exclusions>
         </dependency>
         <dependency>