From 39103f099cd81cf7a8d5ca3f8abcde43d1131657 Mon Sep 17 00:00:00 2001 From: Jan Werner <105367074+janjwerner-confluent@users.noreply.github.com> Date: Tue, 5 Dec 2023 11:24:37 -0500 Subject: [PATCH] ranger-security: exclude jackson-jaxrs from + fix outdated documentation (#15481) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit * Excluding jackson-jaxrs dependency from ranger-plugin-common to address CVE regression introduced by ranger-upgrade: CVE-2019-10202, CVE-2019-10172 * remove the reference to outdated ranger 2.0 from the docs --------- Co-authored-by: Xavier Léauté --- .../extensions-core/druid-ranger-security.md | 11 ++++------- extensions-core/druid-ranger-security/pom.xml | 7 +++++++ 2 files changed, 11 insertions(+), 7 deletions(-) diff --git a/docs/development/extensions-core/druid-ranger-security.md b/docs/development/extensions-core/druid-ranger-security.md index a78e2efd45a8..502358f801f4 100644 --- a/docs/development/extensions-core/druid-ranger-security.md +++ b/docs/development/extensions-core/druid-ranger-security.md 
@@ -21,24 +21,21 @@ title: "Apache Ranger Security" ~ specific language governing permissions and limitations ~ under the License. --> - + This Apache Druid extension adds an Authorizer which implements access control for Druid, backed by [Apache Ranger](https://ranger.apache.org/). Please see [Authentication and Authorization](../../operations/auth.md) for more information on the basic facilities this extension provides. Make sure to [include](../../configuration/extensions.md#loading-extensions) `druid-ranger-security` in the extensions load list. -:::info - The latest release of Apache Ranger is at the time of writing version 2.0. This version has a dependency on `log4j 1.2.17` which has a vulnerability if you configure it to use a `SocketServer` (CVE-2019-17571). Next to that, it also includes Kafka 2.0.0 which has 2 known vulnerabilities (CVE-2019-12399, CVE-2018-17196). Kafka can be used by the audit component in Ranger, but is not required. -::: ## Configuration -Support for Apache Ranger authorization consists of three elements: +Support for Apache Ranger authorization consists of three elements: * configuring the extension in Apache Druid * configuring the connection to Apache Ranger * providing the service definition for Druid to Apache Ranger - + ### Enabling the extension -Ensure that you have a valid authenticator chain and escalator set in your `common.runtime.properties`. For every authenticator your wish to use the authorizer for, set `druid.auth.authenticator..authorizerName` to the name you will give the authorizer, e.g. `ranger`. +Ensure that you have a valid authenticator chain and escalator set in your `common.runtime.properties`. For every authenticator your wish to use the authorizer for, set `druid.auth.authenticator..authorizerName` to the name you will give the authorizer, e.g. `ranger`. Then add the following and amend to your needs (in case you need to use multiple authorizers): 
diff --git a/extensions-core/druid-ranger-security/pom.xml b/extensions-core/druid-ranger-security/pom.xml index 809dc25e9a0d..919bec334828 100644 --- a/extensions-core/druid-ranger-security/pom.xml +++ b/extensions-core/druid-ranger-security/pom.xml @@ -160,6 +160,13 @@ org.elasticsearch.plugin * + + + org.codehaus.jackson + jackson-jaxrs +
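Review bot: in the druid-ranger-security.md hunk, the "Enabling the extension" paragraph is re-added with only a whitespace change, so the typo "For every authenticator your wish to use" carries over into the new line; since the line is being touched anyway, change it to "you wish to use". Separately, the removed info block was the only place the page said which Ranger release the CVE statements applied to. Dropping the stale 2.0 text is reasonable, but the hunk leaves no statement of which Ranger version the extension is now built against, so a reader cannot tell whether CVE-2019-17571, CVE-2019-12399 and CVE-2018-17196 still matter for their deployment. Consider a one-line note naming the bundled Ranger version.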
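Review bot: in the pom.xml hunk at line 160, the new exclusion of org.codehaus.jackson:jackson-jaxrs is applied by hand to a single dependency, and nothing visible in the change stops the artifact from coming back through another transitive path or a later Ranger upgrade, which is how the commit message says CVE-2019-10202 and CVE-2019-10172 were reintroduced in the first place. Consider backing the exclusion with a maven-enforcer-plugin bannedDependencies rule for org.codehaus.jackson:jackson-jaxrs, or at least confirm with mvn dependency:tree that it is absent from the resolved tree of this module. It would also help to state in the PR that the Ranger plugin was exercised with the artifact excluded, since a missing class from an excluded jar only shows up at runtime.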