flink-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From GitBox <...@apache.org>
Subject [GitHub] [flink] twalthr opened a new pull request #16012: [FLINK-21142][connector-hive] Hide Guava from Hadoop and security tools
Date Thu, 27 May 2021 12:44:12 GMT

twalthr opened a new pull request #16012:
URL: https://github.com/apache/flink/pull/16012


   ## What is the purpose of the change
   
   Some security tools complain that the Guava version in Hive has known vulnerabilities.
Also, as seen in the JIRA issue, users are complaining about the Guava version clashing with
Hadoop 3.3. There a couple of guides that simply suggest to replace the Guava version:
   
   https://kontext.tech/column/hadoop/561/apache-hive-312-installation-on-linux-guide
   
   http://www.mtitek.com/tutorials/bigdata/hive/install.php
   
   Of course this is not officially supported. But by excluding Guava in our SQL connector
JARs we make both security scanning tools and partially users happy. Apparently, Guava classes
are still present in the JAR after exclusion (some issue on the Hive side?) therefore we additionally
relocate them and have a high chance that Hive fully works after this change.
   
   The issue should be solved after Hive 4.0.0.
   
   ## Brief change log
   
   Rely on the Hadoop's Guava + relocate non-excluded Guava classes.
   
   ## Verifying this change
   
   This change is a trivial rework / code cleanup without any test coverage.
   
   ## Does this pull request potentially affect one of the following parts:
   
     - Dependencies (does it add or upgrade a dependency): yes
     - The public API, i.e., is any changed class annotated with `@Public(Evolving)`: no
     - The serializers: no
     - The runtime per-record code paths (performance sensitive): no
     - Anything that affects deployment or recovery: JobManager (and its components), Checkpointing,
Kubernetes/Yarn/Mesos, ZooKeeper: no
     - The S3 file system connector: no
   
   ## Documentation
   
     - Does this pull request introduce a new feature? no
     - If yes, how is the feature documented? not applicable
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

For queries about this service, please contact Infrastructure at:
users@infra.apache.org



Mime
View raw message