Commit Graph

880 Commits

Author SHA1 Message Date
Murali Krishna
1baf0e889f
HADOOP-18962. Upgrade kafka to 3.4.0 (#6247)
Upgrade Kafka Client due to CVEs

* CVE-2023-25194
* CVE-2021-38153
* CVE-2018-17196

Contributed by Murali Krishna
2024-05-24 17:40:37 +01:00
slfan1989
be28467374
Revert "Bump org.apache.derby:derby in /hadoop-project (#6816)" (#6841)
This reverts commit b5a90d9500.
2024-05-21 08:46:14 +08:00
Steve Loughran
cfdf1f5e8e
HADOOP-19172. S3A: upgrade AWS v1 sdk to 1.12.720 (#6823)
+remove reference in LICENSE-binary as it is no longer shipped

Contributed by Steve Loughran
2024-05-15 14:40:39 +01:00
dependabot[bot]
b5a90d9500
Bump org.apache.derby:derby in /hadoop-project (#6816)
Bumps org.apache.derby:derby from 10.14.2.0 to 10.17.1.0.

---
updated-dependencies:
- dependency-name: org.apache.derby:derby
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-13 12:47:31 +08:00
dependabot[bot]
1d09a64e34
Bump org.bouncycastle:bcprov-jdk18on in /hadoop-project (#6811)
Bumps [org.bouncycastle:bcprov-jdk18on](https://github.com/bcgit/bc-java) from 1.77 to 1.78.
- [Changelog](https://github.com/bcgit/bc-java/blob/main/docs/releasenotes.html)
- [Commits](https://github.com/bcgit/bc-java/commits)

---
updated-dependencies:
- dependency-name: org.bouncycastle:bcprov-jdk18on
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
2024-05-12 18:38:36 +05:30
Doroszlai, Attila
2645898450
HADOOP-19160. hadoop-auth should not depend on kerb-simplekdc (#6788) 2024-05-03 12:57:26 +02:00
slfan1989
88ad7db80d
HADOOP-19071. Update maven-surefire-plugin from 3.0.0 to 3.2.5. (#6664) Contributed by Shilun Fan.
Reviewed-by: Steve Loughran <stevel@cloudera.com>
Reviewed-by: Ayush Saxena <ayushsaxena@apache.org>
Signed-off-by: Shilun Fan <slfan1989@apache.org>
2024-04-27 20:30:21 +08:00
Ayush Saxena
eec9cd2997
HADOOP-19107. Drop support for HBase v1 & upgrade HBase v2 (#6629). Contributed by Ayush Saxena 2024-04-22 21:55:58 +05:30
slfan1989
a1ae35e691
HADOOP-19135. Remove Jcache 1.0-alpha. (#6695) Contributed by Shilun Fan.
Reviewed-by: Steve Loughran <stevel@cloudera.com>
Signed-off-by: Shilun Fan <slfan1989@apache.org>
2024-04-05 22:09:15 +08:00
PJ Fanning
eede5b1315
HADOOP-19114. Upgrade to commons-compress 1.26.1 due to CVEs. (#6636)
This addresses two CVEs triggered by malformed archives

Important: Denial of Service CVE-2024-25710
Moderate: Denial of Service CVE-2024-26308

Contributed by PJ Fanning
2024-04-03 19:32:15 +01:00
PJ Fanning
1357bb162d
HADOOP-19123. Update to commons-configuration2 2.10.1 due to CVE (#6661). Contributed by PJ Fanning
Reviewed-by: Shilun Fan <slfan1989@apache.org>
Signed-off-by: Ayush Saxena <ayushsaxena@apache.org>
2024-04-03 01:20:00 +05:30
PJ Fanning
06db6289cb
HADOOP-19024. Use bouncycastle jdk18 1.77 (#6410). Contributed 2024-03-30 19:58:12 +05:30
slfan1989
347521c95d
HADOOP-19124. Update org.ehcache from 3.3.1 to 3.8.2. (#6665) 2024-03-28 21:56:12 -04:00
PJ Fanning
5bfca65692
HADOOP-19115. Upgrade to nimbus-jose-jwt 9.37.2 due to CVE-2023-52428. (#6637)
Contributed by PJ Fanning
2024-03-27 10:30:55 +00:00
PJ Fanning
7653f968e5
HADOOP-19116. Update to zookeeper client 3.8.4 due to CVE-2024-23944. (#6638)
Updated ZK client dependency to 3.8.4 to address  CVE-2024-23944.

Contributed by PJ Fanning
2024-03-25 15:10:56 +00:00
PJ Fanning
e28c78f9a2
HADOOP-19088. Use jersey-json 1.22.0 (#6585)
Contributed by pjfanning
2024-03-12 20:16:47 +00:00
PJ Fanning
fc166d3aec
HADOOP-19090. Use protobuf-java 3.23.4. (#6593). Contributed by PJ Fanning. 2024-03-07 15:09:01 +05:30
HarshitGupta11
d974a12f39
HADOOP-19082: S3A: Update AWS SDK V2 to 2.24.6 (#6568)
Update the AWS SDK to 2.24.6 from 2.23.5 for latest updates in packaging w.r.t. IMDS module.

Contributed by Harshit Gupta
2024-03-05 10:15:05 +00:00
Steve Loughran
a0ce2170db
HADOOP-19084. Prune hadoop-common transitive dependencies (#6574) (#6582)
Exclude more artifacts which are dependencies of hadoop-* modules,
with the goal of keeping conflict out of downstream applications.
    
In particular we have pruned the dependencies of of:
-zookeeper
-other libraries referencing logging

This keeps slf4j-log4j12 and log4j12 off the classpath
of applications importing hadoop-common.

Somehow logback references do still surface; applications
pulling in hadoop-common directly or indirectly should
review their imports carefully.

Contributed by Steve Loughran
2024-03-01 12:51:13 +00:00
slfan1989
10ab8abccd
Revert "HADOOP-19071. Update maven-surefire-plugin from 3.0.0 to 3.2.5. (#6537)" (#6578)
This reverts commit 555faf28ce.
2024-02-23 14:25:15 +08:00
Steve Loughran
095dfcca30
HADOOP-18088. Replace log4j 1.x with reload4j. (#4052)
Co-authored-by: Wei-Chiu Chuang <weichiu@apache.org>


Includes HADOOP-18354. Upgrade reload4j to 1.22.2 due to XXE vulnerability (#4607). 

Log4j 1.2.17 has been replaced by reloadj 1.22.2
SLF4J is at 1.7.36
2024-02-13 16:33:51 +00:00
slfan1989
555faf28ce
HADOOP-19071. Update maven-surefire-plugin from 3.0.0 to 3.2.5. (#6537) Contributed by Shilun Fan
Reviewed-by: Steve Loughran <stevel@cloudera.com>
Signed-off-by: Shilun Fan <slfan1989@apache.org>
2024-02-11 07:41:46 +08:00
Adnan Hemani
50d256ef3c
HADOOP-19059. S3A: Update AWS Java SDK to 2.23.19 (#6538)
Contributed by Adnan Hemani
2024-02-08 20:38:37 +00:00
slfan1989
8011b21c52
HADOOP-19069. Use hadoop-thirdparty 1.2.0. (#6533) Contributed by Shilun Fan
Reviewed-by: He Xiaoqiao <hexiaoqiao@apache.org>
Signed-off-by: Shilun Fan <slfan1989@apache.org>
2024-02-08 19:18:04 +08:00
Takanobu Asanuma
2f1718c363
HADOOP-19056. Highlight RBF features and improvements targeting version 3.4. (#6512) Contributed by Takanobu Asanuma.
Signed-off-by: Shilun Fan <slfan1989@apache.org>
2024-01-31 13:30:35 +08:00
Steve Loughran
8261229daa
HADOOP-18830. Cut S3 Select (#6144)
Cut out S3 Select
* leave public/unstable constants alone
* s3guard tool will fail with error
* s3afs. path capability will fail
* openFile() will fail with specific error
* s3 select doc updated
* Cut eventstream jar
* New test: ITestSelectUnsupported verifies new failure
  handling above

Contributed by Steve Loughran
2024-01-30 16:12:27 +00:00
Benjamin Teke
897f446d54
HADOOP-19051: Highlight Capacity Scheduler new features in release for the release 3.4.0 (#6500) Contributed by Benjamin Teke.
Signed-off-by: Shilun Fan <slfan1989@apache.org>
2024-01-26 13:33:55 +08:00
slfan1989
38f10c657e
HADOOP-19039. Hadoop 3.4.0 Highlight big features and improvements. (#6462) Contributed by Shilun Fan.
Reviewed-by: He Xiaoqiao <hexiaoqiao@apache.org>
Signed-off-by: Shilun Fan <slfan1989@apache.org>
2024-01-25 15:42:21 +08:00
Steve Loughran
d274f778c1
HADOOP-19046. S3A: update AWS V2 SDK to 2.23.5; v1 to 1.12.599 (#6467)
This update ensures that the timeout set in fs.s3a.connection.request.timeout is passed down
to calls to CreateSession made in the AWS SDK to get S3 Express session tokens.

Contributed by Steve Loughran
2024-01-21 19:00:34 +00:00
PJ Fanning
76691dfa14
HADOOP-18894: upgrade sshd-core due to CVEs (#6060) Contributed by PJ Fanning.
Reviewed-by: He Xiaoqiao <hexiaoqiao@apache.org>
Reviewed-by: Steve Loughran <stevel@cloudera.com>
Signed-off-by: Shilun Fan <slfan1989@apache.org>
2024-01-21 08:13:25 +08:00
slfan1989
8444f69511
Preparing for 3.5.0 development (#6411)
Co-authored-by: slfan1989 <slfan1989@apache.org>
2024-01-19 15:05:22 +08:00
Murali Krishna
9edcf42c78
HADOOP-18540. Upgrade Bouncy Castle to 1.70 (#5166)
This addresses
- [sonatype-2021-4916] CWE-327: Use of a Broken or Risky Cryptographic Algorithm
- [sonatype-2019-0673] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')

Contributed by Murali Krishna
2024-01-01 19:04:06 +00:00
Ayush Saxena
9a4d10763c
HADOOP-19020. Update the year to 2024. (#6397). Contributed by Ayush Saxena.
Reviewed-by: Ashutosh Gupta <ashugpt@amazon.com>
Reviewed-by: Shilun Fan <slfan1989@apache.org>
2024-01-01 12:51:54 +05:30
BilwaST
f52c7d3e9a
HADOOP-18613. Upgrade ZooKeeper to version 3.8.3 (#6296). Contributed by Bilwa S T.
Signed-off-by: Ayush Saxena <ayushsaxena@apache.org>
2023-12-19 23:01:28 +05:30
Steve Loughran
19b9e6a97b
HADOOP-19008. S3A: update aws-sdk version to 2.21.41 (#6334)
AWS SDK is now at 2.21.41.
Key change: log4j.properties settings are picked up.
2023-12-12 15:15:32 +00:00
ahmarsuhail
d25cba7e85
S3A: Upgrade AWS SDK version to 2.21.33 for Amazon S3 Express One Zone support (#6306)
With this upgrade, it is possible to connect to an Amazon S3 Express One Zone bucket.

Some tests from the S3A test suite will currently fail against a one zone bucket, as one zone buckets
do not support some S3 standard features (eg: SSE-KMS), and certain operations behave slightly
differently (eg: listMPU will return a directory that has incomplete MPUs).

Contributed by Ahmar Suhail
2023-11-29 13:16:19 +00:00
Steve Loughran
d634deea4e
HADOOP-18487. Protobuf 2.5 removal part 2: stop exporting protobuf-2.5 (#6185)
Followup to the previous HADOOP-18487 patch: changes the scope of
protobuf-2.5 in hadoop-common and elsewhere from "compile" to "provided".

This means that protobuf-2.5 is
* No longer included in hadoop distributions
* No longer exported by hadoop common POM files
* No longer exported transitively by other hadoop modules.
* No longer listed in LICENSE-binary.

Contributed by Steve Loughran
2023-11-06 17:52:05 +00:00
PJ Fanning
b9c9c42b29
HADOOP-18936. Upgrade to jetty 9.4.53 (#6181). Contributed by PJ Fanning.
Signed-off-by: Ayush Saxena <ayushsaxena@apache.org>
2023-10-29 13:09:12 +05:30
PJ Fanning
bbf905dc99
HADOOP-18933. upgrade to netty 4.1.100 due to CVE (#6173)
Mitigates Netty security advisory GHSA-xpw8-rcwv-8f8p
"HTTP/2 Rapid Reset Attack - DDoS vector in the HTTP/2 protocol due RST frames"

Contributed by PJ Fanning
2023-10-25 14:06:13 +01:00
Masatake Iwasaki
8bf72346a5
HADOOP-18942. Upgrade ZooKeeper to 3.7.2. (#6200)
Signed-off-by: Masatake Iwasaki <iwasakims@apache.org>
2023-10-19 18:47:45 +09:00
Masatake Iwasaki
13843f4a88
HADOOP-18867. Upgrade ZooKeeper to 3.6.4. (#5988) 2023-10-18 10:31:41 +09:00
Steve Loughran
42e695d510
HADOOP-18932. S3A. upgrade AWS v2 SDK to 2.20.160 and v1 to 1.12.565 (#6178)
v1 => 1.12.565
v2 => 2.20.160
Only the v2 one is distributed; v1 is needed in deployments only to support v1 credential providers

Contributed by Steve Loughran
2023-10-17 12:59:50 +01:00
Steve Loughran
9bc159f4ac
HADOOP-18487. Make protobuf 2.5 an optional runtime dependency. (#4996)
Protobuf 2.5 JAR is no longer needed at runtime. 

The option common.protobuf.scope defines whether the protobuf 2.5.0
dependency is marked as provided or not.

* New package org.apache.hadoop.ipc.internal for internal only protobuf classes
  ...with a ShadedProtobufHelper in there which has shaded protobuf refs
  only, so guaranteed not to need protobuf-2.5 on the CP
* All uses of org.apache.hadoop.ipc.ProtobufHelper have
  been replaced by uses of org.apache.hadoop.ipc.internal.ShadedProtobufHelper
* The scope of protobuf-2.5 is set by the option common.protobuf2.scope
  In this patch is it is still "compile"
* There is explicit reference to it in modules where it may be needed.
*  The maven scope of the dependency can be set with the common.protobuf2.scope
   option. It can be set to "provided" in a build:
       -Dcommon.protobuf2.scope=provided
* Add new ipc(callable) method to catch and convert shaded protobuf
  exceptions raised during invocation of the supplied lambda expression
* This is adopted in the code where the migration is not traumatically
  over-complex. RouterAdminProtocolTranslatorPB is left alone for this
  reason.

Contributed by Steve Loughran
2023-10-13 13:48:38 +01:00
PJ Fanning
2bf5a9ed11
HADOOP-18917. Upgrade to commons-io 2.14.0 (#6133). Contributed by PJ Fanning
Signed-off-by: Ayush Saxena <ayushsaxena@apache.org>
2023-10-06 01:58:21 +05:30
PJ Fanning
35c42e4039
HADOOP-18912. upgrade snappy-java to 1.1.10.4 (#6115). Contributed by PJ Fanning.
Signed-off-by: Ayush Saxena <ayushsaxena@apache.org>
2023-09-28 11:22:31 +05:30
Masatake Iwasaki
0c153fe465
YARN-11558. Fix dependency convergence error on hbase2 profile. (#6017) 2023-09-28 10:17:29 +09:00
PJ Fanning
c16484ffb2
HADOOP-18890. Remove use of okhttp in runtime code (#6057)
Contributed by PJ Fanning
2023-09-19 12:38:36 +01:00
PJ Fanning
dea446419f
HADOOP-18895. Upgrade to commons-compress 1.24.0 (#6062)
Contributed by PJ Fanning
2023-09-14 17:49:12 +01:00
PJ Fanning
56b928b86f
YARN-11498. Add exclusion for jettison everywhere jersey-json is loaded (#5786)
All uses  of jersey-json in the yarn and other hadoop modules now
exclude the obsolete org.codehaus.jettison/jettison and so avoid
all security issues which can come from the library.

Contributed by PJ Fanning
2023-09-13 18:10:24 +01:00
Steve Loughran
81d90fd65b
HADOOP-18073. S3A: Upgrade AWS SDK to V2 (#5995)
This patch migrates the S3A connector to use the V2 AWS SDK.

This is a significant change at the source code level.
Any applications using the internal extension/override points in
the filesystem connector are likely to break.

This includes but is not limited to:
- Code invoking methods on the S3AFileSystem class
  which used classes from the V1 SDK.
- The ability to define the factory for the `AmazonS3` client, and
  to retrieve it from the S3AFileSystem. There is a new factory
  API and a special interface S3AInternals to access a limited
  set of internal classes and operations.
- Delegation token and auditing extensions.
- Classes trying to integrate with the AWS SDK.

All standard V1 credential providers listed in the option 
fs.s3a.aws.credentials.provider will be automatically remapped to their
V2 equivalent.

Other V1 Credential Providers are supported, but only if the V1 SDK is
added back to the classpath.  

The SDK Signing plugin has changed; all v1 signers are incompatible.
There is no support for the S3 "v2" signing algorithm.

Finally, the aws-sdk-bundle JAR has been replaced by the shaded V2
equivalent, "bundle.jar", which is now exported by the hadoop-aws module.

Consult the document aws_sdk_upgrade for the full details.

Contributed by Ahmar Suhail + some bits by Steve Loughran
2023-09-11 14:30:25 +01:00