Address security vulnerabilities ()

* Address security vulnerabilities

Security vulnerabilities addressed by upgrading 3rd party libs:

- Upgrade avro-ipc to 1.9.1
  - sonatype-2019-0115
- Upgrade caffeine to 2.8.0
  - sonatype-2019-0282
- Upgrade commons-beanutils to 1.9.4
  - CVE-2014-0114
- Upgrade commons-codec to 1.13
  - sonatype-2012-0050
- Upgrade commons-compress to 1.19
  - CVE-2019-12402
  - sonatype-2018-0293
- Upgrade hadoop-common to 2.8.5
  - CVE-2018-11767
- Upgrade hadoop-mapreduce-client-core to 2.8.5
  - CVE-2017-3166
- Upgrade hibernate-validator to 5.2.5
  - CVE-2017-7536
- Upgrade httpclient to 4.5.10
  - sonatype-2017-0359
- Upgrade icu4j to 55.1
  - CVE-2014-8147
- Upgrade jackson-databind to 2.6.7.3
  - CVE-2017-7525
- Upgrade jetty-http to 9.4.12
  - CVE-2017-7657
  - CVE-2017-7658
  - CVE-2017-7656
  - CVE-2018-12545
- Upgrade log4j-core to 2.8.2
  - CVE-2017-5645
- Upgrade netty to 3.10.6
  - CVE-2015-2156
- Upgrade netty-common to 4.1.42
  - CVE-2019-9518
- Upgrade netty-codec-http to 4.1.42
  - CVE-2019-16869
- Upgrade nimbus-jose-jwt to 4.41.1
  - CVE-2017-12972
  - CVE-2017-12974
- Upgrade plexus-utils to 3.0.24
  - CVE-2017-1000487
  - sonatype-2015-0173
  - sonatype-2016-0398
- Upgrade postgresql to 42.2.8
  - CVE-2018-10936

Note that if users are using JDBC lookups with postgres, they may need
to update the JDBC jar used by the lookup extension.

* Fix license for postgresql
This commit is contained in:
Chi Cao Minh 2019-11-19 09:14:33 -08:00 committed by Gian Merlino
parent 98580ffe71
commit 8365bdf62a
18 changed files with 127 additions and 140 deletions
NOTICE
distribution/bin
docs
configuration
operations
tutorials
examples/quickstart/tutorial
extensions-core
druid-kerberos
hdfs-storage
postgresql-metadata-storage
indexing-service/src/main/java/org/apache/druid/indexing/common/config
licenses.yaml
licenses/bin
pom.xml
server/src/test/java/org/apache/druid
services/src/main/java/org/apache/druid/cli

2
NOTICE

@ -26,7 +26,7 @@ Copyright 2014-2019 The Apache Software Foundation
================= Apache Hadoop 2.8.3 =================
================= Apache Hadoop 2.8.5 =================
Apache Hadoop
Copyright 2009-2017 The Apache Software Foundation


@ -227,6 +227,7 @@ def build_compatible_license_names():
compatible_licenses['Public Domain'] = 'Public Domain'
compatible_licenses['BSD-2-Clause License'] = 'BSD-2-Clause License'
compatible_licenses['BSD-2-Clause'] = 'BSD-2-Clause License'
compatible_licenses['BSD-3-Clause License'] = 'BSD-3-Clause License'
compatible_licenses['New BSD license'] = 'BSD-3-Clause License'
@ -408,4 +409,4 @@ if __name__ == "__main__":
check_licenses(license_yaml, dependency_reports_root)
except KeyboardInterrupt:
print('Interrupted, closing.')
print('Interrupted, closing.')


@ -1193,7 +1193,7 @@ Additional peon configs include:
|`druid.peon.mode`|Choices are "local" and "remote". Setting this to local means you intend to run the peon as a standalone process (Not recommended).|remote|
|`druid.indexer.task.baseDir`|Base temporary working directory.|`System.getProperty("java.io.tmpdir")`|
|`druid.indexer.task.baseTaskDir`|Base temporary working directory for tasks.|`${druid.indexer.task.baseDir}/persistent/tasks`|
|`druid.indexer.task.defaultHadoopCoordinates`|Hadoop version to use with HadoopIndexTasks that do not request a particular version.|org.apache.hadoop:hadoop-client:2.8.3|
|`druid.indexer.task.defaultHadoopCoordinates`|Hadoop version to use with HadoopIndexTasks that do not request a particular version.|org.apache.hadoop:hadoop-client:2.8.5|
|`druid.indexer.task.defaultRowFlushBoundary`|Highest row count before persisting to disk. Used for indexing generating tasks.|75000|
|`druid.indexer.task.directoryLockTimeout`|Wait this long for zombie peons to exit before giving up on their replacements.|PT10M|
|`druid.indexer.task.gracefulShutdownTimeout`|Wait this long on middleManager restart for restorable tasks to gracefully exit.|PT5M|
@ -1254,7 +1254,7 @@ then the value from the configuration below is used:
|`druid.worker.numConcurrentMerges`|Maximum number of segment persist or merge operations that can run concurrently across all tasks.|`druid.worker.capacity` / 2, rounded down|
|`druid.indexer.task.baseDir`|Base temporary working directory.|`System.getProperty("java.io.tmpdir")`|
|`druid.indexer.task.baseTaskDir`|Base temporary working directory for tasks.|`${druid.indexer.task.baseDir}/persistent/tasks`|
|`druid.indexer.task.defaultHadoopCoordinates`|Hadoop version to use with HadoopIndexTasks that do not request a particular version.|org.apache.hadoop:hadoop-client:2.8.3|
|`druid.indexer.task.defaultHadoopCoordinates`|Hadoop version to use with HadoopIndexTasks that do not request a particular version.|org.apache.hadoop:hadoop-client:2.8.5|
|`druid.indexer.task.gracefulShutdownTimeout`|Wait this long on Indexer restart for restorable tasks to gracefully exit.|PT5M|
|`druid.indexer.task.hadoopWorkingPath`|Temporary working directory for Hadoop tasks.|`/tmp/druid-indexing`|
|`druid.indexer.task.restoreTasksOnRestart`|If true, the Indexer will attempt to stop tasks gracefully on shutdown and restore them on restart.|false|


@ -89,7 +89,7 @@ classloader.
2. Batch ingestion uses jars from `hadoop-dependencies/` to submit Map/Reduce jobs (location customizable via the
`druid.extensions.hadoopDependenciesDir` runtime property; see [Configuration](../configuration/index.html#extensions)).
`hadoop-client:2.8.3` is the default version of the Hadoop client bundled with Druid for both purposes. This works with
`hadoop-client:2.8.5` is the default version of the Hadoop client bundled with Druid for both purposes. This works with
many Hadoop distributions (the version does not necessarily need to match), but if you run into issues, you can instead
have Druid load libraries that exactly match your distribution. To do this, either copy the jars from your Hadoop
cluster, or use the `pull-deps` tool to download the jars from a Maven repository.


@ -38,18 +38,18 @@ Once the Docker install is complete, please proceed to the next steps in the tut
## Build the Hadoop docker image
For this tutorial, we've provided a Dockerfile for a Hadoop 2.8.3 cluster, which we'll use to run the batch indexing task.
For this tutorial, we've provided a Dockerfile for a Hadoop 2.8.5 cluster, which we'll use to run the batch indexing task.
This Dockerfile and related files are located at `quickstart/tutorial/hadoop/docker`.
From the apache-druid-{{DRUIDVERSION}} package root, run the following commands to build a Docker image named "druid-hadoop-demo" with version tag "2.8.3":
From the apache-druid-{{DRUIDVERSION}} package root, run the following commands to build a Docker image named "druid-hadoop-demo" with version tag "2.8.5":
```bash
cd quickstart/tutorial/hadoop/docker
docker build -t druid-hadoop-demo:2.8.3 .
docker build -t druid-hadoop-demo:2.8.5 .
```
This will start building the Hadoop image. Once the image build is done, you should see the message `Successfully tagged druid-hadoop-demo:2.8.3` printed to the console.
This will start building the Hadoop image. Once the image build is done, you should see the message `Successfully tagged druid-hadoop-demo:2.8.5` printed to the console.
## Setup the Hadoop docker cluster
@ -77,7 +77,7 @@ On the host machine, add the following entry to `/etc/hosts`:
Once the `/tmp/shared` folder has been created and the `etc/hosts` entry has been added, run the following command to start the Hadoop container.
```bash
docker run -it -h druid-hadoop-demo --name druid-hadoop-demo -p 2049:2049 -p 2122:2122 -p 8020:8020 -p 8021:8021 -p 8030:8030 -p 8031:8031 -p 8032:8032 -p 8033:8033 -p 8040:8040 -p 8042:8042 -p 8088:8088 -p 8443:8443 -p 9000:9000 -p 10020:10020 -p 19888:19888 -p 34455:34455 -p 49707:49707 -p 50010:50010 -p 50020:50020 -p 50030:50030 -p 50060:50060 -p 50070:50070 -p 50075:50075 -p 50090:50090 -p 51111:51111 -v /tmp/shared:/shared druid-hadoop-demo:2.8.3 /etc/bootstrap.sh -bash
docker run -it -h druid-hadoop-demo --name druid-hadoop-demo -p 2049:2049 -p 2122:2122 -p 8020:8020 -p 8021:8021 -p 8030:8030 -p 8031:8031 -p 8032:8032 -p 8033:8033 -p 8040:8040 -p 8042:8042 -p 8088:8088 -p 8443:8443 -p 9000:9000 -p 10020:10020 -p 19888:19888 -p 34455:34455 -p 49707:49707 -p 50010:50010 -p 50020:50020 -p 50030:50030 -p 50060:50060 -p 50070:50070 -p 50075:50075 -p 50090:50090 -p 51111:51111 -v /tmp/shared:/shared druid-hadoop-demo:2.8.5 /etc/bootstrap.sh -bash
```
Once the container is started, your terminal will attach to a bash shell running inside the container:


@ -14,11 +14,11 @@
# See the License for the specific language governing permissions and
# limitations under the License.
# Creates pseudo distributed hadoop 2.8.3 with java 8
# Creates pseudo distributed hadoop 2.8.5 with java 8
#
# Modified from the SequenceIQ Dockerfiles at https://github.com/sequenceiq/hadoop-docker
#
# docker build -t druid-hadoop-demo:2.8.3 .
# docker build -t druid-hadoop-demo:2.8.5 .
FROM sequenceiq/pam:centos-6.5
MAINTAINER SequenceIQ
@ -51,8 +51,8 @@ ENV JAVA_HOME /usr/lib/jvm/zulu-8
ENV PATH $PATH:$JAVA_HOME/bin
# hadoop
RUN curl -s https://archive.apache.org/dist/hadoop/core/hadoop-2.8.3/hadoop-2.8.3.tar.gz | tar -xz -C /usr/local/
RUN cd /usr/local && ln -s ./hadoop-2.8.3 hadoop
RUN curl -s https://archive.apache.org/dist/hadoop/core/hadoop-2.8.5/hadoop-2.8.5.tar.gz | tar -xz -C /usr/local/
RUN cd /usr/local && ln -s ./hadoop-2.8.5 hadoop
ENV HADOOP_PREFIX /usr/local/hadoop
ENV HADOOP_COMMON_HOME /usr/local/hadoop


@ -75,5 +75,5 @@
}
}
},
"hadoopDependencyCoordinates": ["org.apache.hadoop:hadoop-client:2.8.3"]
"hadoopDependencyCoordinates": ["org.apache.hadoop:hadoop-client:2.8.5"]
}


@ -227,6 +227,11 @@
<groupId>com.nimbusds</groupId>
<artifactId>nimbus-jose-jwt</artifactId>
</exclusion>
<exclusion>
<!-- excluded to remove security vulnerabilities; jackson-mapper-asl is renamed to jackson-databind -->
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-mapper-asl</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>
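Review bot: The comment on the new exclusion says jackson-mapper-asl "is renamed to jackson-databind", which is not accurate and may mislead the next maintainer: jackson-mapper-asl is Jackson 1.x under the org.codehaus.jackson package, while jackson-databind is Jackson 2.x under com.fasterxml.jackson, so excluding the former does not substitute the latter for any code that still loads org.codehaus.jackson classes. Hadoop 2.8.x artifacts declare that 1.x dependency, so if some Hadoop code path on this module's runtime classpath still uses it, the exclusion would surface as a missing class at runtime rather than as a quiet fix — worth confirming with the Maven dependency tree for this module. Note also that the root pom hunk in this same commit still manages `<codehaus.jackson.version>1.9.13</codehaus.jackson.version>`, so the vulnerable artifact only leaves the classpath if no other dependency path re-introduces it. I would reword the comment to `<!-- excluded to drop Jackson 1.x (org.codehaus.jackson); Druid code uses jackson-databind (Jackson 2.x), which is a different package namespace, not a rename -->`. The identical exclusion and comment are added in the next file section (apparently the hdfs-storage pom), and the same wording fix applies there.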


@ -249,6 +249,11 @@
<groupId>com.sun.jersey</groupId>
<artifactId>jersey-server</artifactId>
</exclusion>
<exclusion>
<!-- excluded to remove security vulnerabilities; jackson-mapper-asl is renamed to jackson-databind -->
<groupId>org.codehaus.jackson</groupId>
<artifactId>jackson-mapper-asl</artifactId>
</exclusion>
</exclusions>
</dependency>
<dependency>


@ -50,7 +50,7 @@
<dependency>
<groupId>org.postgresql</groupId>
<artifactId>postgresql</artifactId>
<version>9.4.1208.jre7</version>
<version>42.2.8</version>
</dependency>
<dependency>
<groupId>org.jdbi</groupId>


@ -34,7 +34,7 @@ import java.util.List;
public class TaskConfig
{
public static final List<String> DEFAULT_DEFAULT_HADOOP_COORDINATES = ImmutableList.of(
"org.apache.hadoop:hadoop-client:2.8.3"
"org.apache.hadoop:hadoop-client:2.8.5"
);
private static final Period DEFAULT_DIRECTORY_LOCK_TIMEOUT = new Period("PT10M");


@ -179,7 +179,7 @@ name: ClassMate
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 1.0.0
version: 1.1.0
libraries:
- com.fasterxml: classmate
notices:
@ -200,7 +200,6 @@ version: 2.6.7
libraries:
- com.fasterxml.jackson.core: jackson-annotations
- com.fasterxml.jackson.core: jackson-core
- com.fasterxml.jackson.core: jackson-databind
- com.fasterxml.jackson.dataformat: jackson-dataformat-cbor
- com.fasterxml.jackson.dataformat: jackson-dataformat-smile
- com.fasterxml.jackson.datatype: jackson-datatype-guava
@ -233,11 +232,42 @@ notice: |
---
name: Jackson
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 2.6.7.3
libraries:
- com.fasterxml.jackson.core: jackson-databind
notice: |
# Jackson JSON processor
Jackson is a high-performance, Free/Open Source JSON processing library.
It was originally written by Tatu Saloranta (tatu.saloranta@iki.fi), and has
been in development since 2007.
It is currently developed by a community of developers, as well as supported
commercially by FasterXML.com.
## Licensing
Jackson core and extension components may licensed under different licenses.
To find the details that apply to this artifact see the accompanying LICENSE file.
For more information, including possible other licensing options, contact
FasterXML.com (http://fasterxml.com).
## Credits
A list of contributors may be found from CREDITS file, which is included
in some artifacts (usually source distributions); but is always available
from the source code management (SCM) system project uses.
---
name: Caffeine
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 2.5.5
version: 2.8.0
libraries:
- com.github.ben-manes.caffeine: caffeine
@ -375,7 +405,7 @@ name: Apache Commons BeanUtils
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 1.9.3
version: 1.9.4
libraries:
- commons-beanutils: commons-beanutils
notices:
@ -389,7 +419,7 @@ name: Apache Commons Codec
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 1.12
version: 1.13
libraries:
- commons-codec: commons-codec
notices:
@ -758,7 +788,7 @@ name: Netty
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 4.1.30.Final
version: 4.1.42.Final
libraries:
- io.netty: netty-buffer
- io.netty: netty-codec
@ -1317,7 +1347,7 @@ name: Apache Log4j
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 2.5
version: 2.8.2
libraries:
- org.apache.logging.log4j: log4j-1.2-api
- org.apache.logging.log4j: log4j-api
@ -1479,7 +1509,7 @@ name: Plexus Common Utilities
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 3.0.15
version: 3.0.24
libraries:
- org.codehaus.plexus: plexus-utils
notices:
@ -1501,7 +1531,7 @@ name: Jetty
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 9.4.10.v20180503
version: 9.4.12.v20180830
libraries:
- org.eclipse.jetty: jetty-client
- org.eclipse.jetty: jetty-continuation
@ -1650,7 +1680,7 @@ name: Hibernate Validator Engine
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 5.1.3.Final
version: 5.2.5.Final
libraries:
- org.hibernate: hibernate-validator
@ -1789,7 +1819,7 @@ name: JBoss Logging 3
license_category: binary
module: java-core
license_name: Apache License version 2.0
version: 3.1.3.GA
version: 3.2.1.Final
libraries:
- org.jboss.logging: jboss-logging
@ -1880,7 +1910,7 @@ name: Apache Hadoop
license_category: binary
module: hadoop-client
license_name: Apache License version 2.0
version: 2.8.3
version: 2.8.5
libraries:
- org.apache.hadoop: hadoop-annotations
- org.apache.hadoop: hadoop-auth
@ -2355,7 +2385,7 @@ name: Nimbus JOSE+JWT
license_category: binary
module: hadoop-client
license_name: Apache License version 2.0
version: 3.9
version: 4.41.1
libraries:
- com.nimbusds: nimbus-jose-jwt
@ -2503,7 +2533,7 @@ name: Apache Commons Compress
license_category: binary
module: hadoop-client
license_name: Apache License version 2.0
version: 1.4.1
version: 1.19
libraries:
- org.apache.commons: commons-compress
notices:
@ -2917,7 +2947,7 @@ name: Apache Avro
license_category: binary
module: extensions/druid-avro-extensions
license_name: Apache License version 2.0
version: 1.9.0
version: 1.9.1
libraries:
- org.apache.avro: avro
- org.apache.avro: avro-mapred
@ -3431,10 +3461,10 @@ libraries:
name: PostgreSQL JDBC Driver
license_category: binary
module: extensions/postgresql-metadata-storage
license_name: BSD-3-Clause License
version: 9.4.1208.jre7
license_name: BSD-2-Clause License
version: 42.2.8
copyright: PostgreSQL Global Development Group
license_file_path: licenses/bin/postgresql.BSD3
license_file_path: licenses/bin/postgresql.BSD2
libraries:
- org.postgresql: postgresql
@ -3457,7 +3487,7 @@ name: ICU4J
license_category: binary
module: java-core
license_name: ICU License
version: 54.1.1
version: 55.1
copyright: International Business Machines Corporation and others
license_file_path: licenses/bin/icu4j.ICU
libraries:
@ -3747,15 +3777,13 @@ libraries:
---
name: \"Java Concurrency In Practice\" Book Annotations
name: JCIP Annotations Under Apache License
license_category: binary
module: hadoop-client
license_name: Creative Commons Attribution 2.5
version: 1.0
copyright: Brian Goetz and Tim Peierls
license_file_path: licenses/bin/creative-commons-2.5.LICENSE
module: extensions/druid-hdfs-storage
license_name: Apache License version 2.0
version: 1.0-1
libraries:
- net.jcip: jcip-annotations
- com.github.stephenc.jcip: jcip-annotations
---


@ -1,60 +0,0 @@
Attribution-NonCommercial 2.5
CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE LEGAL SERVICES. DISTRIBUTION OF THIS LICENSE DOES NOT CREATE AN ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES REGARDING THE INFORMATION PROVIDED, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM ITS USE.
License
THE WORK (AS DEFINED BELOW) IS PROVIDED UNDER THE TERMS OF THIS CREATIVE COMMONS PUBLIC LICENSE ("CCPL" OR "LICENSE"). THE WORK IS PROTECTED BY COPYRIGHT AND/OR OTHER APPLICABLE LAW. ANY USE OF THE WORK OTHER THAN AS AUTHORIZED UNDER THIS LICENSE OR COPYRIGHT LAW IS PROHIBITED.
BY EXERCISING ANY RIGHTS TO THE WORK PROVIDED HERE, YOU ACCEPT AND AGREE TO BE BOUND BY THE TERMS OF THIS LICENSE. THE LICENSOR GRANTS YOU THE RIGHTS CONTAINED HERE IN CONSIDERATION OF YOUR ACCEPTANCE OF SUCH TERMS AND CONDITIONS.
1. Definitions
"Collective Work" means a work, such as a periodical issue, anthology or encyclopedia, in which the Work in its entirety in unmodified form, along with a number of other contributions, constituting separate and independent works in themselves, are assembled into a collective whole. A work that constitutes a Collective Work will not be considered a Derivative Work (as defined below) for the purposes of this License.
"Derivative Work" means a work based upon the Work or upon the Work and other pre-existing works, such as a translation, musical arrangement, dramatization, fictionalization, motion picture version, sound recording, art reproduction, abridgment, condensation, or any other form in which the Work may be recast, transformed, or adapted, except that a work that constitutes a Collective Work will not be considered a Derivative Work for the purpose of this License. For the avoidance of doubt, where the Work is a musical composition or sound recording, the synchronization of the Work in timed-relation with a moving image ("synching") will be considered a Derivative Work for the purpose of this License.
"Licensor" means the individual or entity that offers the Work under the terms of this License.
"Original Author" means the individual or entity who created the Work.
"Work" means the copyrightable work of authorship offered under the terms of this License.
"You" means an individual or entity exercising rights under this License who has not previously violated the terms of this License with respect to the Work, or who has received express permission from the Licensor to exercise rights under this License despite a previous violation.
2. Fair Use Rights. Nothing in this license is intended to reduce, limit, or restrict any rights arising from fair use, first sale or other limitations on the exclusive rights of the copyright owner under copyright law or other applicable laws.
3. License Grant. Subject to the terms and conditions of this License, Licensor hereby grants You a worldwide, royalty-free, non-exclusive, perpetual (for the duration of the applicable copyright) license to exercise the rights in the Work as stated below:
to reproduce the Work, to incorporate the Work into one or more Collective Works, and to reproduce the Work as incorporated in the Collective Works;
to create and reproduce Derivative Works;
to distribute copies or phonorecords of, display publicly, perform publicly, and perform publicly by means of a digital audio transmission the Work including as incorporated in Collective Works;
to distribute copies or phonorecords of, display publicly, perform publicly, and perform publicly by means of a digital audio transmission Derivative Works;
The above rights may be exercised in all media and formats whether now known or hereafter devised. The above rights include the right to make such modifications as are technically necessary to exercise the rights in other media and formats. All rights not expressly granted by Licensor are hereby reserved, including but not limited to the rights set forth in Sections 4(d) and 4(e).
4. Restrictions.The license granted in Section 3 above is expressly made subject to and limited by the following restrictions:
You may distribute, publicly display, publicly perform, or publicly digitally perform the Work only under the terms of this License, and You must include a copy of, or the Uniform Resource Identifier for, this License with every copy or phonorecord of the Work You distribute, publicly display, publicly perform, or publicly digitally perform. You may not offer or impose any terms on the Work that alter or restrict the terms of this License or the recipients' exercise of the rights granted hereunder. You may not sublicense the Work. You must keep intact all notices that refer to this License and to the disclaimer of warranties. You may not distribute, publicly display, publicly perform, or publicly digitally perform the Work with any technological measures that control access or use of the Work in a manner inconsistent with the terms of this License Agreement. The above applies to the Work as incorporated in a Collective Work, but this does not require the Collective Work apart from the Work itself to be made subject to the terms of this License. If You create a Collective Work, upon notice from any Licensor You must, to the extent practicable, remove from the Collective Work any credit as required by clause 4(c), as requested. If You create a Derivative Work, upon notice from any Licensor You must, to the extent practicable, remove from the Derivative Work any credit as required by clause 4(c), as requested.
You may not exercise any of the rights granted to You in Section 3 above in any manner that is primarily intended for or directed toward commercial advantage or private monetary compensation. The exchange of the Work for other copyrighted works by means of digital file-sharing or otherwise shall not be considered to be intended for or directed toward commercial advantage or private monetary compensation, provided there is no payment of any monetary compensation in connection with the exchange of copyrighted works.
If you distribute, publicly display, publicly perform, or publicly digitally perform the Work or any Derivative Works or Collective Works, You must keep intact all copyright notices for the Work and provide, reasonable to the medium or means You are utilizing: (i) the name of Original Author (or pseudonym, if applicable) if supplied, and/or (ii) if the Original Author and/or Licensor designate another party or parties (e.g. a sponsor institute, publishing entity, journal) for attribution in Licensor's copyright notice, terms of service or by other reasonable means, the name of such party or parties; the title of the Work if supplied; to the extent reasonably practicable, the Uniform Resource Identifier, if any, that Licensor specifies to be associated with the Work, unless such URI does not refer to the copyright notice or licensing information for the Work; and in the case of a Derivative Work, a credit identifying the use of the Work in the Derivative Work (e.g., "French translation of the Work by Original Author," or "Screenplay based on original Work by Original Author"). Such credit may be implemented in any reasonable manner; provided, however, that in the case of a Derivative Work or Collective Work, at a minimum such credit will appear where any other comparable authorship credit appears and in a manner at least as prominent as such other comparable authorship credit.
For the avoidance of doubt, where the Work is a musical composition:
Performance Royalties Under Blanket Licenses. Licensor reserves the exclusive right to collect, whether individually or via a performance rights society (e.g. ASCAP, BMI, SESAC), royalties for the public performance or public digital performance (e.g. webcast) of the Work if that performance is primarily intended for or directed toward commercial advantage or private monetary compensation.
Mechanical Rights and Statutory Royalties. Licensor reserves the exclusive right to collect, whether individually or via a music rights agency or designated agent (e.g. Harry Fox Agency), royalties for any phonorecord You create from the Work ("cover version") and distribute, subject to the compulsory license created by 17 USC Section 115 of the US Copyright Act (or the equivalent in other jurisdictions), if Your distribution of such cover version is primarily intended for or directed toward commercial advantage or private monetary compensation.
Webcasting Rights and Statutory Royalties. For the avoidance of doubt, where the Work is a sound recording, Licensor reserves the exclusive right to collect, whether individually or via a performance-rights society (e.g. SoundExchange), royalties for the public digital performance (e.g. webcast) of the Work, subject to the compulsory license created by 17 USC Section 114 of the US Copyright Act (or the equivalent in other jurisdictions), if Your public digital performance is primarily intended for or directed toward commercial advantage or private monetary compensation.
5. Representations, Warranties and Disclaimer
UNLESS OTHERWISE MUTUALLY AGREED TO BY THE PARTIES IN WRITING, LICENSOR OFFERS THE WORK AS-IS AND MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND CONCERNING THE WORK, EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING, WITHOUT LIMITATION, WARRANTIES OF TITLE, MERCHANTIBILITY, FITNESS FOR A PARTICULAR PURPOSE, NONINFRINGEMENT, OR THE ABSENCE OF LATENT OR OTHER DEFECTS, ACCURACY, OR THE PRESENCE OF ABSENCE OF ERRORS, WHETHER OR NOT DISCOVERABLE. SOME JURISDICTIONS DO NOT ALLOW THE EXCLUSION OF IMPLIED WARRANTIES, SO SUCH EXCLUSION MAY NOT APPLY TO YOU.
6. Limitation on Liability. EXCEPT TO THE EXTENT REQUIRED BY APPLICABLE LAW, IN NO EVENT WILL LICENSOR BE LIABLE TO YOU ON ANY LEGAL THEORY FOR ANY SPECIAL, INCIDENTAL, CONSEQUENTIAL, PUNITIVE OR EXEMPLARY DAMAGES ARISING OUT OF THIS LICENSE OR THE USE OF THE WORK, EVEN IF LICENSOR HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
7. Termination
This License and the rights granted hereunder will terminate automatically upon any breach by You of the terms of this License. Individuals or entities who have received Derivative Works or Collective Works from You under this License, however, will not have their licenses terminated provided such individuals or entities remain in full compliance with those licenses. Sections 1, 2, 5, 6, 7, and 8 will survive any termination of this License.
Subject to the above terms and conditions, the license granted here is perpetual (for the duration of the applicable copyright in the Work). Notwithstanding the above, Licensor reserves the right to release the Work under different license terms or to stop distributing the Work at any time; provided, however that any such election will not serve to withdraw this License (or any other license that has been, or is required to be, granted under the terms of this License), and this License will continue in full force and effect unless terminated as stated above.
8. Miscellaneous
Each time You distribute or publicly digitally perform the Work or a Collective Work, the Licensor offers to the recipient a license to the Work on the same terms and conditions as the license granted to You under this License.
Each time You distribute or publicly digitally perform a Derivative Work, Licensor offers to the recipient a license to the original Work on the same terms and conditions as the license granted to You under this License.
If any provision of this License is invalid or unenforceable under applicable law, it shall not affect the validity or enforceability of the remainder of the terms of this License, and without further action by the parties to this agreement, such provision shall be reformed to the minimum extent necessary to make such provision valid and enforceable.
No term or provision of this License shall be deemed waived and no breach consented to unless such waiver or consent shall be in writing and signed by the party to be charged with such waiver or consent.
This License constitutes the entire agreement between the parties with respect to the Work licensed here. There are no understandings, agreements or representations with respect to the Work not specified here. Licensor shall not be bound by any additional provisions that may appear in any communication from You. This License may not be modified without the mutual written agreement of the Licensor and You.
Creative Commons is not a party to this License, and makes no warranty whatsoever in connection with the Work. Creative Commons will not be liable to You or any party on any legal theory for any damages whatsoever, including without limitation any general, special, incidental or consequential damages arising in connection to this license. Notwithstanding the foregoing two (2) sentences, if Creative Commons has expressly identified itself as the Licensor hereunder, it shall have all rights and obligations of Licensor.
Except for the limited purpose of indicating to the public that the Work is licensed under the CCPL, neither party will use the trademark "Creative Commons" or any related trademark or logo of Creative Commons without the prior written consent of Creative Commons. Any permitted use will be in compliance with Creative Commons' then-current trademark usage guidelines, as may be published on its website or otherwise made available upon request from time to time.
Creative Commons may be contacted at https://creativecommons.org/.


@ -1,4 +1,4 @@
Copyright (c) 1997-2011, PostgreSQL Global Development Group
Copyright (c) 1997, PostgreSQL Global Development Group
All rights reserved.
Redistribution and use in source and binary forms, with or without
@ -9,9 +9,6 @@ modification, are permitted provided that the following conditions are met:
2. Redistributions in binary form must reproduce the above copyright notice,
this list of conditions and the following disclaimer in the documentation
and/or other materials provided with the distribution.
3. Neither the name of the PostgreSQL Global Development Group nor the names
of its contributors may be used to endorse or promote products derived
from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

41
pom.xml

@ -79,30 +79,30 @@
<apache.curator.version>4.1.0</apache.curator.version>
<apache.curator.test.version>2.12.0</apache.curator.test.version>
<avatica.version>1.12.0</avatica.version>
<avro.version>1.9.0</avro.version>
<avro.version>1.9.1</avro.version>
<calcite.version>1.17.0</calcite.version>
<derby.version>10.14.2.0</derby.version>
<dropwizard.metrics.version>4.0.0</dropwizard.metrics.version>
<guava.version>16.0.1</guava.version>
<guice.version>4.1.0</guice.version>
<hamcrest.version>1.3</hamcrest.version>
<jetty.version>9.4.10.v20180503</jetty.version>
<jetty.version>9.4.12.v20180830</jetty.version>
<jersey.version>1.19.3</jersey.version>
<!-- jackson 2.7.x causes injection error and 2.8.x can't be used because avatica is using 2.6.3 -->
<jackson.version>2.6.7</jackson.version>
<codehaus.jackson.version>1.9.13</codehaus.jackson.version>
<log4j.version>2.5</log4j.version>
<log4j.version>2.8.2</log4j.version>
<netty3.version>3.10.6.Final</netty3.version>
<!-- Spark updated in https://github.com/apache/spark/pull/19884 -->
<netty4.version>4.1.30.Final</netty4.version>
<netty4.version>4.1.42.Final</netty4.version>
<node.version>v10.14.2</node.version>
<npm.version>6.5.0</npm.version>
<slf4j.version>1.7.12</slf4j.version>
<!-- If compiling with different hadoop version also modify default hadoop coordinates in TaskConfig.java -->
<hadoop.compile.version>2.8.3</hadoop.compile.version>
<hadoop.compile.version>2.8.5</hadoop.compile.version>
<powermock.version>2.0.2</powermock.version>
<aws.sdk.version>1.11.199</aws.sdk.version>
<caffeine.version>2.5.5</caffeine.version>
<caffeine.version>2.8.0</caffeine.version>
<!-- When upgrading ZK, edit docs and integration tests as well (integration-tests/docker-base/setup.sh) -->
<zookeeper.version>3.4.14</zookeeper.version>
<checkerframework.version>2.5.7</checkerframework.version>
@ -201,7 +201,7 @@
<dependency>
<groupId>commons-codec</groupId>
<artifactId>commons-codec</artifactId>
<version>1.12</version>
<version>1.13</version>
</dependency>
<dependency>
<groupId>commons-io</groupId>
@ -322,9 +322,14 @@
</exclusions>
</dependency>
<dependency>
<groupId>org.apache.curator</groupId>
<artifactId>curator-x-discovery</artifactId>
<version>${apache.curator.version}</version>
<!--
~ TODO: This dependency transitively pulls in org.codehaus.jackson:jackson-mapper.asl.1.9.13 which has
~ security vulnerability CVE-2017-7525. https://github.com/apache/incubator-druid/pull/8177 tracks
~ upgrading to a newer curator version.
-->
<groupId>org.apache.curator</groupId>
<artifactId>curator-x-discovery</artifactId>
<version>${apache.curator.version}</version>
</dependency>
<dependency>
<groupId>org.apache.calcite</groupId>
@ -389,7 +394,7 @@
<dependency>
<groupId>com.ibm.icu</groupId>
<artifactId>icu4j</artifactId>
<version>54.1.1</version>
<version>55.1</version>
</dependency>
<dependency>
<groupId>org.mozilla</groupId>
@ -399,7 +404,7 @@
<dependency>
<groupId>org.apache.commons</groupId>
<artifactId>commons-compress</artifactId>
<version>1.18</version>
<version>1.19</version>
</dependency>
<dependency>
<groupId>org.tukaani</groupId>
@ -424,7 +429,7 @@
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>${jackson.version}</version>
<version>${jackson.version}.3</version>
</dependency>
<dependency>
<groupId>com.fasterxml.jackson.datatype</groupId>
@ -454,7 +459,7 @@
<dependency>
<groupId>org.hibernate</groupId>
<artifactId>hibernate-validator</artifactId>
<version>5.1.3.Final</version>
<version>5.2.5.Final</version>
</dependency>
<dependency>
<groupId>javax.validation</groupId>
@ -860,6 +865,12 @@
<artifactId>opencsv</artifactId>
<version>4.6</version>
</dependency>
<dependency>
<groupId>commons-beanutils</groupId>
<artifactId>commons-beanutils</artifactId>
<!-- override the transitive dependency from com.opencsv:opensv:4.6 to version 1.9.3 to address CVE-2014-0114 -->
<version>1.9.4</version>
</dependency>
<dependency>
<groupId>com.jayway.jsonpath</groupId>
<artifactId>json-path</artifactId>
@ -939,7 +950,7 @@
<dependency>
<groupId>org.codehaus.plexus</groupId>
<artifactId>plexus-utils</artifactId>
<version>3.0.15</version>
<version>3.0.24</version>
</dependency>
<dependency>
<groupId>com.github.ben-manes.caffeine</groupId>
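Review bot: The new comment on the commons-beanutils override says the transitive dependency is pinned "to version 1.9.3" while the `<version>` on the next line is 1.9.4, and it spells the artifact `com.opencsv:opensv:4.6`, so anyone checking the CVE-2014-0114 remediation against the comment reads the wrong version. Suggest `<!-- override the transitive dependency from com.opencsv:opencsv:4.6 to 1.9.4 to address CVE-2014-0114 -->`. The jackson-databind hunk has a related maintainability catch: `${jackson.version}.3` glues a micro-release suffix onto the shared property, so a future bump of `jackson.version` produces a version string that may not exist; a dedicated property such as `<jackson.databind.version>2.6.7.3</jackson.databind.version>` placed next to the existing "jackson 2.7.x" comment would keep the security pin explicit and independently bumpable.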


@ -36,8 +36,6 @@ import org.junit.Assert;
import org.junit.Before;
import org.junit.Test;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Map;
@ -48,7 +46,6 @@ import java.util.concurrent.ForkJoinPool;
public class CaffeineCacheTest
{
private static final int RANDOM_SEED = 3478178;
private static final byte[] HI = StringUtils.toUtf8("hiiiiiiiiiiiiiiiiiii");
private static final byte[] HO = StringUtils.toUtf8("hooooooooooooooooooo");
@ -194,7 +191,6 @@ public class CaffeineCacheTest
final Cache.NamedKey key1 = new Cache.NamedKey("the", s1);
final Cache.NamedKey key2 = new Cache.NamedKey("the", s2);
final CaffeineCache cache = CaffeineCache.create(config, Runnable::run);
forceRandomSeed(cache);
Assert.assertNull(cache.get(key1));
Assert.assertNull(cache.get(key2));
@ -475,18 +471,6 @@ public class CaffeineCacheTest
{
cache.put(key, Ints.toByteArray(value));
}
// See
public static void forceRandomSeed(CaffeineCache cache) throws Exception
{
final Map map = cache.getCache().asMap();
final Method getFrequencySketch = map.getClass().getDeclaredMethod("frequencySketch");
getFrequencySketch.setAccessible(true);
final Object frequencySketch = getFrequencySketch.invoke(map);
final Field seedField = frequencySketch.getClass().getDeclaredField("randomSeed");
seedField.setAccessible(true);
seedField.setInt(frequencySketch, RANDOM_SEED);
}
}
class CaffeineCacheProviderWithConfig extends CaffeineCacheProvider


@ -42,7 +42,9 @@ import org.apache.druid.server.RequestLogLine;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.core.Appender;
import org.apache.logging.log4j.core.Logger;
import org.apache.logging.log4j.core.LoggerContext;
import org.apache.logging.log4j.core.appender.OutputStreamAppender;
import org.apache.logging.log4j.core.config.Configuration;
import org.apache.logging.log4j.core.layout.JsonLayout;
import org.joda.time.DateTime;
import org.joda.time.Interval;
@ -154,11 +156,25 @@ public class LoggingRequestLoggerTest
@BeforeClass
public static void setUpStatic()
{
LoggerContext loggerContext = (LoggerContext) LogManager.getContext(false);
Configuration configuration = loggerContext.getConfiguration();
appender = OutputStreamAppender
.newBuilder()
.setName("test stream")
.setTarget(BAOS)
.setLayout(JsonLayout.createLayout(false, true, false, true, true, StandardCharsets.UTF_8))
.setLayout(JsonLayout.createLayout(
configuration,
false,
true,
true,
false,
true,
true,
"[",
"]",
StandardCharsets.UTF_8,
true
))
.build();
final Logger logger = (Logger)
LogManager.getLogger(LoggingRequestLogger.class);
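Review bot: The `JsonLayout.createLayout(...)` call inside the new `.setLayout(...)` passes eleven positional arguments, seven of them bare booleans, so nothing in the code tells a reader which one is `compact`, `complete` or `propertiesAsList`, and a transposed pair would compile silently. As far as I recall, in log4j 2.8 this overload is the deprecated one and `JsonLayout.newBuilder()` exposes the same options as named setters, which is what the rewrite below uses with the same values; the parameter order I assumed should be checked against the 2.8.2 signature when applying it. `setUpStatic` continues past the end of the hunk.
```java
        appender = OutputStreamAppender
            .newBuilder()
            .setName("test stream")
            .setTarget(BAOS)
            .setLayout(JsonLayout.newBuilder()
                .setConfiguration(configuration)
                .setLocationInfo(false)
                .setProperties(true)
                .setPropertiesAsList(true)
                .setComplete(false)
                .setCompact(true)
                .setEventEol(true)
                .setHeader("[")
                .setFooter("]")
                .setCharset(StandardCharsets.UTF_8)
                .setIncludeStacktrace(true)
                .build())
            .build();
        // … unchanged: logger lookup and appender registration …
```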


@ -168,7 +168,7 @@ public class PullDependencies implements Runnable
@Option(
name = "--no-default-hadoop",
description = "Don't pull down the default hadoop coordinate, i.e., org.apache.hadoop:hadoop-client:2.8.3. If `-h` option is supplied, then default hadoop coordinate will not be downloaded.",
description = "Don't pull down the default hadoop coordinate, i.e., org.apache.hadoop:hadoop-client:2.8.5. If `-h` option is supplied, then default hadoop coordinate will not be downloaded.",
required = false)
public boolean noDefaultHadoop = false;