Merge branch 'main' into feat/extended-request

Author: sbernauer

.github/workflows/maven.yml

@@ -19,10 +19,10 @@ jobs:
 
     steps:
       - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
-      - name: Set up JDK 11
+      - name: Set up JDK 17
         uses: actions/setup-java@99b8673ff64fbf99d8d325f52d9a5bdedb8483e9 # v4.2.1
         with:
-          java-version: '11'
+          java-version: '17'
           distribution: 'temurin'
           cache: maven
       - name: Build with Maven

CHANGELOG.md

@@ -7,15 +7,21 @@ All notable changes to this project will be documented in this file.
 ### Changed
 
 - BREAKING: Only send a subset of the fields sufficient for most use-cases to OPA for performance reasons.
-  The old behavior of sending all fields can be restored by setting `hadoop.security.authorization.opa.extended-requests` to `true` ([#49]).
-- Bump `okio` to 1.17.6 and to 3.9.1 afterwards to get rid of CVE-2023-3635 ([#46], [#49]).
+  The old behavior of sending all fields can be restored by setting `hadoop.security.authorization.opa.extended-requests`
+  to `true` ([#49]).
+- Performance fixes ([#50])
+- Updates various dependencies and do a full spotless run. This will now require JDK 17 or later to build
+  (required by later error-prone versions), the build target is still Java 11 [#51]
+- Bump okio to 1.17.6 to get rid of CVE-2023-3635 ([#46])
 
 ### Fixed
 
 - Set path to `/` when the operation `contentSummary` is called on `/`. Previously path was set to `null` ([#49]).
 
 [#46]: https://github.com/stackabletech/hdfs-utils/pull/46
 [#49]: https://github.com/stackabletech/hdfs-utils/pull/49
+[#50]: https://github.com/stackabletech/hdfs-utils/pull/50
+[#51]: https://github.com/stackabletech/hdfs-utils/pull/51
 
 ## [0.3.0] - 2024-07-04
 
@@ -26,3 +32,4 @@ All notable changes to this project will be documented in this file.
 
 [#28]: https://github.com/stackabletech/hdfs-utils/pull/28
 [#29]: https://github.com/stackabletech/hdfs-utils/pull/29
+

pom.xml

@@ -35,23 +35,29 @@
     <maven.compiler.release>${java.version}</maven.compiler.release>
     <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
 
-    <!-- Tip: Use "mvn versions:display-dependency-updates" to check for updates -->
-    <cleanthat.version>2.17</cleanthat.version>
-    <error-prone.version>2.28.0</error-prone.version>
-    <google-java-format.version>1.19.2</google-java-format.version>
+    <!-- Tip:
+     Use "mvn versions:display-dependency-updates" and
+     "mvn versions:display-plugin-updates"
+     to check for updates -->
+    <cleanthat.version>2.22</cleanthat.version>
+    <error-prone.version>2.35.1</error-prone.version>
+    <google-java-format.version>1.24.0</google-java-format.version>
 
+    <cyclonedx-maven-plugin.version>2.9.0</cyclonedx-maven-plugin.version>
     <maven-clean-plugin.version>3.4.0</maven-clean-plugin.version>
     <maven-compiler-plugin.version>3.13.0</maven-compiler-plugin.version>
-    <maven-deploy-plugin.version>3.1.2</maven-deploy-plugin.version>
+    <maven-deploy-plugin.version>3.1.3</maven-deploy-plugin.version>
     <maven-enforcer-plugin.version>3.5.0</maven-enforcer-plugin.version>
-    <maven-install-plugin.version>3.1.2</maven-install-plugin.version>
+    <maven-install-plugin.version>3.1.3</maven-install-plugin.version>
     <maven-jar-plugin.version>3.4.2</maven-jar-plugin.version>
     <maven-resources-plugin.version>3.3.1</maven-resources-plugin.version>
+    <maven-shade-plugin.version>3.6.0</maven-shade-plugin.version>
     <maven-site-plugin.version>3.12.1</maven-site-plugin.version>
-    <maven-surefire-plugin.version>3.3.1</maven-surefire-plugin.version>
+    <maven-surefire-plugin.version>3.5.2</maven-surefire-plugin.version>
     <spotless-maven-plugin.version>2.43.0</spotless-maven-plugin.version>
-    <kubernetes-client.version>6.13.4</kubernetes-client.version>
-    <okio.version>3.9.1</okio.version>
+
+    <kubernetes-client.version>6.13.1</kubernetes-client.version>
+    <okio.version>1.17.6</okio.version>
   </properties>
 
   <dependencies>
@@ -129,6 +135,7 @@
         <configuration>
           <compilerArgs>
             <arg>-XDcompilePolicy=simple</arg>
+            <arg>--should-stop=ifError=FLOW</arg>
             <arg>-Xplugin:ErrorProne</arg>
           </compilerArgs>
           <annotationProcessorPaths>
@@ -159,7 +166,7 @@
               <version>${java.version}</version>
             </requireJavaVersion>
             <requireMavenVersion>
-              <version>3.3.9</version>
+              <version>3.6.3</version>
             </requireMavenVersion>
             <requirePluginVersions/>
           </rules>
@@ -190,7 +197,7 @@
       <plugin>
         <groupId>org.apache.maven.plugins</groupId>
         <artifactId>maven-shade-plugin</artifactId>
-        <version>3.6.0</version>
+        <version>${maven-shade-plugin.version}</version>
         <executions>
           <execution>
             <goals>
@@ -252,14 +259,14 @@
             <goals>
               <goal>apply</goal>
             </goals>
-            <phase>verify</phase>
+            <phase>compile</phase>
           </execution>
         </executions>
       </plugin>
       <plugin>
         <groupId>org.cyclonedx</groupId>
         <artifactId>cyclonedx-maven-plugin</artifactId>
-        <version>2.8.0</version>
+        <version>${cyclonedx-maven-plugin.version}</version>
         <configuration>
           <projectType>application</projectType>
           <schemaVersion>1.5</schemaVersion>

src/main/java/tech/stackable/hadoop/HadoopConfigSingleton.java

@@ -3,10 +3,10 @@
 import org.apache.hadoop.conf.Configuration;
 
 public enum HadoopConfigSingleton {
-    INSTANCE;
-    private final Configuration configuration = new Configuration();
+  INSTANCE;
+  private final Configuration configuration = new Configuration();
 
-    public Configuration getConfiguration() {
-        return this.configuration;
-    }
+  public Configuration getConfiguration() {
+    return this.configuration;
+  }
 }

src/main/java/tech/stackable/hadoop/OpaAllowQuery.java

@@ -1,6 +1,10 @@
 package tech.stackable.hadoop;
 
+import org.apache.hadoop.fs.permission.FsAction;
+import org.apache.hadoop.hdfs.server.namenode.INode;
 import org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider;
+import org.apache.hadoop.hdfs.server.namenode.INodeAttributes;
+import org.apache.hadoop.ipc.CallerContext;
 import org.apache.hadoop.security.UserGroupInformation;
 
 public class OpaAllowQuery {
@@ -11,47 +15,47 @@ public OpaAllowQuery(OpaAllowQueryInput input) {
   }
 
   /**
-   * Wrapper around {@link INodeAttributeProvider.AuthorizationContext}, which uses our custom wrapper around
-   * {@link UserGroupInformation}, {@link OpaQueryUgi}.
+   * Wrapper around {@link INodeAttributeProvider.AuthorizationContext}, which uses our custom
+   * wrapper around {@link UserGroupInformation}, {@link OpaQueryUgi}.
    */
   public static class OpaAllowQueryInput {
-    public java.lang.String fsOwner;
-    public java.lang.String supergroup;
+    public String fsOwner;
+    public String supergroup;
     // Wrapping this
     public OpaQueryUgi callerUgi;
-    public org.apache.hadoop.hdfs.server.namenode.INodeAttributes[] inodeAttrs;
-    public org.apache.hadoop.hdfs.server.namenode.INode[] inodes;
+    public INodeAttributes[] inodeAttrs;
+    public INode[] inodes;
     public byte[][] pathByNameArr;
     public int snapshotId;
-    public java.lang.String path;
+    public String path;
     public int ancestorIndex;
     public boolean doCheckOwner;
-    public org.apache.hadoop.fs.permission.FsAction ancestorAccess;
-    public org.apache.hadoop.fs.permission.FsAction parentAccess;
-    public org.apache.hadoop.fs.permission.FsAction access;
-    public org.apache.hadoop.fs.permission.FsAction subAccess;
+    public FsAction ancestorAccess;
+    public FsAction parentAccess;
+    public FsAction access;
+    public FsAction subAccess;
     public boolean ignoreEmptyDir;
-    public java.lang.String operationName;
-    public org.apache.hadoop.ipc.CallerContext callerContext;
+    public String operationName;
+    public CallerContext callerContext;
 
     public OpaAllowQueryInput(INodeAttributeProvider.AuthorizationContext context) {
-      this.fsOwner = context.getFsOwner();
-      this.supergroup = context.getSupergroup();
-      this.callerUgi = new OpaQueryUgi(context.getCallerUgi());
-      this.inodeAttrs = context.getInodeAttrs();
-      this.inodes = context.getInodes();
-      this.pathByNameArr = context.getPathByNameArr();
-      this.snapshotId = context.getSnapshotId();
-      this.path = context.getPath();
-      this.ancestorIndex = context.getAncestorIndex();
-      this.doCheckOwner = context.isDoCheckOwner();
-      this.ancestorAccess = context.getAncestorAccess();
-      this.parentAccess = context.getParentAccess();
-      this.access = context.getAccess();
-      this.subAccess = context.getSubAccess();
-      this.ignoreEmptyDir = context.isIgnoreEmptyDir();
-      this.operationName = context.getOperationName();
-      this.callerContext = context.getCallerContext();
+      fsOwner = context.getFsOwner();
+      supergroup = context.getSupergroup();
+      callerUgi = new OpaQueryUgi(context.getCallerUgi());
+      inodeAttrs = context.getInodeAttrs();
+      inodes = context.getInodes();
+      pathByNameArr = context.getPathByNameArr();
+      snapshotId = context.getSnapshotId();
+      path = context.getPath();
+      ancestorIndex = context.getAncestorIndex();
+      doCheckOwner = context.isDoCheckOwner();
+      ancestorAccess = context.getAncestorAccess();
+      parentAccess = context.getParentAccess();
+      access = context.getAccess();
+      subAccess = context.getSubAccess();
+      ignoreEmptyDir = context.isIgnoreEmptyDir();
+      operationName = context.getOperationName();
+      callerContext = context.getCallerContext();
     }
   }
 }

src/main/java/tech/stackable/hadoop/OpaException.java

@@ -1,9 +1,7 @@
 package tech.stackable.hadoop;
 
-import static tech.stackable.hadoop.StackableAccessControlEnforcer.EXTENDED_REQUESTS_PROP;
 import static tech.stackable.hadoop.StackableGroupMapper.OPA_MAPPING_URL_PROP;
 
-import java.net.URI;
 import java.net.http.HttpResponse;
 
 public abstract class OpaException extends RuntimeException {
@@ -15,32 +13,21 @@ protected OpaException(String message, Throwable cause) {
   public static final class UriMissing extends OpaException {
     public UriMissing(String configuration) {
       super(
-              "No Open Policy Agent URI provided (must be set in the configuration \""
-                + configuration
-                + "\")",
+          "No Open Policy Agent URI provided (must be set in the configuration \""
+              + configuration
+              + "\")",
           null);
     }
   }
 
   public static final class UriInvalid extends OpaException {
     public UriInvalid(String uri, Throwable cause) {
       super(
-              "Open Policy Agent URI is invalid (see configuration property \""
-                      + OPA_MAPPING_URL_PROP
-                      + "\"): "
-                      + uri,
-              cause);
-    }
-  }
-
-  public static final class ExtendedRequestsConfigNotABoolean extends OpaException {
-    public ExtendedRequestsConfigNotABoolean(String extendedRequests, Throwable cause) {
-      super(
-              "The extended-requests property is not a boolean (see configuration property \""
-                      + EXTENDED_REQUESTS_PROP
-                      + "\"): "
-                      + extendedRequests,
-              cause);
+          "Open Policy Agent URI is invalid (see configuration property \""
+              + OPA_MAPPING_URL_PROP
+              + "\"): "
+              + uri,
+          cause);
     }
   }
 

src/main/java/tech/stackable/hadoop/OpaQueryUgi.java

@@ -1,43 +1,44 @@
 package tech.stackable.hadoop;
 
-import org.apache.hadoop.security.UserGroupInformation;
-
 import java.io.IOException;
 import java.util.List;
+import org.apache.hadoop.security.UserGroupInformation;
 
 public class OpaQueryUgi {
-    // Wrapping this
-    public OpaQueryUgi realUser;
-    public String userName;
-    public String shortUserName;
+  // Wrapping this
+  public OpaQueryUgi realUser;
+  public String userName;
+  public String shortUserName;
 
-    public String primaryGroup;
-    public List<String> groups;
+  public String primaryGroup;
+  public List<String> groups;
 
-    public UserGroupInformation.AuthenticationMethod authenticationMethod;
-    public UserGroupInformation.AuthenticationMethod realAuthenticationMethod;
+  public UserGroupInformation.AuthenticationMethod authenticationMethod;
+  public UserGroupInformation.AuthenticationMethod realAuthenticationMethod;
 
-    /**
-     * Wrapper around {@link UserGroupInformation}, which does not throw random errors during serialization when no primary
-     * group is known for the user.
-     * "Caused by: com.fasterxml.jackson.databind.JsonMappingException: Unexpected IOException (of type java.io.IOException): There is no primary group for UGI hive/[email protected] (auth:KERBEROS)"
-     */
-    public OpaQueryUgi(UserGroupInformation ugi) {
-        UserGroupInformation realUser = ugi.getRealUser();
-        if (realUser != null) {
-            this.realUser = new OpaQueryUgi(ugi.getRealUser());
-        } else {
-            this.realUser = null;
-        }
-        this.userName = ugi.getUserName();
-        this.shortUserName = ugi.getShortUserName();
-        try {
-            this.primaryGroup = ugi.getPrimaryGroupName();
-        } catch (IOException e) {
-            this.primaryGroup = null;
-        }
-        this.groups = ugi.getGroups();
-        this.authenticationMethod = ugi.getAuthenticationMethod();
-        this.realAuthenticationMethod = ugi.getRealAuthenticationMethod();
+  /**
+   * Wrapper around {@link UserGroupInformation}, which does not throw random errors during
+   * serialization when no primary group is known for the user. "Caused by:
+   * com.fasterxml.jackson.databind.JsonMappingException: Unexpected IOException (of type
+   * java.io.IOException): There is no primary group for UGI
+   * hive/[email protected] (auth:KERBEROS)"
+   */
+  public OpaQueryUgi(UserGroupInformation ugi) {
+    UserGroupInformation realUser = ugi.getRealUser();
+    if (realUser != null) {
+      this.realUser = new OpaQueryUgi(ugi.getRealUser());
+    } else {
+      this.realUser = null;
+    }
+    userName = ugi.getUserName();
+    shortUserName = ugi.getShortUserName();
+    try {
+      primaryGroup = ugi.getPrimaryGroupName();
+    } catch (IOException e) {
+      primaryGroup = null;
     }
+    groups = ugi.getGroups();
+    authenticationMethod = ugi.getAuthenticationMethod();
+    realAuthenticationMethod = ugi.getRealAuthenticationMethod();
+  }
 }

src/main/java/tech/stackable/hadoop/OpaReducedAllowQuery.java

@@ -1,7 +1,6 @@
 package tech.stackable.hadoop;
 
 import org.apache.hadoop.hdfs.server.namenode.INodeAttributeProvider;
-import org.apache.hadoop.security.UserGroupInformation;
 
 public class OpaReducedAllowQuery {
   public final OpaReducedAllowQueryInput input;
@@ -12,8 +11,8 @@ public OpaReducedAllowQuery(OpaReducedAllowQueryInput input) {
 
   /**
    * Similar to {@link OpaAllowQuery.OpaAllowQueryInput}, but this class only contains a subset of
-   * fields that should be sufficient for most use-cases, but offer a much better performance.
-   * See <a href="https://github.com/stackabletech/hdfs-utils/issues/48">this issue</a> for details.
+   * fields that should be sufficient for most use-cases, but offer a much better performance. See
+   * <a href="https://github.com/stackabletech/hdfs-utils/issues/48">this issue</a> for details.
    */
   public static class OpaReducedAllowQueryInput {
     public String fsOwner;