From b375a32db3bf478e8f763efe79acf583e05f16a7 Mon Sep 17 00:00:00 2001 From: Istvan Toth Date: Tue, 24 Sep 2024 13:21:39 +0200 Subject: [PATCH 1/4] [CALCITE-6590] Remove use of Java SecurityManager in Avatica Also bump ByteBuddy version to 1.15.1 --- build.gradle.kts | 3 +++ .../apache/calcite/avatica/remote/DoAsAvaticaHttpClient.java | 4 +++- gradle.properties | 2 +- .../test/java/org/apache/calcite/avatica/SpnegoTestUtil.java | 2 ++ 4 files changed, 9 insertions(+), 2 deletions(-) diff --git a/build.gradle.kts b/build.gradle.kts index 6f1cc39512..148376f794 100644 --- a/build.gradle.kts +++ b/build.gradle.kts @@ -392,6 +392,9 @@ allprojects { options.encoding = "UTF-8" } withType().configureEach { + if (JavaVersion.current() >= JavaVersion.VERSION_23) { + jvmArgs("-Djava.security.manager=allow") + } testLogging { exceptionFormat = TestExceptionFormat.FULL showStandardStreams = true diff --git a/core/src/main/java/org/apache/calcite/avatica/remote/DoAsAvaticaHttpClient.java b/core/src/main/java/org/apache/calcite/avatica/remote/DoAsAvaticaHttpClient.java index 123f821703..b7884f4c2d 100644 --- a/core/src/main/java/org/apache/calcite/avatica/remote/DoAsAvaticaHttpClient.java +++ b/core/src/main/java/org/apache/calcite/avatica/remote/DoAsAvaticaHttpClient.java @@ -33,7 +33,9 @@ public DoAsAvaticaHttpClient(AvaticaHttpClient wrapped, KerberosConnection kerbe this.kerberosUtil = Objects.requireNonNull(kerberosUtil); } - @Override public byte[] send(final byte[] request) { + // See CALCITE-6590 + @Override @SuppressWarnings("removal") + public byte[] send(final byte[] request) { return Subject.doAs(kerberosUtil.getSubject(), new PrivilegedAction() { @Override public byte[] run() { return wrapped.send(request); diff --git a/gradle.properties b/gradle.properties index 10aac8609d..f124804f1a 100644 --- a/gradle.properties +++ b/gradle.properties 
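Review bot: The guard `JavaVersion.current() >= JavaVersion.VERSION_23` in the test-task block has no upper bound, and as far as I know JDK 24 (JEP 486) refuses to start when `-Djava.security.manager=allow` is passed, so every test JVM would fail at launch there. Bounding it, e.g. `if (JavaVersion.current() == JavaVersion.VERSION_23) {`, keeps the workaround to the release it targets. `JavaVersion.current()` is also the JVM running Gradle, which may not be the JVM that runs the tests if a toolchain or custom launcher is configured elsewhere in the build; that is not visible in this hunk. The `configureEach` block continues outside the hunk.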
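Review bot: `@SuppressWarnings("removal")` on `send` removes the only build-time signal for the deprecated `Subject.doAs` call, while the JVM option this series relies on is set only for test tasks in build.gradle.kts. `DoAsAvaticaHttpClient` lives under `core/src/main`, so clients on JDK 23+ presumably have to pass the same option themselves, and a missing option would likely surface only as a Kerberos/SPNEGO failure at request time. A class-level Javadoc sentence such as `Requires -Djava.security.manager=allow when run on JDK 23` would put the requirement in the published API docs, where a `//` comment is not visible. The anonymous `PrivilegedAction` body continues past the end of the hunk.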
@@ -56,7 +56,7 @@ spotbugs.version=3.1.11 asm.version=7.1 bouncycastle.version=1.70 -bytebuddy.version=1.14.10 +bytebuddy.version=1.15.1 dropwizard-metrics.version=4.0.5 # We support Guava versions as old as 14.0.1 (the version used by Hive) # but prefer more recent versions. diff --git a/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java b/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java index 03857d8e4b..bce68aaf2d 100644 --- a/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java +++ b/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java @@ -133,6 +133,8 @@ public static void writeSpnegoConf(File configFile, File serverKeytab) } } + // See CALCITE-6590 + @SuppressWarnings("removal") public static void refreshJaasConfiguration() { // This is *extremely* important to make sure we get the right Configuration instance. // Configuration keeps a static instance of Configuration that it will return once it From a441393f03fc0c85cc5537fecff7b3aa6802b74a Mon Sep 17 00:00:00 2001 From: Istvan Toth Date: Wed, 25 Sep 2024 11:38:20 +0200 Subject: [PATCH 2/4] revert bytebuddy version bump --- gradle.properties | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/gradle.properties b/gradle.properties index f124804f1a..10aac8609d 100644 --- a/gradle.properties +++ b/gradle.properties @@ -56,7 +56,7 @@ spotbugs.version=3.1.11 asm.version=7.1 bouncycastle.version=1.70 -bytebuddy.version=1.15.1 +bytebuddy.version=1.14.10 dropwizard-metrics.version=4.0.5 # We support Guava versions as old as 14.0.1 (the version used by Hive) # but prefer more recent versions. From 9314ae90645cb4b112dbc41bf5ec88123dbffeab Mon Sep 17 00:00:00 2001 From: Istvan Toth Date: Wed, 25 Sep 2024 12:38:04 +0200 Subject: [PATCH 3/4] update comments --- .../calcite/avatica/remote/DoAsAvaticaHttpClient.java | 6 +++++- .../java/org/apache/calcite/avatica/SpnegoTestUtil.java | 7 ++++++- 2 files changed, 11 insertions(+), 2 deletions(-) 
diff --git a/core/src/main/java/org/apache/calcite/avatica/remote/DoAsAvaticaHttpClient.java b/core/src/main/java/org/apache/calcite/avatica/remote/DoAsAvaticaHttpClient.java index b7884f4c2d..c5f5e10392 100644 --- a/core/src/main/java/org/apache/calcite/avatica/remote/DoAsAvaticaHttpClient.java +++ b/core/src/main/java/org/apache/calcite/avatica/remote/DoAsAvaticaHttpClient.java @@ -33,7 +33,11 @@ public DoAsAvaticaHttpClient(AvaticaHttpClient wrapped, KerberosConnection kerbe this.kerberosUtil = Objects.requireNonNull(kerberosUtil); } - // See CALCITE-6590 + // Subject.doAs is deprecated and does not work in JDK23+ unless the (also deprecated) + // SecurityManager is enabled. However, the replacement API is not available in JDK8, + // so as a workaround we require enabling the securityManager on JDK23+. + // Also see https://issues.apache.org/jira/browse/CALCITE-6590 and https://openjdk.org/jeps/411 + // This class is used with Hadoop, which has the same issue. @Override @SuppressWarnings("removal") public byte[] send(final byte[] request) { return Subject.doAs(kerberosUtil.getSubject(), new PrivilegedAction() { diff --git a/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java b/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java index bce68aaf2d..32e092082e 100644 --- a/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java +++ b/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java 
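Review bot: The new comment above `send` describes the workaround as "enabling the securityManager", but the option used in this series is `-Djava.security.manager=allow`, which only permits a Security Manager to be installed at runtime and does not install one. Read literally, the comment could lead an operator to run the client under an actual Security Manager and policy, which is a much larger change than intended. I would word the third comment line as `// so as a workaround the JVM must be started with -Djava.security.manager=allow on JDK23+.` The same sentence is repeated in the SpnegoTestUtil.java hunk of this commit.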
@@ -133,7 +133,12 @@ public static void writeSpnegoConf(File configFile, File serverKeytab) } } - // See CALCITE-6590 + // Subject.doAs is deprecated and does not work in JDK23+ unless the (also deprecated) + // SecurityManager is enabled. However, the replacement API is not available in JDK8, + // so as a workaround we require enabling the securityManager on JDK23+. + // Also see https://issues.apache.org/jira/browse/CALCITE-6590 and https://openjdk.org/jeps/411 + // We add the "-Djava.security.manager=allow" cli option for tests when running with JDK23+ + // so that this keeps working. @SuppressWarnings("removal") public static void refreshJaasConfiguration() { // This is *extremely* important to make sure we get the right Configuration instance. From 51d9ec090fedb1c8fc1eb9c8701a19930f9c2129 Mon Sep 17 00:00:00 2001 From: Istvan Toth Date: Wed, 25 Sep 2024 13:16:35 +0200 Subject: [PATCH 4/4] checkstyle fix --- .../test/java/org/apache/calcite/avatica/SpnegoTestUtil.java | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java b/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java index 32e092082e..42c2c5fa4e 100644 --- a/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java +++ b/server/src/test/java/org/apache/calcite/avatica/SpnegoTestUtil.java 
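Review bot: The comment added above `refreshJaasConfiguration` explains `Subject.doAs`, but the context lines visible here describe resetting the static JAAS `Configuration` instance and show no `Subject.doAs` call. The method body is outside the hunk, so I cannot tell which removal-deprecated API `@SuppressWarnings("removal")` covers. If it is not `Subject.doAs`, the comment should name the call actually being suppressed, e.g. `// <API used below> is deprecated for removal (JEP 411); suppressed until a JDK8-compatible replacement exists.` Otherwise a later reader will look for a doAs call that is not there.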
@@ -137,7 +137,7 @@ public static void writeSpnegoConf(File configFile, File serverKeytab) // SecurityManager is enabled. However, the replacement API is not available in JDK8, // so as a workaround we require enabling the securityManager on JDK23+. // Also see https://issues.apache.org/jira/browse/CALCITE-6590 and https://openjdk.org/jeps/411 - // We add the "-Djava.security.manager=allow" cli option for tests when running with JDK23+ + // We add the "-Djava.security.manager=allow" cli option for tests when running with JDK23+ // so that this keeps working. @SuppressWarnings("removal") public static void refreshJaasConfiguration() {