Merged
38 changes: 37 additions & 1 deletion vendor/README.md
Expand Up @@ -28,6 +28,7 @@ The upgrading of the vendored dependencies should be performed in two steps:

# How to validate the vendored dependencies

## Linkage Tool
The [linkage tool](https://lists.apache.org/thread.html/eb5d95b9a33d7e32dc9bcd0f7d48ba8711d42bd7ed03b9cf0f1103f1%40%3Cdev.beam.apache.org%3E)
is useful for the vendored dependency upgrades. It reports the linkage errors across multiple Apache Beam artifact ids.

Expand All @@ -48,7 +49,7 @@ $ mvn install:install-file \
$ ./gradlew -PvendoredDependenciesOnly -Ppublishing -PjavaLinkageArtifactIds=beam-vendor-grpc-1_36_0:0.1 :checkJavaLinkage
```

## Known Linkage Errors in the Vendored gRPC Dependencies
### Known Linkage Errors in the Vendored gRPC Dependencies

It's expected that the task outputs some linkage errors.
While the `checkJavaLinkage` task does not retrieve optional dependencies to avoid bloated
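Review bot: The `checkJavaLinkage` example kept as context at the top of this hunk still names `beam-vendor-grpc-1_36_0:0.1`, while the section this change adds further down the file uses `vendor/grpc-1_43_2`. Use one version across both examples, or a placeholder for the artifact id and version, so a reader following the document end to end does not run the linkage check against a different artifact than the one they just built.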
Expand Down Expand Up @@ -78,3 +79,38 @@ references to the missing classes. Here are the known linkage errors:
to be included in the vendored artifact. Slf4j-api is available at Beam's runtime.
- References to `reactor.blockhound`: When enabled, Netty's BlockHound integration can detect
unexpected blocking calls. Beam does not use it.

## Create testing PR against new artifacts

Once you've verified using the linkage tool, you can test new artifacts by running unit and integration tests against a PR.

Example PRs:
- Updating gRPC version (large) https://github.com/apache/beam/pull/16460
- Updating protobuf for calcite (minor version update): https://github.com/apache/beam/pull/16476

Steps:

1. Generate new artifact files with `publishMavenJavaPublicationToMavenLocal`, e.g.

```
./gradlew -p vendor/grpc-1_43_2 publishMavenJavaPublicationToMavenLocal -Ppublishing -PvendoredDependenciesOnly

# Copy files (jar/poms/metadata) to your beam repository
cp -R ~/.m2/repository/org/apache/beam/beam-vendor-grpc-1_43_2/ \
$BEAMDIR/tempLib/org/apache/beam/beam-vendor-grpc-1_43_2
```

2. Add whatever folder (here I use `tempLib`) to the expected project repositories, e.g.

```
repositories {
maven { url "${project.rootDir}/tempLib" }
maven {
...
}
}
```

3. Migrate all references from the old dependency to the new dependency, including imports if needed.

4. Commit any added or changed files and create a PR (can be a draft, as you will not merge this PR) to test on.
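Review bot: Steps 2 and 4 have the reader put `maven { url "${project.rootDir}/tempLib" }` ahead of the existing repositories and then commit locally built jars, but the only guard in the text is the aside that "you will not merge this PR". State explicitly that the `tempLib` directory and the added repository entry exist for the test PR only and must never reach the main branch, because Gradle consults repositories in declaration order and this entry would let unpublished, unsigned jars shadow the released artifact. In step 1, `$BEAMDIR` is never defined and the `cp -R` fails unless `tempLib/org/apache/beam` already exists, so a `mkdir -p` line before the copy would help.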
Member

Thank you for documenting this!

22 changes: 21 additions & 1 deletion vendor/calcite-1_28_0/build.gradle
Expand Up @@ -16,21 +16,35 @@
* limitations under the License.
*/

/**
* Vendored version of calcite.
*
* To upgrade:
* 1. Use mvn dependency:tree and/or https://search.maven.org/search?q=g:org.apache.calcite%20AND%20a:calcite-core
* to determine dependency tree. You may need to search for optional transitive dependencies
* and determine if they need to be added or upgraded (e.g. protobuf)
* 3. Validate built artifacts by running linkage tool
Member

I think the number here should be 2. and not 3.

* (https://github.com/apache/beam/tree/master/vendor#how-to-validate-the-vendored-dependencies)
* and unit and integration tests in a PR.
*/

plugins { id 'org.apache.beam.vendor-java' }

description = "Apache Beam :: Vendored Dependencies :: Calcite 1.28.0"

group = "org.apache.beam"
version = "0.1"
version = "0.2"

def calcite_version = "1.28.0"
def avatica_version = "1.19.0"
def protobuf_version = "3.19.2"
def prefix = "org.apache.beam.vendor.calcite.v1_28_0"

List<String> packagesToRelocate = [
"com.esri",
"com.fasterxml",
"com.google.common",
"com.google.gson",
"com.google.protobuf",
"com.google.thirdparty",
"com.google.uzaygezen",
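Review bot: The "To upgrade" steps in the header comment never mention bumping `version`, yet this same hunk moves it from "0.1" to "0.2". Add a step saying the vendored artifact version must be incremented whenever the shaded contents change, so a rebuilt jar with a different protobuf inside is never published under coordinates that already exist. It is also worth a line in the comment noting that any dependency added as an override has to be covered by `packagesToRelocate` (here `com.google.protobuf` is), since an unrelocated copy would leak onto users' classpaths.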
Expand All @@ -52,6 +66,12 @@ vendorJava(
"org.apache.calcite:calcite-core:$calcite_version",
"org.apache.calcite:calcite-linq4j:$calcite_version",
"org.apache.calcite.avatica:avatica-core:$avatica_version",

// BEAM-13616: Override the version of protobuf to patch a security vulnerability.
// This override can be removed once we upgrade to a newer version of calcite that
// depends on protobuf >= 3.19.2.
"com.google.protobuf:protobuf-java:$protobuf_version",
"com.google.protobuf:protobuf-java-util:$protobuf_version",
],
runtimeDependencies: [
library.java.slf4j_api,
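Review bot: The comment above the `protobuf-java` override cites only BEAM-13616 and "a security vulnerability", which leaves a future maintainer unable to tell when the override is safe to drop. Name the advisory identifier next to the issue key, and note which of the listed dependencies brings in the older protobuf transitively. Since the pin works by listing `com.google.protobuf:protobuf-java:$protobuf_version` as an extra dependency, please also confirm from the built jar or the dependency report that the shaded classes are really 3.19.2 and not the transitive version.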