HIVE-29705: Remediate critical CVEs in hive-druid-handler (HIVE-25013)#6589
HIVE-29705: Remediate critical CVEs in hive-druid-handler (HIVE-25013)#6589saihemanth-cloudera wants to merge 2 commits into
Conversation
There was a problem hiding this comment.
Pull request overview
This PR remediates critical CVEs in hive-druid-handler by removing the legacy Netty 3-based Druid HTTP client stack, updating/shading dependency versions (e.g., Netty 4, Jackson, async-http-client), and making the Druid handler optional in default distributions.
Changes:
- Replaced Druid’s Netty 3 HTTP client usage with a new Apache HttpClient-based wrapper (
HiveDruidHttpClient+ request/response wrappers). - Updated platform dependency versions (Netty 4.1.133.Final, Jackson 2.18.8) and pinned
async-http-client2.15.0 for shading. - Made
hive-druid-handleropt-in in distribution packaging via a newdruid-handlerMaven profile.
Reviewed changes
Copilot reviewed 18 out of 18 changed files in this pull request and generated 9 comments.
Show a summary per file
| File | Description |
|---|---|
| storage-api/pom.xml | Bumps shared Netty 4 version used by the build. |
| standalone-metastore/pom.xml | Updates Jackson and Netty versions for standalone metastore. |
| pom.xml | Updates Jackson/Netty versions and adds async-http-client version/dependency management. |
| packaging/pom.xml | Moves hive-druid-handler into an opt-in packaging profile. |
| druid-handler/pom.xml | Updates dependencies/exclusions/relocations to remove Netty 3 and shade patched deps. |
| druid-handler/src/test/org/apache/hadoop/hive/druid/serde/TestDruidSerDe.java | Updates tests/mocks to use the new HTTP client interface. |
| druid-handler/src/java/org/apache/hadoop/hive/druid/serde/DruidQueryRecordReader.java | Switches query execution from Druid Netty client to HiveDruidHttpClient. |
| druid-handler/src/java/org/apache/hadoop/hive/druid/security/RetryIfUnauthorizedResponseHandler.java | Removes Netty 3 response retry handler (obsolete with new client). |
| druid-handler/src/java/org/apache/hadoop/hive/druid/security/ResponseCookieHandler.java | Removes Netty 3 cookie handler (replaced by CookieManager usage). |
| druid-handler/src/java/org/apache/hadoop/hive/druid/security/KerberosHttpClient.java | Removes Netty 3 Kerberos HTTP client wrapper (replaced by new client). |
| druid-handler/src/java/org/apache/hadoop/hive/druid/security/DruidKerberosUtil.java | Makes Kerberos helper methods public for use by new HTTP client package. |
| druid-handler/src/java/org/apache/hadoop/hive/druid/io/DruidQueryBasedInputFormat.java | Updates request creation to use HiveDruidHttpRequest. |
| druid-handler/src/java/org/apache/hadoop/hive/druid/http/HiveDruidHttpResponse.java | Adds new response wrapper replacing Druid Netty 3 holders. |
| druid-handler/src/java/org/apache/hadoop/hive/druid/http/HiveDruidHttpRequest.java | Adds new request wrapper replacing Druid Netty 3 Request. |
| druid-handler/src/java/org/apache/hadoop/hive/druid/http/HiveDruidHttpClient.java | Introduces new Apache HttpClient-based client (async wrapper + Kerberos/cookie logic). |
| druid-handler/src/java/org/apache/hadoop/hive/druid/DruidStorageHandlerUtils.java | Updates request submission/redirect handling to use new client + wrappers. |
| druid-handler/src/java/org/apache/hadoop/hive/druid/DruidStorageHandler.java | Replaces lifecycle-based Netty client setup with new client + shutdown hook. |
| druid-handler/src/java/org/apache/hadoop/hive/druid/DruidKafkaUtils.java | Updates Druid supervisor calls to use new client + wrappers. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
|
| String redirectUrlStr = responseHolder.getHeader("Location"); | ||
| LOG.debug("Request[{}] received redirect response to location [{}].", request.getUrl(), redirectUrlStr); | ||
| final URL redirectUrl; | ||
| try { | ||
| redirectUrl = new URL(redirectUrlStr); |
| private HiveDruidHttpResponse innerExecute(HiveDruidHttpRequest request) throws IOException { | ||
| HiveDruidHttpRequest current = request.copy(); | ||
| boolean shouldRetryOnUnauthorized = prepareKerberosAuth(current); | ||
|
|
||
| while (true) { |
There was a problem hiding this comment.
Can we have any test covering Kerberos auth and retry on failure?
| * @param address of the host target. | ||
| * @param query druid query. | ||
| * @return Request object to be submitted. | ||
| */ |
| because the shaded handler bundles legacy transitive dependencies (Netty 3, | ||
| older Jackson) tracked under HIVE-25013 and CVE remediation work. --> | ||
| <dependencies> | ||
| <dependency> |
There was a problem hiding this comment.
This will exclude the Druid handler with current build command, is it intended?
| private HiveDruidHttpResponse innerExecute(HiveDruidHttpRequest request) throws IOException { | ||
| HiveDruidHttpRequest current = request.copy(); | ||
| boolean shouldRetryOnUnauthorized = prepareKerberosAuth(current); | ||
|
|
||
| while (true) { |
There was a problem hiding this comment.
Can we have any test covering Kerberos auth and retry on failure?
| <version>${jjwt.version}</version> | ||
| </dependency> | ||
| <dependency> | ||
| <groupId>org.asynchttpclient</groupId> |
There was a problem hiding this comment.
any reason why a new dependency is needed?



What changes were proposed in this pull request?
Replace Druid's Netty 3 HTTP client with Apache HttpClient to remove
io.netty:netty 3.x from the shaded druid-handler JAR (CVE-2019-20444).
Force patched async-http-client 2.15.0 and Jackson 2.18.8 into the shade,
bump platform Netty 4 to 4.1.133.Final, and make hive-druid-handler opt-in
via the druid-handler packaging profile so default distributions avoid
legacy transitive CVEs.
Why are the changes needed?
Avoid CVEs
Does this PR introduce any user-facing change?
No.
How was this patch tested?
Unit tests