HADOOP-18687. hadoop-auth: remove unnecessary dependency on json-smart

[mjwiq]

Description of PR

https://issues.apache.org/jira/browse/HADOOP-18687

json-smart is not used by hadoop-auth and the reason for including it (for nimbus-jose-jwt) is no longer valid since that package has json-smart shaded now.

How was this patch tested?

I ran the tests for hadoop-auth

For code changes:

• Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
• Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
• If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
• If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

[mjwiq]

I did not remove the entry from pom.xml in hadoop-project because it also sets the version for json-smart that is included as a transitive dependency in hdfs:

[INFO] org.apache.hadoop:hadoop-hdfs-client:jar:3.4.0-SNAPSHOT
[INFO] \- org.mock-server:mockserver-netty:jar:5.11.1:test
[INFO]    \- org.mock-server:mockserver-core:jar:5.11.1:test
[INFO]       \- com.jayway.jsonpath:json-path:jar:2.4.0:test
[INFO]          \- net.minidev:json-smart:jar:2.4.7:test

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 37s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+0 🆗	xmllint	0m 0s		xmllint was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ trunk Compile Tests _
+0 🆗	mvndep	15m 58s		Maven dependency ordering for branch
+1 💚	mvninstall	26m 15s		trunk passed
+1 💚	compile	23m 3s		trunk passed with JDK Ubuntu-11.0.18+10-post-Ubuntu-0ubuntu120.04.1
+1 💚	compile	20m 30s		trunk passed with JDK Private Build-1.8.0_362-8u362-ga-0ubuntu1~20.04.1-b09
+1 💚	mvnsite	1m 26s		trunk passed
+1 💚	javadoc	1m 25s		trunk passed with JDK Ubuntu-11.0.18+10-post-Ubuntu-0ubuntu120.04.1
+1 💚	javadoc	1m 18s		trunk passed with JDK Private Build-1.8.0_362-8u362-ga-0ubuntu1~20.04.1-b09
+1 💚	shadedclient	97m 19s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 29s		Maven dependency ordering for patch
+1 💚	mvninstall	0m 36s		the patch passed
+1 💚	compile	22m 36s		the patch passed with JDK Ubuntu-11.0.18+10-post-Ubuntu-0ubuntu120.04.1
+1 💚	javac	22m 36s		the patch passed
+1 💚	compile	20m 29s		the patch passed with JDK Private Build-1.8.0_362-8u362-ga-0ubuntu1~20.04.1-b09
-1 ❌	javac	20m 29s	/results-compile-javac-root-jdkPrivateBuild-1.8.0_362-8u362-ga-0ubuntu1~20.04.1-b09.txt	root-jdkPrivateBuild-1.8.0_362-8u362-ga-0ubuntu120.04.1-b09 with JDK Private Build-1.8.0_362-8u362-ga-0ubuntu120.04.1-b09 generated 1 new + 2625 unchanged - 0 fixed = 2626 total (was 2625)
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	mvnsite	1m 24s		the patch passed
+1 💚	javadoc	1m 19s		the patch passed with JDK Ubuntu-11.0.18+10-post-Ubuntu-0ubuntu120.04.1
+1 💚	javadoc	1m 19s		the patch passed with JDK Private Build-1.8.0_362-8u362-ga-0ubuntu1~20.04.1-b09
+1 💚	shadedclient	27m 20s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
+1 💚	unit	0m 31s		hadoop-project in the patch passed.
+1 💚	unit	3m 21s		hadoop-auth in the patch passed.
+1 💚	asflicense	0m 56s		The patch does not generate ASF License warnings.
		176m 46s

Subsystem	Report/Notes
Docker	ClientAPI=1.42 ServerAPI=1.42 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5524/1/artifact/out/Dockerfile
GITHUB PR	#5524
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint
uname	Linux 5ed0a8fd4f03 4.15.0-206-generic #217-Ubuntu SMP Fri Feb 3 19:10:13 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / 5a6bb63
Default Java	Private Build-1.8.0_362-8u362-ga-0ubuntu1~20.04.1-b09
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.18+10-post-Ubuntu-0ubuntu120.04.1 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_362-8u362-ga-0ubuntu1~20.04.1-b09
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5524/1/testReport/
Max. process+thread count	555 (vs. ulimit of 5500)
modules	C: hadoop-project hadoop-common-project/hadoop-auth U: .
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-5524/1/console
versions	git=2.25.1 maven=3.6.3
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[steveloughran]

+1
LGTM. any hdfs test dependency shouldn't affect anything in production, and the way maven works, probably won't go downstream

[steveloughran]

well spotted -thanks!

merged to trunk. can you make a PR for branch-3.3 and submit it through yetus as well, to see how it goes. thanks

[steveloughran]

ooh, had a thought here. I wonder if it makes it into the binary distro now, it if doesn't, we should review those LICENSE files and cut the reference.

[pjfanning]

json-smart has a CVE - would it be possible to upgrade com.jayway.jsonpath/json-path to the latest version (which also uses the latest version of json-smart - that is CVE free)?

[steveloughran]

so what artifacts do we need to pull in to be free of json-smart pain?

[pjfanning]

json-path lib needs json-smart but if we upgrade the json-path lib, we could theoretically remove the explicit json-smart dependency. I could do a PR as a POC.