[WIP][SPARK-32502][BUILD] Upgrade Guava to 27.0-jre

[viirya]

What changes were proposed in this pull request?

This PR upgrades Guava to newer 27.0-jre.

Why are the changes needed?

Guava 14.0.1 is pretty old and is among the affected Guava versions of CVE-2018-10237.

All newer Hadoop releases are going to be built with a later guava version, e.g. 27.0-jre, including Hadoop 3.1.3, 3.2.1, 3.3.0.

Does this PR introduce any user-facing change?

No

How was this patch tested?

Pass the Jenkins tests.

[SparkQA]

Test build #126931 has finished for PR 29326 at commit 68375f0.

• This patch fails due to an unknown error code, -9.
• This patch merges cleanly.
• This patch adds no public classes.

[maropu]

retest this please

[SparkQA]

Test build #126935 has finished for PR 29326 at commit 68375f0.

• This patch fails Spark unit tests.
• This patch merges cleanly.
• This patch adds no public classes.

[srowen]

Is this duplicated by #29325 ?
Yes, this can only happen for Hadoop 3.2.1+, so would at best be in the Hadoop 3.2 profile.

[viirya]

It is a trouble that hive-exec uses a method that became package-private since Guava version 20. So there is incompatibility with Guava versions > 19.0.

sbt.ForkMain$ForkError: sbt.ForkMain$ForkError: java.lang.IllegalAccessError: tried to access method com.google.common.collect.Iterators.emptyIterator()Lcom/google/common/collect/UnmodifiableIterator; from class org.apache.hadoop.hive.ql.exec.FetchOperator
	at org.apache.hadoop.hive.ql.exec.FetchOperator.<init>(FetchOperator.java:108)
	at org.apache.hadoop.hive.ql.exec.FetchTask.initialize(FetchTask.java:87)
	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:541)
	at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1317)
	at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1457)
	at org.apache.hadoop.hive.ql.Driver.run(Driver.java:1237)
	at org.apache.hadoop.hive.ql.Driver.run(Driver.java:1227)

hive-exec doesn't shade Guava until https://issues.apache.org/jira/browse/HIVE-22126 that targets 4.0.0.

This seems a dead end for upgrading Guava in Spark for now.

[viirya]

Opened https://issues.apache.org/jira/browse/HIVE-23980 and see if Hive people has some ideas.

[viirya]

I did some tests. Few changes are required to pass the failed Hive tests:

1. Shading Guava at hive-exec packaging and a few code changes to hive-common and hive-exec regarding Guava usage
2. Don't use core classifier for hive dependencies in Spark

But this just upgrades Guava version used in Spark. Hive dependencies still use older Guava with the reported CVE.

[dongjoon-hyun]

Thank you for assessment, @viirya . Is there an official plan for Apache Spark 4.0.0 release?

Actually, this is 3rd try after mine and @HyukjinKwon 's . So, I was curious about what is changed more until now. At that time, we dropped the old PRs because it's hard to expect to get shaded Apache Hive 2.3.8.

• [WIP][SPARK-29250][BUILD][test-hadoop3.2][test-maven] Upgrade to Hadoop 3.2.1 #25932
• [WIP][SPARK-29250][BUILD][test-hadoop3.2][test-maven] Upgrade to Hadoop 3.2.1 #27009

Apache Spark just migrated to Apache Hive 2.3. I don't think we can migrate to Apache Hive 4.0.0 in next one year.

cc @gatorsmile

[dongjoon-hyun]

BTW, shall we close for now? You can reopen this later when it's ready.

[viirya]

@dongjoon-hyun Thanks for the comment. Yeah, it doesn't make sense to upgrade to Hive 4 in short or midterm. I'm working on upgrade Guava 27 and shading Guava in Hive too. I hope it can be part of Hive 2.3.8.

I will close this for now. Once the work at Hive gets progress, I can reopen this. Thanks.

[dongjoon-hyun]

Thank you so much. Yes. I'm looking forward to seeing that~

[danielradulov]

Hi Guys, I am having problems with Guava on Spark 3.0.0 and 3.0.1 with Hadoop 3.2.1 and Hive 3.12.

I am using Spark Operator developed by Google, all seems to work fine except when I try to use Spark integrated with Hive Metastore. In this case I am facing the following error:

java.lang.NoSuchMethodError: com.google.common.base.Preconditions.checkArgument

I have tried several workarounds like replacing Guava, Spark spec on client "spark.executor.userClassPathFirst": "true" "spark.driver.userClassPathFirst": "true", shading Guava with maven-shade-plugin and unfortunately any of this alternatives are working properly.

I hope you can be able to upgrade Guava soon in Spark.

thanks.

[dongjoon-hyun]

Thank you for your opinion, @danielradulov . However, it's Apache Hive issue across Apache Hadoop versions.

except when I try to use Spark integrated with Hive Metastore.

Apache Hadoop 3.2.1 has a breaking Guava dependency change which breaks most downstream project. IIRC, there is no official Apache Hive version to work on Apache Hadoop 3.2.1. You had better ask the support to Apache Hive community.

Apache Spark community tried to upgrade to Apache Hadoop 3.2.1 (Sep. 2019) and gave up due to that.

• [WIP][SPARK-29250][BUILD][test-hadoop3.2][test-maven] Upgrade to Hadoop 3.2.1 #25932

[dbtsai]

One question, in https://issues.apache.org/jira/browse/HADOOP-14284 it seems that Hadoop shades the Guava dependency, why do we introduce breaking changes when we upgrade to Hadoop 3.2.1 or Hadoop 3.3?

[viirya]

Isn't HADOOP-14284 resolved as Invalid?

[dbtsai]

@viirya you are right. My bad.

[viirya]

try this again.

[viirya]

retest this please

[SparkQA]

Test build #140400 has started for PR 29326 at commit 4e6da9c.

[viirya]

retest this please

[dongjoon-hyun]

27.0-jre was released on October 2018. I'm wondering if we still need to use the same version from Hadoop. Since Apache Hadoop shaded its Guava dependency and Apache Spark doesn't use it, shall we try to use the latest one, 30.1.1-jre, instead?

All newer Hadoop releases are going to be built with a later guava version, e.g. 27.0-jre, including Hadoop 3.1.3, 3.2.1, 3.3.0.

[viirya]

I'm not against to this point. I can change to latest guava and see what CI tells.

[dongjoon-hyun]

Thanks. Ya, let's try with the latest one.

[SparkQA]

Kubernetes integration test unable to build dist.

exiting with code: 1
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/44945/

[SparkQA]

Test build #140430 has finished for PR 29326 at commit 4e6da9c.

• This patch fails Spark unit tests.
• This patch merges cleanly.
• This patch adds the following public classes (experimental):
• class GroupBy(Generic[FrameLike], metaclass=ABCMeta):
• class SparkIndexOpsMethods(Generic[IndexOpsLike], metaclass=ABCMeta):
• class RollingAndExpanding(Generic[FrameLike], metaclass=ABCMeta):
• class RollingLike(RollingAndExpanding[FrameLike]):
• class Rolling(RollingLike[FrameLike]):
• class RollingGroupby(RollingLike[FrameLike]):
• class ExpandingLike(RollingAndExpanding[FrameLike]):
• class Expanding(ExpandingLike[FrameLike]):
• class ExpandingGroupby(ExpandingLike[FrameLike]):
• sealed trait FieldPosition extends LeafExpression with Unevaluable
• case class UnresolvedFieldPosition(
• case class ResolvedFieldName(path: Seq[String], field: StructField) extends FieldName
• case class ResolvedFieldPosition(position: ColumnPosition) extends FieldPosition
• case class ArraysZip(children: Seq[Expression], names: Seq[Expression])
• case class AlterTableAlterColumn(
• case class ShowCreateTableExec(

[SparkQA]

Kubernetes integration test unable to build dist.

exiting with code: 1
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/44948/

[SparkQA]

Test build #140434 has finished for PR 29326 at commit 74d5fbd.

• This patch fails Spark unit tests.
• This patch merges cleanly.
• This patch adds no public classes.

[viirya]

retest this please

[SparkQA]

Kubernetes integration test unable to build dist.

exiting with code: 1
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/45001/

[SparkQA]

Test build #140501 has finished for PR 29326 at commit d5e8ff8.

• This patch fails Spark unit tests.
• This patch merges cleanly.
• This patch adds no public classes.

[SparkQA]

Kubernetes integration test unable to build dist.

exiting with code: 1
URL: https://amplab.cs.berkeley.edu/jenkins/job/SparkPullRequestBuilder-K8s/45011/

[viirya]

Hmm, from the failed tests below:

org.apache.spark.sql.hive.DataSourceWithHiveMetastoreCatalogSuite
org.apache.spark.sql.hive.HiveExternalCatalogSuite
org.apache.spark.sql.hive.StatisticsSuite

Since Guava 20, com.google.common.collect.Iterators.emptyIterator() is not public anymore. But I don't get it because Hive 2.3.8/2.3.9 shaded guava in hive-exec. Why it will use the newer guava upgraded here?

java.lang.IllegalAccessError: tried to access method com.google.common.collect.Iterators.emptyIterator()Lcom/google/common/collect/UnmodifiableIterator; from class org.apache.hadoop.hive.ql.exec.FetchOperator
	at org.apache.hadoop.hive.ql.exec.FetchOperator.<init>(FetchOperator.java:108)
	at org.apache.hadoop.hive.ql.exec.FetchTask.initialize(FetchTask.java:87)
	at org.apache.hadoop.hive.ql.Driver.compile(Driver.java:541)
	at org.apache.hadoop.hive.ql.Driver.compileInternal(Driver.java:1317)
	at org.apache.hadoop.hive.ql.Driver.runInternal(Driver.java:1457)
	at org.apache.hadoop.hive.ql.Driver.run(Driver.java:1237)
	at org.apache.hadoop.hive.ql.Driver.run(Driver.java:1227)
	at org.apache.spark.sql.hive.client.HiveClientImpl.$anonfun$runHive$1(HiveClientImpl.scala:831)

I seems figured it out. Verifying it locally...

[viirya]

Encountered some issues.

Although we can switch to hive-exec without classifier (shaded version) to get rid of above guava version issue, the shaded hive-exec contains (without relocation) some dependencies like commons-lang3, orc, parquet that are not same version with Spark and so they conflict.

Because shaded hive-exec jar already includes these dependency jars, seems dependency exclusions in pom cannot exclude them.

Currently seems we can just go back to Hive to shade every included dependencies? Any other thoughts?

[sunchao]

Oh I didn't even realize that Spark is using hive-exec-core jar. Does that mean it doesn't take advantage of the Guava shading from Hive 2.3.8+ at all?

One idea is to have Spark use hadoop-shaded-guava which is also 30.1.1-jre. It also makes sure that Spark always use the same Guava version as Hadoop.

[viirya]

Oh I didn't even realize that Spark is using hive-exec-core jar. Does that mean it doesn't take advantage of the Guava shading from Hive 2.3.8+ at all?

Yea, I'm afraid that it is true. If we want to completely isolate dependencies from Hive, we may need to relocate all included (but not relocated) dependencies in hive-exec w/o classifier.

One idea is to have Spark use hadoop-shaded-guava which is also 30.1.1-jre. It also makes sure that Spark always use the same Guava version as Hadoop.

Even Spark uses hadoop-shaded-guava, but hive-exec still needs older Guava if we cannot use the version w/o classifier (due to other dependencies e.g. common-lang3, orc, parquet..)

[sunchao]

Hmm yea you are right, but shading the other dependencies will require another release though.

Another thing we could try is to change IsolatedClientLoader#isSharedClassand have the Hive client to use its own version of common-lang3 etc, if there is a conflict.

[viirya]

Hmm, I looked at isSharedClass, looks like common-lang3, orc, etc. are already non-shared classes.

[sunchao]

Yeah that looks right. It seems for the case when spark.sql.hive.metastore.jars=builtin the isolated client loader doesn't really provide isolated classpaths for Hive.

[viirya]

#33989 seems a promising direction. Close this.