HADOOP-19696. hadoop binary distribution to move cloud connectors to hadoop common/lib (#7980)

[steveloughran]

This moves all the cloud connector libraries to common/lib There are specific build options to control which libraries to include The hadoop-* JARs of the modules are includes, but dependencies are only included when the build-time options specify it.

Available package profiles:
hadoop-aliyun-package
hadoop-aws-package
hadoop-azure-datalake-package
hadoop-cos-package
hadoop-huaweicloud-package

This means that by default AWS bundle.jar is no longer included in the distribution: to add it users must drop their chosen version of the SDK into share/hadoop/common/lib

Anyone building their own release now has a choice of which connectors to bundle. The ASF ones will stay fairly lean to reduce the CVE attack surface as well as keep package size under control.

This is the branch-3.4 variant which cuts out connector that are not present (tos, gcp).

How was this patch tested?

Manual builds; another in progress.

LICENSE-binary validated by looking at dependencie of hadoop-cloud-storage, making sure the needed ones were there and deleting some which didn't appear any more.

For code changes:

• Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
• Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
• If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
• If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

[steveloughran]

restore hadoop-aliyun-package

[steveloughran]

cut

[steveloughran]

restore hadoop-aliyun-package docs

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 58s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+0 🆗	shelldocs	0m 0s		Shelldocs was not available.
+0 🆗	xmllint	0m 0s		xmllint was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
+1 💚	test4tests	0m 0s		The patch appears to include 1 new or modified test files.
			_ branch-3.4 Compile Tests _
+0 🆗	mvndep	2m 12s		Maven dependency ordering for branch
+1 💚	mvninstall	21m 55s		branch-3.4 passed
+1 💚	compile	9m 5s		branch-3.4 passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	compile	8m 0s		branch-3.4 passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚	checkstyle	1m 56s		branch-3.4 passed
+1 💚	mvnsite	14m 38s		branch-3.4 passed
+1 💚	javadoc	4m 47s		branch-3.4 passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	javadoc	4m 39s		branch-3.4 passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+0 🆗	spotbugs	0m 13s		branch/hadoop-project no spotbugs output file (spotbugsXml.xml)
+0 🆗	spotbugs	0m 11s		branch/hadoop-assemblies no spotbugs output file (spotbugsXml.xml)
-1 ❌	spotbugs	16m 43s	/branch-spotbugs-root-warnings.html	root in branch-3.4 has 1 extant spotbugs warnings.
+0 🆗	spotbugs	0m 15s		branch/hadoop-tools/hadoop-tools-dist no spotbugs output file (spotbugsXml.xml)
+1 💚	shadedclient	18m 49s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 23s		Maven dependency ordering for patch
+1 💚	mvninstall	18m 34s		the patch passed
+1 💚	compile	8m 45s		the patch passed with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04
+1 💚	javac	8m 45s		the patch passed
+1 💚	compile	8m 12s		the patch passed with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
+1 💚	javac	8m 12s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	checkstyle	1m 58s		the patch passed
+1 💚	mvnsite	11m 35s		the patch passed
+1 💚	shellcheck	0m 0s		No new issues.
-1 ❌	javadoc	4m 42s	/results-javadoc-javadoc-root-jdkUbuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04.txt	root-jdkUbuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04 with JDK Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04 generated 10 new + 5675 unchanged - 10 fixed = 5685 total (was 5685)
-1 ❌	javadoc	4m 40s	/results-javadoc-javadoc-root-jdkPrivateBuild-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09.txt	root-jdkPrivateBuild-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09 with JDK Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09 generated 10 new + 1429 unchanged - 10 fixed = 1439 total (was 1439)
+0 🆗	spotbugs	0m 14s		hadoop-project has no data from spotbugs
+0 🆗	spotbugs	0m 13s		hadoop-assemblies has no data from spotbugs
+0 🆗	spotbugs	0m 14s		hadoop-tools/hadoop-tools-dist has no data from spotbugs
+0 🆗	spotbugs	0m 16s		hadoop-cloud-storage-project/hadoop-cloud-storage-dist has no data from spotbugs
+1 💚	shadedclient	18m 49s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
-1 ❌	unit	634m 43s	/patch-unit-root.txt	root in the patch passed.
-1 ❌	asflicense	0m 53s	/results-asflicense.txt	The patch generated 1 ASF License warnings.
		845m 29s

Reason	Tests
Failed junit tests	hadoop.mapred.gridmix.TestSleepJob
	hadoop.mapred.gridmix.TestGridmixSubmission
	hadoop.mapred.gridmix.TestLoadJob

Subsystem	Report/Notes
Docker	ClientAPI=1.52 ServerAPI=1.52 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8094/1/artifact/out/Dockerfile
GITHUB PR	#8094
Optional Tests	dupname asflicense codespell detsecrets shellcheck shelldocs compile javac javadoc mvninstall mvnsite unit shadedclient xmllint spotbugs checkstyle
uname	Linux 5698d08ecfea 5.15.0-156-generic #166-Ubuntu SMP Sat Aug 9 00:02:46 UTC 2025 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	branch-3.4 / 026c9ba
Default Java	Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.27+6-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_452-8u452-gaus1-0ubuntu120.04-b09
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8094/1/testReport/
Max. process+thread count	4336 (vs. ulimit of 5500)
modules	C: hadoop-project hadoop-assemblies hadoop-common-project/hadoop-common hadoop-tools/hadoop-tools-dist hadoop-tools/hadoop-aws hadoop-cloud-storage-project/hadoop-huaweicloud hadoop-cloud-storage-project . hadoop-cloud-storage-project/hadoop-cloud-storage-dist U: .
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-8094/1/console
versions	git=2.25.1 maven=3.6.3 spotbugs=4.2.2 shellcheck=0.7.0
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[pan3793]

Hmm... I feel this is a surprising change for branch-3.4

[steveloughran]

@pan3793 I understand your concerns but this is actually a packaging improvement

The current build

• contains a tools/lib/bundle.jar for aws, which is too big for distribution
• doesn't put anyone elses cloud connector on the classpath. People doing their own distros end up moving them or doing other classpath stuff.
• forces a release process where we have to take the full tar, untar it, remove that bundle.tar, rebuild and sign again: https://github.com/apache/hadoop-release-support/blob/main/build.xml#L1315

moving the hadoop-* cloud libs into common-lib but leaving out dependencies means the stuff is in the right place, provided users manually add the dependencies (which I'm not going to build with except for hadoop-azure as that's the httpclient and wildfly libs we use elsewhere.

This makes releasing easier, and it makes adding the dependencies easier as the current setup requires a user to add the specific bundle-jar version the release was built with, same for the other components.

That's why this change has been a blocker for a 3.4.3 release -the release process itself is what needs fixing

[pan3793]

@steveloughran I understand it's a little bit tricky for creating the lean tarball (should be similar to aarch tarball?), given that it already has a working script for it, I don't think it's a blocker for the 3.4 patching releases. TBH, I think Hadoop is currently kind of an abuse of patch releases, the recent patch releases contain more features than bug fixes, and even breaking changes.

[steveloughran]

I think Hadoop is currently kind of an abuse of patch releases, the recent patch releases contain more features than bug fixes, and even breaking changes.

I've been trying to keep 3.4.3 low diff-wise to 3.4.2, balancing out the need for a lot of those transient CVE fixes. Other than anything related to avro updates, everything api-wise shouldn't be causing regressions.

I'd like 3.4.3 to be the last java8 release, though I suspect we may need some dependency update releases next year. It's got a stabilisation of the aws analytics reader, but the only breaking change there is we change the default to "on"...people can switch back.

maybe we should discuss this on common-dev?

[pan3793]

@steveloughran, I may not have enough background to comment on all the changes. Specific to this PR, I wonder

• How does it affect hadoop classpath? As far as I know, many downstream projects require adding the output of hadoop classpath to their classpath.
• I suppose it has no effect on hadoop-client-* jars, right?
• Which maven profiles will be enabled by the Apache binary release? in other words, how to reproduce it from the source release locally?

Compile/release is one-time stuff, while install/setup is more frequent, I would rather not have such a change in a patch release if it is not a blocker, but only makes the release process easier. Anyway, I don't have a binding veto, and I trust your authority in the Hadoop project.

[steveloughran]

How does it affect hadoop classpath? As far as I know, many downstream projects require adding the output of hadoop classpath to their classpath.

• does nothing for maven/gradle imports of hadoop-cloud-storage
• if you add hadoop/common/* and hadoop/commmon/lib/* to your CP you may now get more cloud connectors

I suppose it has no effect on hadoop-client-* jars, right?

correct

Which maven profiles will be enabled by the Apache binary release? in other words, how to reproduce it from the source release locally?

It doesn't set any of the new profiles, meaning the hadoop-* jars will be there, abfs will work (limited dependendencies) but anything else needs extra jars added.

FWIW third-party cloud deployments (EMR, azure etc) all get their connectors onto the classpath, somehow. And because hadoop-aws has a bit of bash script in its src/main, somehow it gets into "bin/hadoop fs" commands...the shell script wiring up logic does this.

[pan3793]

How does it affect hadoop classpath? As far as I know, many downstream projects require adding the output of hadoop classpath to their classpath.

• does nothing for maven/gradle imports of hadoop-cloud-storage
• if you add hadoop/common/* and hadoop/commmon/lib/* to your CP you may now get more cloud connectors

I specifically mean the output of the command hadoop classpath, which is used in many projects, e.g., Flink, to guide users for Hadoop integration.

• Important Make sure that the HADOOP_CLASSPATH environment variable is set up (it can be checked by running echo $HADOOP_CLASSPATH). If not, set it up using

  export HADOOP_CLASSPATH=`hadoop classpath`

https://nightlies.apache.org/flink/flink-docs-release-2.1/docs/deployment/resource-providers/yarn/

but according to the answer to the next question, it seems fine.

Which maven profiles will be enabled by the Apache binary release? in other words, how to reproduce it from the source release locally?

It doesn't set any of the new profiles, meaning the hadoop-* jars will be there, abfs will work (limited dependendencies) but anything else needs extra jars added.

@steveloughran, thanks for your detailed explanation. I don't have more questions

[steveloughran]

@pan3793 happy to explain, and happy to hear your concerns.

the build is set to keep out all the new transitive dependencies as much for security reasons as size: fewer dependencies, fewer dependabot alerts about CVEs, fewer jars to keep updating.

but the hadoop-gcs and hadoop-cos (or is it hadoop-tos? it's 3.5+ only I think) both build shaded releases with all their dependencies in their JARs if you do a -Pdist build, which of course ASF releases do. This makes for bigger artifacts but not so big that they create a distribution problem...and that shading makes direct use of the fs through an import of the jar or hadoop-cloud-storage pom easier. Changing that packaging to not do the shading adds many, many more libraries to hadoop common (all enumerated and listed in LICENSE-binary), and would complicate use through maven declarations: classpath hell.

Although I don't use Aliyun, tos, cos, volcano connectors myself, I don't want to do anything to stop them being used, and with these changes make it easy for people to build a hadoop-release with out-the-box support for them.

FWIW, in cloudera we

• keep hadoop-aws and hadoop-azure in tools/lib
• and add google gcs (not the one in trunk, the original)
• plus some associated auth/permissions
• somehow add them to the classpath for FS commands
• and strip out the hadoop-cos artifact as its sdk caused problems talking to newer s3 regions due to an outdated mozilla/public-suffix-list.txt resource confusing aws sdk about what were toplevel domains. Good bug to track down :)