zhouyifan279 opened a new pull request, #35:
URL: https://github.com/apache/kyuubi-shaded/pull/35

   ### _Why are the changes needed?_
   
   org.apache.thrift:libthrift:0.9.3 has several CVEs:
   - CVE-2020-13949 - THRIFT-5237 (fixed in 0.14.0) - https://github.com/apache/thrift/pull/2191
   - CVE-2019-0205 - THRIFT-4053 (fixed in 0.11.0) - https://github.com/apache/thrift/pull/1371
   - CVE-2018-1320 - THRIFT-4506 (fixed in 0.9.3.1)
   
   HiveMetaStoreClient of Hive 2.3.9 depends on libthrift:0.9.3 and Kyuubi 
currently uses it to get HMS delegation token.
   
   As Kyuubi only uses HiveMetaStoreClient to get delegation token, we think it is better to create a lightweight HiveMetaStoreClient with only the necessary API so that we can:
   - Decouple Kyuubi's libthrift version from Hive
   - Remove unnecessary dependencies introduced by vanilla HiveMetaStoreClient
   
   ### _How was this patch tested?_
   - [ ] Add some test cases that check the changes thoroughly including 
negative and positive cases if possible
   
   - [x] Add screenshots for manual tests if appropriate
   
   
   - [ ] [Run test](https://kyuubi.readthedocs.io/en/master/develop_tools/testing.html#running-tests) locally before making a pull request
   


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
