HADOOP-18962. Upgrade kafka to 3.4.0

[dmmkr]

Description of PR

Upgrade kafka to 3.4.0 to fix CVE

How was this patch tested?

Built on local. ran unit tests of hadoop-tools/hadoop-kafka project

For code changes:

• Does the title or this PR starts with the corresponding JIRA issue id (e.g. 'HADOOP-17799. Your PR title ...')?
• Object storage: have the integration tests been executed and the endpoint declared according to the connector-specific documentation?
• If adding new dependencies to the code, are these dependencies licensed in a way that is compatible for inclusion under ASF 2.0?
• If applicable, have you updated the LICENSE, LICENSE-binary, NOTICE-binary files?

[hadoop-yetus]

💔 -1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 27s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+0 🆗	xmllint	0m 0s		xmllint was not available.
+0 🆗	shelldocs	0m 0s		Shelldocs was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
-1 ❌	test4tests	0m 0s		The patch doesn't appear to include any new or modified tests. Please justify why no new tests are needed for this patch. Also please list what manual steps were performed to verify this patch.
			_ trunk Compile Tests _
+0 🆗	mvndep	13m 54s		Maven dependency ordering for branch
+1 💚	mvninstall	19m 25s		trunk passed
+1 💚	compile	9m 14s		trunk passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚	compile	8m 21s		trunk passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+1 💚	mvnsite	12m 33s		trunk passed
+1 💚	javadoc	5m 35s		trunk passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚	javadoc	4m 53s		trunk passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+1 💚	shadedclient	30m 6s		branch has no errors when building and testing our client artifacts.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 30s		Maven dependency ordering for patch
+1 💚	mvninstall	17m 28s		the patch passed
+1 💚	compile	9m 3s		the patch passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚	javac	9m 3s		the patch passed
+1 💚	compile	8m 17s		the patch passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+1 💚	javac	8m 17s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	mvnsite	8m 6s		the patch passed
+1 💚	shellcheck	0m 0s		No new issues.
+1 💚	javadoc	5m 34s		the patch passed with JDK Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04
+1 💚	javadoc	4m 51s		the patch passed with JDK Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
+1 💚	shadedclient	31m 25s		patch has no errors when building and testing our client artifacts.
			_ Other Tests _
-1 ❌	unit	224m 32s	/patch-unit-root.txt	root in the patch failed.
+0 🆗	asflicense	0m 31s		ASF License check generated no output?
		397m 51s

Reason	Tests
Failed junit tests	hadoop.hdfs.server.balancer.TestBalancerWithSaslDataTransfer
	hadoop.hdfs.server.datanode.TestDataNodeErasureCodingMetrics
	hadoop.hdfs.server.datanode.TestDataNodeReconfiguration
	hadoop.hdfs.server.datanode.TestBatchIbr
	hadoop.hdfs.server.datanode.TestNNHandlesCombinedBlockReport
	hadoop.hdfs.server.datanode.TestCachingStrategy
	hadoop.hdfs.server.datanode.TestDataNodeVolumeFailureReporting
	hadoop.hdfs.server.datanode.TestBlockScanner
	hadoop.hdfs.server.datanode.TestHSync
	hadoop.hdfs.server.balancer.TestBalancerWithEncryptedTransfer
	hadoop.hdfs.server.datanode.TestDataNodeMultipleRegistrations

Subsystem	Report/Notes
Docker	ClientAPI=1.43 ServerAPI=1.43 base: https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6247/1/artifact/out/Dockerfile
GITHUB PR	#6247
Optional Tests	dupname asflicense compile javac javadoc mvninstall mvnsite unit shadedclient codespell detsecrets xmllint shellcheck shelldocs
uname	Linux 887bae761035 4.15.0-213-generic #224-Ubuntu SMP Mon Jun 19 13:30:12 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/bin/hadoop.sh
git revision	trunk / ea5be17
Default Java	Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
Multi-JDK versions	/usr/lib/jvm/java-11-openjdk-amd64:Ubuntu-11.0.20.1+1-post-Ubuntu-0ubuntu120.04 /usr/lib/jvm/java-8-openjdk-amd64:Private Build-1.8.0_382-8u382-ga-1~20.04.1-b05
Test Results	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6247/1/testReport/
Max. process+thread count	3552 (vs. ulimit of 5500)
modules	C: hadoop-project . U: .
Console output	https://ci-hadoop.apache.org/job/hadoop-multibranch/job/PR-6247/1/console
versions	git=2.25.1 maven=3.6.3 shellcheck=0.7.0
Powered by	Apache Yetus 0.14.0 https://yetus.apache.org

This message was automatically generated.

[steveloughran]

looking at the other import changes. #6842 updates org.lz4:lz4-java:1.8.0 as well.

can someone do a full hadoop distro build and show what's in the lib folders so we can see what is really there?

[steveloughran]

where does this change come from? a transient import of kafka?

[fuchaohong]

Updated LICENSE-binary based on the following result.
$mvn dependency:tree -pl hadoop-tools/hadoop-kafka
...
[INFO] +- org.apache.kafka:kafka-clients:jar:3.4.0:compile
[INFO] | +- com.github.luben:zstd-jni:jar:1.5.2-1:runtime
[INFO] | \- org.lz4:lz4-java:jar:1.7.1:runtime

it's right, org.lz4:lz4-java does not require updates.

[steveloughran]

LGTM
+1

[steveloughran]

ok, merged. can someone do cherrypick PRs for

• branch-3.4
• branch-3.3

so that the next release of either of these gets the fix too. thanks!