Defer initialization of AlluxioMetastoreModule

Some of these modules are depending on third-party libraries (e.g. Alluxio), which may have some security vulnerabilities; they should be benign if the particular module is not enabled, but instantiation of the module class may trigger loading and initialization of some code from these libraries anyway. For this particular module we want to make some preemptive action, because it is unmaintained (though still used).
trinodb · May 26, 2022 · 1da52b3 · 1da52b3
1 parent a6e9401
commit 1da52b3
Showing 1 changed file with 24 additions and 2 deletions.
diff --git a/plugin/trino-hive/src/main/java/io/trino/plugin/hive/metastore/HiveMetastoreModule.java b/plugin/trino-hive/src/main/java/io/trino/plugin/hive/metastore/HiveMetastoreModule.java
@@ -16,7 +16,6 @@
 import com.google.inject.Binder;
 import com.google.inject.Module;
 import io.airlift.configuration.AbstractConfigurationAwareModule;
-import io.trino.plugin.hive.metastore.alluxio.AlluxioMetastoreModule;
 import io.trino.plugin.hive.metastore.file.FileMetastoreModule;
 import io.trino.plugin.hive.metastore.glue.GlueMetastoreModule;
 import io.trino.plugin.hive.metastore.thrift.ThriftMetastoreModule;
@@ -45,7 +44,10 @@ protected void setup(Binder binder)
             bindMetastoreModule("thrift", new ThriftMetastoreModule());
             bindMetastoreModule("file", new FileMetastoreModule());
             bindMetastoreModule("glue", new GlueMetastoreModule());
-            bindMetastoreModule("alluxio", new AlluxioMetastoreModule());
+            // Load Alluxio metastore support through reflection. This makes Alluxio effectively an optional dependency
+            // and allows deploying Trino without the Alluxio jar. Can be useful if the integration is unused and is flagged
+            // by a security scanner.
+            bindMetastoreModule("alluxio", deferredModule("io.trino.plugin.hive.metastore.alluxio.AlluxioMetastoreModule"));
         }
 
         install(new DecoratedHiveMetastoreModule());
@@ -58,4 +60,24 @@ private void bindMetastoreModule(String name, Module module)
                 metastore -> name.equalsIgnoreCase(metastore.getMetastoreType()),
                 module));
     }
+
+    private static Module deferredModule(String moduleClassName)
+    {
+        return new AbstractConfigurationAwareModule()
+        {
+            @Override
+            protected void setup(Binder binder)
+            {
+                try {
+                    install(Class.forName(moduleClassName)
+                            .asSubclass(Module.class)
+                            .getConstructor()
+                            .newInstance());
+                }
+                catch (ReflectiveOperationException e) {
+                    throw new RuntimeException("Problem loading module class: " + moduleClassName, e);
+                }
+            }
+        };
+    }
 }