[ https://issues.apache.org/jira/browse/HADOOP-12579?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Kai Zheng updated HADOOP-12579:
-------------------------------
Attachment: HADOOP-12579-v1.patch
Uploaded the initial patch according to the above discussions:
* Removed {{WritableRpcEngine}} from production code to test, considering
there are still many valuable tests using it.
* As [~cnauroth] said, made {{ProtobufRpcEngine}} the default RPC engine
instead of WritableRpcEngine. The effect might be what we really want to
achieve here. So now, to use WritableRpcEngine (now only possible in tests), one
must explicitly call {{RPC#setProtocolEngine}} first.
* Updated the tests explicitly using WritableRpcEngine, to keep the original
test behaviour. Some of these tests are still valuable because they test some
other IPC aspects, and for those, we may port them to use protocol buffers as
follow-on tasks; some of them may be abandoned.
Would suggest we still keep the engine in test scope and the related test
code; anyhow, we still keep the {{RPC_BUILTIN}} kind.
Very probably missed some places to clean up; please kindly point them out. Have run
all the IPC tests locally.
Not sure how to deprecate it for the 2.6 branch yet, in addition to annotating the
class with {{deprecated}}.
> Deprecate and remove WriteableRPCEngine
> ---------------------------------------
>
> Key: HADOOP-12579
> URL: https://issues.apache.org/jira/browse/HADOOP-12579
> Project: Hadoop Common
> Issue Type: Improvement
> Reporter: Haohui Mai
> Attachments: HADOOP-12579-v1.patch
>
>
> The {{WriteableRPCEngine}} depends on Java's serialization mechanisms for RPC
> requests. Without proper checks, it has been shown that it can lead to security
> vulnerabilities such as remote code execution (e.g., COLLECTIONS-580,
> HADOOP-12577).
> The current implementation has migrated from {{WriteableRPCEngine}} to
> {{ProtobufRPCEngine}} now. This jira proposes to deprecate
> {{WriteableRPCEngine}} in branch-2 and to remove it in trunk.