trino icon indicating copy to clipboard operation
trino copied to clipboard

Published 20 hours ago verified publisher icon trinodb

Slate Alluxio integration for removal

Open findepi opened this issue 2 years ago • 2 comments

The Alluxio integration does not seem actively maintained and seems to have quite small user base (for example, searching for Alluxio over Trino Slack discussions since Jan 2022 didn't return any users using Alluxio). Yet, as any integration, it causes problems as security scanners sometimes flag Alluxio shaded client jar as being affected by some CVE vulnerabilities.

Mark Alluxio integration as deprecated.

findepi avatar Aug 09 '22 09:08 findepi

cc @apc999 @rongrong, thoughts?

martint avatar Aug 09 '22 20:08 martint

@findepi, are those reports from scanners real security issues or false positives?

martint avatar Aug 09 '22 20:08 martint

@electrum is probably better positioned to answer this question. I only know some users are concerned, but i don't know whether soundly so.

findepi avatar Aug 11 '22 12:08 findepi

Is there other concerns besides the security issues? Our latest release has fixed those issues. We just need to upgrade the dependency. @beinan is working on that.

rongrong avatar Aug 12 '22 15:08 rongrong

We just need to upgrade the dependency. @beinan is working on that.

I am aware of https://github.com/trinodb/trino/pull/13609 and that it has been merged.

findepi avatar Aug 12 '22 16:08 findepi

There are two separate aspects of Alluxio integration:

  • Metastore
  • Caching layer

I don't think we should remove the caching layer -- there's evidence of usage in the wild (e.g, https://engineering.razorpay.com/how-trino-and-alluxio-power-analytics-at-razorpay-803d3386daaf), and Alluxio cache is still a supported product with a company behind it.

Regarding the Alluxio Metastore, I would like to hear from @rongrong, @beinan and @apc999 whether that product is still supported and whether there are any Trino users on it.

martint avatar Aug 22 '22 18:08 martint

There are two separate aspects of Alluxio integration:

  • Metastore
  • Caching layer

I don't think we should remove the caching layer -- there's evidence of usage in the wild (e.g, https://engineering.razorpay.com/how-trino-and-alluxio-power-analytics-at-razorpay-803d3386daaf), and Alluxio cache is still a supported product with a company behind it.

Regarding the Alluxio Metastore, I would like to hear from @rongrong, @beinan and @apc999 whether that product is still supported and whether there are any Trino users on it.

Thank you @martint and @findepi for looking into this! I know a couple of users (e.g. a telecom operator in China) are still use the metastore from Alluixo, though this feature is not actively supported and might be rewrite in the future.

beinan avatar Aug 22 '22 18:08 beinan

Dropping Alluxio metastore support would resolve https://github.com/trinodb/trino/issues/13270. if Alluxio metastore is not supported by Alluxio itself, this is what we should do. am i hearing you right @beinan?

BTW this PR is about the metastore part. I updated the PR title to reflect that.

findepi avatar Aug 22 '22 18:08 findepi

Do we want to include a release note for this?

colebow avatar Aug 29 '22 17:08 colebow

@colebow good idea

findepi avatar Aug 30 '22 10:08 findepi