[FLINK-15868][kinesis] Resolve version conflict between jackson-core and jackson-dataformat-cbor

[tweise]

What is the purpose of the change

For the Kinesis consumer to work, jackson-core and jackson-dataformat-cbor need to be at the same version. This change will ensure that users get the same version w/o having to override the jackson-dataformat-cbor dependency.

Note that the versions are consistent in https://mvnrepository.com/artifact/com.amazonaws/aws-java-sdk-core/1.11.603 - the problem was introduced by the dependency management in Flink.

Verifying this change

Run mvn dependency:tree on a downstream project and check that versions are same. Was also tested with the 1.10 RC1 with one of our internal deployments.

Does this pull request potentially affect one of the following parts:

• Dependencies (does it add or upgrade a dependency): (yes / no)
• The public API, i.e., is any changed class annotated with @Public(Evolving): (yes / no)
• The serializers: (yes / no / don't know)
• The runtime per-record code paths (performance sensitive): (yes / no / don't know)
• Anything that affects deployment or recovery: JobManager (and its components), Checkpointing, Yarn/Mesos, ZooKeeper: (yes / no / don't know)
• The S3 file system connector: (yes / no / don't know)

Documentation

• Does this pull request introduce a new feature? (yes / no)
• If yes, how is the feature documented? (not applicable / docs / JavaDocs / not documented)

[flinkbot]

Thanks a lot for your contribution to the Apache Flink project. I'm the @flinkbot. I help the community
to review your pull request. We will use this comment to track the progress of the review.

Automated Checks

Last check on commit af2a640 (Mon Feb 03 23:21:52 UTC 2020)

Warnings:

• 1 pom.xml files were touched: Check for build and licensing issues.
• No documentation files were touched! Remember to keep the Flink docs up to date!

_{Mention the bot in a comment to re-run the automated checks.}

Review Progress

• ❓ 1. The [description] looks good.
• ❓ 2. There is [consensus] that the contribution should go into to Flink.
• ❓ 3. Needs [attention] from.
• ❓ 4. The change fits into the overall [architecture].
• ❓ 5. Overall code [quality] is good.

Please see the Pull Request Review Guide for a full explanation of the review process.

The Bot is tracking the review progress through labels. Labels are applied according to the order of the review items. For consensus, approval by a Flink committer of PMC member is required

Bot commands

The @flinkbot bot supports the following commands:

• @flinkbot approve description to approve one or more aspects (aspects: description, consensus, architecture and quality)
• @flinkbot approve all to approve all aspects
• @flinkbot approve-until architecture to approve everything until architecture
• @flinkbot attention @username1 [@username2 ..] to require somebody's attention
• @flinkbot disapprove architecture to remove an approval you gave earlier

[flinkbot]

CI report:

• af2a640 Travis: SUCCESS Azure: FAILURE
• 6ab5029 Travis: FAILURE Azure: FAILURE
• f79154d Travis: FAILURE Azure: FAILURE
• 6c424da Travis: FAILURE Azure: FAILURE
• 7e5471a Travis: FAILURE Azure: SUCCESS

Bot commands

The @flinkbot bot supports the following commands:

• @flinkbot run travis re-run the last Travis build
• @flinkbot run azure re-run the last Azure build

[carp84]

+1

[tillrohrmann]

Thanks for creating this PR @tweise. I think the change goes in the right direction. However, it does not updates the corresponding NOTICE files. Here is the license guide.

It also affects a lot of modules which rely on jackson-dataformat-cbor such as flink-elasticsearch-base, flink-connector-elasticsearch2, flink-connector-elasticsearch5, flink-connector-elasticsearch7, flink-connector-elasticsearch6, flink-connector-kinesis, flink-sql-connector-elasticsearch7, flink-sql-connector-elasticsearch6 which means that we would need to validate that these modules are still working. I guess you haven't tried them out, right?

Last but not least, I was wondering whether we would need to update other jackson dependencies as well. Currently, we rely on jackson-dataformat-smile, jackson-dataformat-yaml, jackson-module-jaxb-annotations. Would it make sense to bump these dependencies to the same version?

[tillrohrmann]

This change requires the update of all affected NOTICE files.

[tillrohrmann]

Do we really want to change the jackson-dataformat-cbor for all dependencies which rely on it? It would invalidate the testing for all these components.

On the other hand I guess that the functionality used by Kinesis should then also be broken for all the other modules.

[tillrohrmann]

What about bumping other jackson dependencies such as jackson-dataformat-smile, jackson-dataformat-yaml, jackson-module-jaxb-annotations? Could they also be affected by the bumping the other dependencies to 2.10.1?

[zentol]

I would only put this into the kinesis connector pom. This is the only module that should be affected by virtue of promoting transitive dependencies via the shade-plugin.
This promotion should likely be removed in the future because it has rather subtle side-effects.

[tweise]

Looks like there is consensus to keep it centralized; I prefer that as well. This dependency isn't specific to Kinesis, it comes from aws-java-sdk-core.

[zentol]

Looks like there is consensus to keep it centralized

Not quite; this came up during the offline discussion and we continued with the existing approach for the time-being for simplicity. Long-term we're likely to throw a jackson bom into every module that needs it, and ban older versions.
This way it is a lot easier to tell which modules are affected by the dependency management.
If a new jackson dependency is added 1 of three cases happen:
a) dependency convergence fails (happens if it is not shaded)
b) enforcer check fails (old insecure versions used that we don't want)
c) a safe version is used and shaded (hence no conflicts), in which case there is no reason to mandate another version. This also allows us to use the version that the transitive dependency was built against, which is one less uncertainty on our side.

[tillrohrmann]

After an offline discussion with @zentol and @GJL we decided to bump the remaining Jackson dependencies to version 2.10.1. The affected dependencies are jackson-dataformat-smile, jackson-dataformat-yaml, jackson-module-jaxb-annotations.

I will update the PR to reflect these changes.

[tillrohrmann]

We actually don't need to pin jackson-module-jaxb-annotations because we don't use it.

[tillrohrmann]

@zentol @GJL, I've updated the PR. Please take a look.

[zentol]

One minor correction to my code, but otherwise this looks good to me.

[zentol]

my bad, this one should be final

[tillrohrmann]

Will update the code.

[GJL]

I don't think json is accurate here.

[tillrohrmann]

Ok I rename it into document.

[tillrohrmann]

I've updated the PR and additionally removed the pinning of Jackson dependencies to 2.9.6 from flink-table-planner. Let's hope that everything still runs.

[tillrohrmann]

I had to pin snakeyaml to 1.25 to make flink-connector-elasticsearch5 work.

[tweise]

LGTM for the additional changes (I cannot approve the PR I opened)

@tillrohrmann thanks for taking care of the updates for the ES modules. We are not using these connectors in our applications, so I have no means to do additional verification. I think it is important to keep the jackson modules on the same version, however. Glad to see this is happening now vs. just patching up the Kinesis connector.