Add StarRocks Arrow Flight SQL plugin with direct backend fetch#120
Add StarRocks Arrow Flight SQL plugin with direct backend fetch#120Nitin Bhakar (nitinbhakar) wants to merge 7 commits into
Conversation
Connects to StarRocks via Arrow Flight SQL and, when the FE returns distinct per-backend endpoint locations, redeems each ticket by dialing the BE directly and fanning the fetches out in parallel instead of funneling every row back through the FE. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Wiz Scan Summary
To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension. |
…rsion - google.golang.org/grpc was pulled in below v1.79.3, affected by CVE-2026-33186 - dialFlightClient's TLS config lacked an explicit MinVersion (CWE-327) Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
| module github.com/patterninc/heimdall | ||
|
|
||
| go 1.24.6 | ||
| go 1.25.0 |
There was a problem hiding this comment.
If go upgrade is not required, can we hold this for now and handle it separately? It will require some thorough testing. It will also require changes in custom plugins build besides the standard one provided as part of heimdall.
There was a problem hiding this comment.
Chain: grpc's Critical CVE fix (v1.79.3) pulled otel/x-crypto/x-net floors up too, which were still below Wiz's thresholds. otel's fix is Go 1.24-compatible, kept it. x/crypto's and x/net's fixes both require Go >=1.25 upstream (checked every version — no exceptions), so the go.mod bump wasn't a choice, just a side effect of chasing those. Reverted per your ask; those two stay unfixed for now.
go.opentelemetry.io/otel < 1.41.0 (CVE-2026-29181), golang.org/x/crypto < 0.52.0 (13 CVEs), and golang.org/x/net < 0.55.0 (CVE-2026-25680, CVE-2026-39821) were pulled in transitively by the grpc bump. The crypto fix version requires go >= 1.25, hence the go.mod bump; GOTOOLCHAIN=auto (unpinned in this repo) lets CI's Go 1.24.5 fetch 1.25 automatically rather than needing a workflow change. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
5f7f9f9 to
cfa0a26
Compare
command_context.go (commandContext + plugin.Handler methods), cluster_context.go (clusterContext, no methods), job_context.go (jobContext + collectResults), backend_client_pool.go (backendClientPool + fetchEndpoint/locationHost). starrocks.go keeps just the shared consts/telemetry vars and dialFlightClient, used by both command_context.go and backend_client_pool.go. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Keep job_context.go and backend_client_pool.go split out, but commandContext/clusterContext (plugin.Handler entry points + cluster config) stay in the main file. Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Summary
plugins/starrocks) that connects via Arrow Flight SQL and executes queries/statements against a configured cluster.GetFlightInforesponse includes endpoints with distinct BE locations (rather thanLocationReuseConnection/the FE's own address), the plugin dials each BE directly and redeems tickets in parallel viaDoGet, instead of funneling every row back through the FE. Falls back to the FE connection when no distinct BE location is present (e.g. StarRocks' ownarrow_flight_proxyfeature is enabled).ARRAY/MAP/STRUCT(StarRocksLIST/MAP/STRUCT), which are JSON-encoded rather than stringified.Executeentry point.Dependency updates (Wiz findings)
google.golang.org/grpc(pulled in by the Arrow Flight SQL client) tov1.79.3, fixing CVE-2026-33186 (Critical). Compatible with Go 1.24.go.opentelemetry.io/oteltov1.41.0, fixing CVE-2026-29181 (High). Compatible with Go 1.24.golang.org/x/cryptoandgolang.org/x/netat their natural minimal-version-selection floor (v0.46.0,v0.48.0) rather than bumping to the fully-fixed versions (v0.52.0,v0.55.0), and keptgo.mod'sgodirective at1.24.6. Both packages' fixed versions require Go>=1.25upstream — there's no version that's both fixed and Go-1.24-compatible. Per team decision, staying on Go 1.24 took priority over fixing these two specific findings in this PR. They are pre-existing onmaintoday at even older vulnerable versions (v0.42.0,v0.44.0respectively), so this isn't a new regression introduced here — genuinely fixing them requires a repo-wide Go 1.25 upgrade, tracked as separate follow-up work.x/cryptoandx/netas Critical vulnerabilities on this PR; replying with#wiz_ignore+ this justification on those specific findings.Test plan
go build/go vetoninternal/pkg/object/command/starrocksand theplugins/starrocksplugin (including-buildmode=plugin) againstmainSHOW TABLES,COUNT(*)over 500M+ rows, and confirmed direct-BE ticket redemption engages when the FE advertises a distinct BE location)arrow_flight_proxydisabled and BE/CN nodes network-reachable from Heimdall's runtime — not yet enabled in any cluster config (tracked as follow-up infra work); with the proxy enabled (current default), this plugin behaves identically to always routing through the FE🤖 Generated with Claude Code