Posted to commits@kylin.apache.org by xx...@apache.org on 2022/01/07 01:43:30 UTC

[kylin] branch document updated (6a24bf4 -> 561fa63)

This is an automated email from the ASF dual-hosted git repository.

xxyu pushed a change to branch document
in repository https://gitbox.apache.org/repos/asf/kylin.git.


    from 6a24bf4  Release 4.0.1 and 3.1.3
     new e64a321  Update security page
     new 561fa63  Update docs for release 4.0.1 and 3.1.3

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 website/_dev/index.md                              |   2 +-
 website/_dev40/index.md                            |   2 +-
 website/_docs/howto/howto_config_spark_pool.md     |   2 +-
 website/_docs/howto/howto_upgrade.md               |   9 +-
 website/_docs/security.md                          | 166 ++++++++++++++++++++
 website/_docs30/security.md                        | 167 +++++++++++++++++++++
 website/_docs30/tutorial/real_time_olap.md         |   2 +-
 website/_docs31/howto/howto_upgrade.md             |   8 +
 website/_docs31/security.md                        | 166 ++++++++++++++++++++
 website/_docs31/tutorial/real_time_olap.md         |   2 +-
 website/_includes/header.cn.html                   |   4 +-
 website/_includes/header.html                      |   4 +-
 website/_includes/home_header.cn.html              |   4 +-
 website/_includes/home_header.html                 |   4 +-
 .../blog/2019-07-01-deep-dive-real-time-olap.md    |   2 +-
 15 files changed, 529 insertions(+), 15 deletions(-)

[kylin] 01/02: Update security page

Posted by xx...@apache.org.

xxyu pushed a commit to branch document
in repository https://gitbox.apache.org/repos/asf/kylin.git

commit e64a321394f99cd19fb023c570fc357f52f27ccb
Author: yaqian.zhang <59...@qq.com>
AuthorDate: Wed Jan 5 17:16:25 2022 +0800

    Update security page
---
 website/_docs/security.md   | 166 +++++++++++++++++++++++++++++++++++++++++++
 website/_docs30/security.md | 167 ++++++++++++++++++++++++++++++++++++++++++++
 website/_docs31/security.md | 166 +++++++++++++++++++++++++++++++++++++++++++
 3 files changed, 499 insertions(+)

diff --git a/website/_docs/security.md b/website/_docs/security.md
index 405c4e6..ed39f36 100644
--- a/website/_docs/security.md
+++ b/website/_docs/security.md
@@ -94,3 +94,169 @@ Users should upgrade to 3.0.2 or 2.6.6 or set kylin.tool.auto-migrate-cube.enabl
 __Credit__
 
 This issue was discovered by Johannes Dahse
+
+### [CVE-2021-27738](https://cveprocess.apache.org/cve/CVE-2021-27738) Improper Access Control to Streaming Coordinator & SSRF
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 3.0.0-alpha to 3.1.2
+
+__Description__
+
+All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator.
+
+For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved.
+
+__Mitigation__
+
+Users of Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1646.
+
+__Credit__
+
+This issue was discovered by Wei Lin Ngo
+
+### [CVE-2021-31522](https://cveprocess.apache.org/cve/CVE-2021-31522) Apache Kylin unsafe class loading
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2, 4.0.0-alpha to 4.0.0
+
+__Description__
+
+Kylin can receive user input and load any class through Class.forName(...).
+
+__Mitigation__
+
+Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1695.
+Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1763.
+
+__Credit__
+
+This issue was discovered by bo yu
+
+### [CVE-2021-36774](https://cveprocess.apache.org/cve/CVE-2021-36774) Mysql JDBC Connector Deserialize RCE
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2
+
+__Description__
+
+Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes.
+
+__Mitigation__
+
+Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1694.
+
+__Credit__
+
+This issue was discovered by jinchen sheng
+
+### [CVE-2021-45456](https://cveprocess.apache.org/cve/CVE-2021-45456) Command injection
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 4.0.0
+
+__Description__
+
+Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability.
+
+__Mitigation__
+
+Users of Kylin 4.0.0 should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.
+
+__Credit__
+
+This issue was discovered by Alvaro Munoz
+
+### [CVE-2021-45457](https://cveprocess.apache.org/cve/CVE-2021-45457) Overly broad CORS configuration
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2, 4.0.0-alpha to 4.0.0
+
+__Description__
+
+Cross-origin requests with credentials are allowed to be sent from any origin.
+
+Kylin reflects the `Origin` header and allow credentials to be sent cross-origin in the default configuration. The preflight OPTIONS request:
+```
+OPTIONS /kylin/api/projects HTTP/1.1
+Host: localhost:7070
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: */*
+Accept-Language: en-US
+Accept-Encoding: gzip, deflate
+Access-Control-Request-Method: POST
+Access-Control-Request-Headers: content-type
+Referer: http://b49b-95-62-58-48.ngrok.io/
+Origin: http://b49b-95-62-58-48.ngrok.io
+Connection: keep-alive
+Cache-Control: max-age=0
+```
+
+Will be replied with:
+
+```
+HTTP/1.1 200 OK
+Server: Apache-Coyote/1.1
+Access-Control-Allow-Origin: http://b49b-95-62-58-48.ngrok.io
+Access-Control-Allow-Credentials: true
+Vary: Origin
+Access-Control-Allow-Methods: DELETE, POST, GET, OPTIONS, PUT
+Access-Control-Allow-Headers: Authorization, Origin, No-Cache, X-Requested-With, Cache-Control, Accept, X-E4m-With, If-Modified-Since, Pragma, Last-Modified, Expires, Content-Type
+Content-Length: 0
+```
+
+__Mitigation__
+
+Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.
+Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.
+
+__Credit__
+
+This issue was discovered by Alvaro Munoz
+
+### [CVE-2021-45458](https://cveprocess.apache.org/cve/CVE-2021-45458) Hardcoded credentials
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2, 4.0.0-alpha to 4.0.0
+
+__Description__
+
+Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV.  If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted.
+
+__Mitigation__
+
+Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.
+Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.
+
+__Credit__
+
+This issue was discovered by Alvaro Munoz
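Review bot: the 4.x mitigation for both CVE-2021-45457 and CVE-2021-45458 cites https://github.com/apache/kylin/pull/1781, which is also the fix cited for CVE-2021-45456, and 2.x/3.x users are sent to pull/1782 for two different CVEs; if one PR really closed several issues, say so once, otherwise the links need checking before the page is published. Smaller wording points in the same hunk: `+Kylin reflects the `Origin` header and allow credentials` should read `allows`, `+Apache kylin checks the legitimacy` should be `Apache Kylin`, `Mysql JDBC Connector` in the CVE-2021-36774 heading should be `MySQL`, and `encryption classes PasswordPlaceholderConfigurer` should be singular. The opening fence right after `The preflight OPTIONS request:` has no blank line before it, unlike the response block below it; add one so both blocks render the same way. The CVE-2021-45458 mitigation would also help operators more if it pointed at the `kylin.security.encrypt.cipher.ivSpec` setting introduced in the upgrade notes of this same push and told them to re-encrypt secrets stored with the old hardcoded key and IV, since upgrading the binary alone does not change a value already sitting in kylin.properties.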
diff --git a/website/_docs30/security.md b/website/_docs30/security.md
index 07acd9a..3acab44 100644
--- a/website/_docs30/security.md
+++ b/website/_docs30/security.md
@@ -74,3 +74,170 @@ Users should upgrade to 3.0.2 or 2.6.6 or set kylin.tool.auto-migrate-cube.enabl
 __Credit__
 
 This issue was discovered by Johannes Dahse
+
+### [CVE-2021-27738](https://cveprocess.apache.org/cve/CVE-2021-27738) Improper Access Control to Streaming Coordinator & SSRF
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 3.0.0-alpha to 3.1.2
+
+__Description__
+
+All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator.
+
+For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved.
+
+__Mitigation__
+
+Users of Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1646.
+
+__Credit__
+
+This issue was discovered by Wei Lin Ngo
+
+### [CVE-2021-31522](https://cveprocess.apache.org/cve/CVE-2021-31522) Apache Kylin unsafe class loading
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2, 4.0.0-alpha to 4.0.0
+
+__Description__
+
+Kylin can receive user input and load any class through Class.forName(...).
+
+__Mitigation__
+
+Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1695.
+Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1763.
+
+__Credit__
+
+This issue was discovered by bo yu
+
+### [CVE-2021-36774](https://cveprocess.apache.org/cve/CVE-2021-36774) Mysql JDBC Connector Deserialize RCE
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2
+
+__Description__
+
+Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes.
+
+__Mitigation__
+
+Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1694.
+
+__Credit__
+
+This issue was discovered by jinchen sheng
+
+### [CVE-2021-45456](https://cveprocess.apache.org/cve/CVE-2021-45456) Command injection
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 4.0.0
+
+__Description__
+
+Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability.
+
+__Mitigation__
+
+Users of Kylin 4.0.0 should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.
+
+__Credit__
+
+This issue was discovered by Alvaro Munoz
+
+### [CVE-2021-45457](https://cveprocess.apache.org/cve/CVE-2021-45457) Overly broad CORS configuration
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2, 4.0.0-alpha to 4.0.0
+
+__Description__
+
+Cross-origin requests with credentials are allowed to be sent from any origin.
+
+Kylin reflects the `Origin` header and allow credentials to be sent cross-origin in the default configuration. The preflight OPTIONS request:
+```
+OPTIONS /kylin/api/projects HTTP/1.1
+Host: localhost:7070
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: */*
+Accept-Language: en-US
+Accept-Encoding: gzip, deflate
+Access-Control-Request-Method: POST
+Access-Control-Request-Headers: content-type
+Referer: http://b49b-95-62-58-48.ngrok.io/
+Origin: http://b49b-95-62-58-48.ngrok.io
+Connection: keep-alive
+Cache-Control: max-age=0
+```
+
+Will be replied with:
+
+```
+HTTP/1.1 200 OK
+Server: Apache-Coyote/1.1
+Access-Control-Allow-Origin: http://b49b-95-62-58-48.ngrok.io
+Access-Control-Allow-Credentials: true
+Vary: Origin
+Access-Control-Allow-Methods: DELETE, POST, GET, OPTIONS, PUT
+Access-Control-Allow-Headers: Authorization, Origin, No-Cache, X-Requested-With, Cache-Control, Accept, X-E4m-With, If-Modified-Since, Pragma, Last-Modified, Expires, Content-Type
+Content-Length: 0
+```
+
+__Mitigation__
+
+Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.
+Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.
+
+__Credit__
+
+This issue was discovered by Alvaro Munoz
+
+### [CVE-2021-45458](https://cveprocess.apache.org/cve/CVE-2021-45458) Hardcoded credentials
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2, 4.0.0-alpha to 4.0.0
+
+__Description__
+
+Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV.  If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted.
+
+__Mitigation__
+
+Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.
+Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.
+
+__Credit__
+
+This issue was discovered by Alvaro Munoz
+
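Review bot: this copy adds a trailing empty line at the end of the file (the final lone `+` after `This issue was discovered by Alvaro Munoz`) that the `_docs` and `_docs31` copies do not have; drop it for consistency. The hunk is otherwise a verbatim copy of the `_docs/security.md` addition, so the same wording fixes apply here (`allow credentials`, `Apache kylin`, `Mysql`, `encryption classes`), and the 3.0 documentation set now lists 4.x ranges under `Versions Affected`. If the intent is one shared advisory list, consider keeping it in a single file pulled in by the three version pages, so the copies cannot drift the way the trailing newline already has.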
diff --git a/website/_docs31/security.md b/website/_docs31/security.md
index b18c968..7d059ee 100644
--- a/website/_docs31/security.md
+++ b/website/_docs31/security.md
@@ -120,3 +120,169 @@ Users should upgrade to 3.0.2 or 2.6.6 or set kylin.tool.auto-migrate-cube.enabl
 __Credit__
 
 This issue was discovered by Johannes Dahse
+
+### [CVE-2021-27738](https://cveprocess.apache.org/cve/CVE-2021-27738) Improper Access Control to Streaming Coordinator & SSRF
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 3.0.0-alpha to 3.1.2
+
+__Description__
+
+All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator.
+
+For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved.
+
+__Mitigation__
+
+Users of Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1646.
+
+__Credit__
+
+This issue was discovered by Wei Lin Ngo
+
+### [CVE-2021-31522](https://cveprocess.apache.org/cve/CVE-2021-31522) Apache Kylin unsafe class loading
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2, 4.0.0-alpha to 4.0.0
+
+__Description__
+
+Kylin can receive user input and load any class through Class.forName(...).
+
+__Mitigation__
+
+Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1695.
+Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1763.
+
+__Credit__
+
+This issue was discovered by bo yu
+
+### [CVE-2021-36774](https://cveprocess.apache.org/cve/CVE-2021-36774) Mysql JDBC Connector Deserialize RCE
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2
+
+__Description__
+
+Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes.
+
+__Mitigation__
+
+Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1694.
+
+__Credit__
+
+This issue was discovered by jinchen sheng
+
+### [CVE-2021-45456](https://cveprocess.apache.org/cve/CVE-2021-45456) Command injection
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 4.0.0
+
+__Description__
+
+Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability.
+
+__Mitigation__
+
+Users of Kylin 4.0.0 should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.
+
+__Credit__
+
+This issue was discovered by Alvaro Munoz
+
+### [CVE-2021-45457](https://cveprocess.apache.org/cve/CVE-2021-45457) Overly broad CORS configuration
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2, 4.0.0-alpha to 4.0.0
+
+__Description__
+
+Cross-origin requests with credentials are allowed to be sent from any origin.
+
+Kylin reflects the `Origin` header and allow credentials to be sent cross-origin in the default configuration. The preflight OPTIONS request:
+```
+OPTIONS /kylin/api/projects HTTP/1.1
+Host: localhost:7070
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:94.0) Gecko/20100101 Firefox/94.0
+Accept: */*
+Accept-Language: en-US
+Accept-Encoding: gzip, deflate
+Access-Control-Request-Method: POST
+Access-Control-Request-Headers: content-type
+Referer: http://b49b-95-62-58-48.ngrok.io/
+Origin: http://b49b-95-62-58-48.ngrok.io
+Connection: keep-alive
+Cache-Control: max-age=0
+```
+
+Will be replied with:
+
+```
+HTTP/1.1 200 OK
+Server: Apache-Coyote/1.1
+Access-Control-Allow-Origin: http://b49b-95-62-58-48.ngrok.io
+Access-Control-Allow-Credentials: true
+Vary: Origin
+Access-Control-Allow-Methods: DELETE, POST, GET, OPTIONS, PUT
+Access-Control-Allow-Headers: Authorization, Origin, No-Cache, X-Requested-With, Cache-Control, Accept, X-E4m-With, If-Modified-Since, Pragma, Last-Modified, Expires, Content-Type
+Content-Length: 0
+```
+
+__Mitigation__
+
+Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.
+Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.
+
+__Credit__
+
+This issue was discovered by Alvaro Munoz
+
+### [CVE-2021-45458](https://cveprocess.apache.org/cve/CVE-2021-45458) Hardcoded credentials
+
+__Severity__
+
+Moderate
+
+__Versions Affected__
+
+Kylin 2.0.0 to 2.6.6, 3.0.0-alpha to 3.1.2, 4.0.0-alpha to 4.0.0
+
+__Description__
+
+Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV.  If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, there is a risk that the password may be decrypted.
+
+__Mitigation__
+
+Users of Kylin 2.x & Kylin 3.x should upgrade to 3.1.3 or apply patch https://github.com/apache/kylin/pull/1782.
+Users of Kylin 4.x should upgrade to 4.0.1 or apply patch https://github.com/apache/kylin/pull/1781.
+
+__Credit__
+
+This issue was discovered by Alvaro Munoz
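Review bot: the CORS example in this copy (and the other two) embeds `http://b49b-95-62-58-48.ngrok.io`, which looks like the reporter's live tunnel hostname rather than a documentation value; replace it in both the request and the `Access-Control-Allow-Origin:` response line with a reserved name such as `attacker.example` so the docs do not point at a real third-party endpoint. The same wording fixes noted on the `_docs/security.md` hunk apply here as well.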

[kylin] 02/02: Update docs for release 4.0.1 and 3.1.3

Posted by xx...@apache.org.

xxyu pushed a commit to branch document
in repository https://gitbox.apache.org/repos/asf/kylin.git

commit 561fa638e4d0b0cf31cd2ffaf1d23583483d87ec
Author: yaqian.zhang <59...@qq.com>
AuthorDate: Thu Jan 6 10:56:27 2022 +0800

    Update docs for release 4.0.1 and 3.1.3
---
 website/_dev/index.md                                      | 2 +-
 website/_dev40/index.md                                    | 2 +-
 website/_docs/howto/howto_config_spark_pool.md             | 2 +-
 website/_docs/howto/howto_upgrade.md                       | 9 ++++++++-
 website/_docs30/tutorial/real_time_olap.md                 | 2 +-
 website/_docs31/howto/howto_upgrade.md                     | 8 ++++++++
 website/_docs31/tutorial/real_time_olap.md                 | 2 +-
 website/_includes/header.cn.html                           | 4 ++--
 website/_includes/header.html                              | 4 ++--
 website/_includes/home_header.cn.html                      | 4 ++--
 website/_includes/home_header.html                         | 4 ++--
 website/_posts/blog/2019-07-01-deep-dive-real-time-olap.md | 2 +-
 12 files changed, 30 insertions(+), 15 deletions(-)

diff --git a/website/_dev/index.md b/website/_dev/index.md
index 808fd8a..ffdd74f 100644
--- a/website/_dev/index.md
+++ b/website/_dev/index.md
@@ -14,7 +14,7 @@ Check out the [How to Contribute](/development/howto_contribute.html) document.
 
 ### Source Repository
 Apache Kylin™ source code is version controlled using Git version control:
-Commits [Summary](https://github.com/apache/kylin/commits/master)  
+Commits [Summary](https://github.com/apache/kylin/commits/main)
 Source Repo: [https://github.com/apache/kylin ](https://github.com/apache/kylin )  
 Mirrored to Gitbox: [https://gitbox.apache.org/repos/asf?p=kylin.git ](https://gitbox.apache.org/repos/asf?p=kylin.git )
 
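Review bot: the replacement line `+Commits [Summary](https://github.com/apache/kylin/commits/main)` drops the two trailing spaces that the removed line carried; in this file those trailing spaces are the Markdown hard line break (the following `Source Repo:` line still has them), so `Commits Summary` and `Source Repo` will now render on a single line. Keep the two trailing spaces, or turn the three lines into a list so the layout does not depend on invisible whitespace.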
diff --git a/website/_dev40/index.md b/website/_dev40/index.md
index 3ae3358..da255e3 100644
--- a/website/_dev40/index.md
+++ b/website/_dev40/index.md
@@ -14,7 +14,7 @@ Check out the [How to Contribute](/development40/howto_contribute.html) document
 
 ### Source Repository
 Apache Kylin™ source code is version controlled using Git version control:
-Commits [Summary](https://github.com/apache/kylin/commits/master)  
+Commits [Summary](https://github.com/apache/kylin/commits/main)
 Source Repo: [https://github.com/apache/kylin ](https://github.com/apache/kylin )  
 Mirrored to Gitbox: [https://gitbox.apache.org/repos/asf?p=kylin.git ](https://gitbox.apache.org/repos/asf?p=kylin.git )
 
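Review bot: same trailing-space regression as in `_dev/index.md`: the new `+Commits [Summary](https://github.com/apache/kylin/commits/main)` line loses the two-space hard line break, so `Source Repo:` will be pulled onto the same rendered line. Restore the trailing spaces or convert the block to a list.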
diff --git a/website/_docs/howto/howto_config_spark_pool.md b/website/_docs/howto/howto_config_spark_pool.md
index 964897a..4e5b76a 100644
--- a/website/_docs/howto/howto_config_spark_pool.md
+++ b/website/_docs/howto/howto_config_spark_pool.md
@@ -1,6 +1,6 @@
 ---
 layout: docs
-title:  Config different spark Pool for different types of SQL
+title:  Config spark Pool for SQL
 categories: howto
 permalink: /docs/howto/howto_config_spark_pool.html
 ---
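Review bot: `Config spark Pool for SQL` should capitalise `Spark`, and the shortened title no longer says that different pools are configured for different types of SQL, which is what the page explains; if the cut is for menu width, something like `Configure Spark pools per SQL type` keeps the meaning.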
diff --git a/website/_docs/howto/howto_upgrade.md b/website/_docs/howto/howto_upgrade.md
index f8f6909..7c27e66 100644
--- a/website/_docs/howto/howto_upgrade.md
+++ b/website/_docs/howto/howto_upgrade.md
@@ -7,4 +7,11 @@ permalink: /docs/howto/howto_upgrade.html
 
 Compared with Kylin 3.x and previous versions, Kylin 4.0's storage engine has changed from HBase to Parquet. Therefore, if you need to upgrade from Kylin 3.x and previous versions to kylin4.0, the built cuboid data can't be upgraded, you can only upgrade metadata.
 
-Please refer to : [How to migrate metadata to Kylin 4](https://cwiki.apache.org/confluence/display/KYLIN/How+to+migrate+metadata+to+Kylin+4)
\ No newline at end of file
+Please refer to : [How to migrate metadata to Kylin 4](https://cwiki.apache.org/confluence/display/KYLIN/How+to+migrate+metadata+to+Kylin+4)
+
+## Upgrade from 4.0.0 to 4.0.1
+1) Kylin users can customize the IV value of the encryption algorithm by config `kylin.security.encrypt.cipher.ivSpec` in kylin 4.0.1.
+If you uses the default value of `kylin.security.encrypt.cipher.ivSpec`, there is no need to modify the encryption password in kylin.properties.
+If you changes the value of `kylin.security.encrypt.cipher.ivSpec`, the encrypted password needs to be re-encrypted.
+
+The encryption algorithm may be used in `kylin.metadata.url(mysql password)`, `kylin.security.ldap.connection-password`, etc.
\ No newline at end of file
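Review bot: under `## Upgrade from 4.0.0 to 4.0.1`, the text says that if you keep the default `kylin.security.encrypt.cipher.ivSpec` "there is no need to modify the encryption password", but the `Update security page` commit in this same push describes CVE-2021-45458 as a cipher initialised with a hardcoded key and IV; the guide should state whether the default value is that same IV and, if it is, recommend setting a custom value and re-encrypting every stored secret it lists (`kylin.metadata.url`, `kylin.security.ldap.connection-password`) rather than telling users nothing needs to change. Grammar in the same lines: `If you uses the default value` and `If you changes the value` should read `If you use` / `If you change`, and a numbered list with a single `1)` item reads better as a plain paragraph. The file also still ends without a trailing newline.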
diff --git a/website/_docs30/tutorial/real_time_olap.md b/website/_docs30/tutorial/real_time_olap.md
index 8f5f9ca..038e72c 100644
--- a/website/_docs30/tutorial/real_time_olap.md
+++ b/website/_docs30/tutorial/real_time_olap.md
@@ -39,7 +39,7 @@ If you want to configure timezone for derived time column or learn how to update
 
 ### Streaming Coordinator
 Streaming coordinator works as the master node of streaming receiver cluster. It's main responsibility include assign/unassign specific topic partition to specific replica set, pause or resume consuming behavior, collect mertics such as consume rate (message per second).
-When `kylin.server.mode` is set to `all` or `stream_coordinator`, that process is a streaming coordinator candidate(as well as query server and job server if you use `all`). Coordinator only manage metadata, won't process entered message. 
+When `kylin.server.mode` is set to `stream_coordinator`, that process is a streaming coordinator candidate(as well as query server and job server if you use `all`). Coordinator only manage metadata, won't process entered message.
 
 ### Coordinator Cluster
 For the purpose of eliminating single point of failure, we could start more than one coordinator process. When cluster has several coordinator processes, a leader will be selected by zookeeper. Only  the leader will answer coordinator client's request, others process will become standby/candidate, so single point of failure will be eliminated.
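Review bot: the rewritten sentence still carries `(as well as query server and job server if you use `all`)` after `all` was removed as a coordinator mode, so the parenthetical now contradicts the sentence; drop it, or say explicitly that `all` no longer makes a process a coordinator candidate. This is also the `_docs30` page, while the `_docs31` upgrade guide in this commit introduces the restriction in 3.1.3; if 3.0.x still accepts `all`, the 3.0 page should say which releases the change applies to rather than silently adopt the 3.1.3 behaviour.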
diff --git a/website/_docs31/howto/howto_upgrade.md b/website/_docs31/howto/howto_upgrade.md
index 952ad15..0855b0a 100644
--- a/website/_docs31/howto/howto_upgrade.md
+++ b/website/_docs31/howto/howto_upgrade.md
@@ -19,6 +19,14 @@ Running as a Hadoop client, Apache Kylin's metadata and Cube data are persistend
 
 Below are versions specific guides:
 
+## Upgrade from 3.1.2 to 3.1.3
+1) When using the real-time function, users need to set `kylin.server.mode=stream_coordinator` for the coordinator node, which can no longer be set to `kylin.server.mode=all`.
+2) Kylin users can customize the IV value of the encryption algorithm by config `kylin.security.encrypt.cipher.ivSpec` in kylin 3.1.3.
+If you uses the default value, there is no need to modify the encryption password in kylin.properties.
+If you changes the value of `kylin.security.encrypt.cipher.ivSpec`, the encrypted password needs to be re-encrypted.
+
+The encryption algorithm may be used in `kylin.metadata.url(mysql password)`, `kylin.security.ldap.connection-password`, etc.
+
 ## Upgrade from 3.0 to 3.1.0
 
 1)`Set Config` on web of kylin v3.1.0 is turned off by default.
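Review bot: item 1) of `## Upgrade from 3.1.2 to 3.1.3` should say what happens to a coordinator that is still started with `kylin.server.mode=all` after the upgrade (refuses to start, or silently stops acting as coordinator), since that is what an operator planning the rollout needs to know. Item 2) has the same two problems as the 4.0.1 note: `If you uses the default value` / `If you changes the value` should be `If you use` / `If you change`, and the claim that the default `kylin.security.encrypt.cipher.ivSpec` needs no action should be reconciled with CVE-2021-45458 on the security page added in this push, which describes the shipped IV as hardcoded; if the default is that IV, recommend a custom value plus re-encryption of the listed secrets.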
diff --git a/website/_docs31/tutorial/real_time_olap.md b/website/_docs31/tutorial/real_time_olap.md
index b737d99..57dcc61 100644
--- a/website/_docs31/tutorial/real_time_olap.md
+++ b/website/_docs31/tutorial/real_time_olap.md
@@ -39,7 +39,7 @@ If you want to configure timezone for derived time column or learn how to update
 
 ### Streaming Coordinator
 Streaming coordinator works as the master node of streaming receiver cluster. It's main responsibility include assign/unassign specific topic partition to specific replica set, pause or resume consuming behavior, collect mertics such as consume rate (message per second).
-When `kylin.server.mode` is set to `all` or `stream_coordinator`, that process is a streaming coordinator candidate(as well as query server and job server if you use `all`). Coordinator only manage metadata, won't process entered message. 
+When `kylin.server.mode` is set to 3.1.3, that process is a streaming coordinator candidate(as well as query server and job server if you use `all`). Coordinator only manage metadata, won't process entered message.
 
 ### Coordinator Cluster
 For the purpose of eliminating single point of failure, we could start more than one coordinator process. When cluster has several coordinator processes, a leader will be selected by zookeeper. Only  the leader will answer coordinator client's request, others process will become standby/candidate, so single point of failure will be eliminated.
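Review bot: `+When `kylin.server.mode` is set to 3.1.3, that process is a streaming coordinator candidate` is a botched edit; `3.1.3` is the release number, not a server mode, and the line should read `set to `stream_coordinator`` as in the `_docs30` copy of this change. The trailing `(as well as query server and job server if you use `all`)` is also stale now that `all` no longer starts a coordinator, and should go.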
diff --git a/website/_includes/header.cn.html b/website/_includes/header.cn.html
index 5a886a1..1a6f80b 100644
--- a/website/_includes/header.cn.html
+++ b/website/_includes/header.cn.html
@@ -44,8 +44,8 @@
             <li>
                 <a href="/cn/docs" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">文档<span class="caret"></span></a>
                 <ul class="dropdown-menu">
-                    <li><a href="/cn/docs/">最新版本(Kylin 4.0.0)</a></li>
-                    <li><a href="/cn/docs31/">Kylin 3.1.2</a></li>
+                    <li><a href="/cn/docs/">最新版本(Kylin 4.0.1)</a></li>
+                    <li><a href="/cn/docs31/">Kylin 3.1.3</a></li>
                     <li><a href="/cn/docs24/">Kylin 2.4.0</a></li>
                     <li><a href="/cn/archive/">归档</a></li>
                 </ul>
diff --git a/website/_includes/header.html b/website/_includes/header.html
index 3180063..bf99325 100644
--- a/website/_includes/header.html
+++ b/website/_includes/header.html
@@ -49,8 +49,8 @@
           <li>
             <a href="/docs" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Docs<span class="caret"></span></a>
             <ul class="dropdown-menu">
-              <li><a href="/docs/">Latest Release(Kylin 4.0.0)</a></li>
-              <li><a href="/docs31/">Kylin 3.1.2</a></li>
+              <li><a href="/docs/">Latest Release(Kylin 4.0.1)</a></li>
+              <li><a href="/docs31/">Kylin 3.1.3</a></li>
               <li><a href="/docs24/">Kylin 2.4.0</a></li>
               <li><a href="/archive/">Archive</a></li>
             </ul>
diff --git a/website/_includes/home_header.cn.html b/website/_includes/home_header.cn.html
index b09606c..cf518ab 100644
--- a/website/_includes/home_header.cn.html
+++ b/website/_includes/home_header.cn.html
@@ -43,8 +43,8 @@
             <li>
                 <a href="/cn/docs" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">文档<span class="caret"></span></a>
                 <ul class="dropdown-menu">
-                    <li><a href="/cn/docs/">最新版本(Kylin 4.0.0)</a></li>
-                    <li><a href="/cn/docs31/">Kylin 3.1.2</a></li>
+                    <li><a href="/cn/docs/">最新版本(Kylin 4.0.1)</a></li>
+                    <li><a href="/cn/docs31/">Kylin 3.1.3</a></li>
                     <li><a href="/cn/docs24/">Kylin 2.4.0</a></li>
                     <li><a href="/cn/archive/">归档</a></li>
                 </ul>
diff --git a/website/_includes/home_header.html b/website/_includes/home_header.html
index fe3b9f4..d5c62de 100644
--- a/website/_includes/home_header.html
+++ b/website/_includes/home_header.html
@@ -47,8 +47,8 @@
           <li>
             <a href="/docs" class="dropdown-toggle" data-toggle="dropdown" role="button" aria-haspopup="true" aria-expanded="false">Docs<span class="caret"></span></a>
             <ul class="dropdown-menu">
-              <li><a href="/docs/">Latest Release(Kylin 4.0.0)</a></li>
-              <li><a href="/docs31/">Kylin 3.1.2</a></li>
+              <li><a href="/docs/">Latest Release(Kylin 4.0.1)</a></li>
+              <li><a href="/docs31/">Kylin 3.1.3</a></li>
               <li><a href="/docs24/">Kylin 2.4.0</a></li>
               <li><a href="/archive/">Archive</a></li>
             </ul>
diff --git a/website/_posts/blog/2019-07-01-deep-dive-real-time-olap.md b/website/_posts/blog/2019-07-01-deep-dive-real-time-olap.md
index 94db707..28d771a 100644
--- a/website/_posts/blog/2019-07-01-deep-dive-real-time-olap.md
+++ b/website/_posts/blog/2019-07-01-deep-dive-real-time-olap.md
@@ -88,7 +88,7 @@ The role of Streaming Receiver is worker, each receiver is a Java process, manag
   A collection of Streaming Receivers is called a Receiver cluster.
 
 3. **Streaming Coordinator**
-As the Master node of the Receiver cluster, the Streaming Coordinator is mainly responsible for managing Receiver, including allocating/de-allocating Kafka topic partitions to specified Replica sets, suspending or restoring consumption, collecting and displaying various statistical indicators (such as message per second). When `kylin.server.mode` is set to `all` or `stream_coordinator`, the process becomes a Streaming Coordinator. The Coordinator only processes metadata and cluster sched [...]
+As the Master node of the Receiver cluster, the Streaming Coordinator is mainly responsible for managing Receiver, including allocating/de-allocating Kafka topic partitions to specified Replica sets, suspending or restoring consumption, collecting and displaying various statistical indicators (such as message per second). When `kylin.server.mode` is set to `stream_coordinator`, the process becomes a Streaming Coordinator. The Coordinator only processes metadata and cluster scheduling, an [...]
 
 4. **Coordinator Cluster**
 Multiple Coordinators can exist at the same time to form a Coordinator cluster. In multiple Coordinators, there is only one leader at a time, only the leader can respond to the request, and the rest of the processes are standby/backup.
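Review bot: this rewrites a blog post dated 2019-07-01 to describe the 3.1.3 behaviour, so readers of the historical post lose the fact that `all` was a valid coordinator mode for the release the post was written about; keep the original sentence and add a short dated note that from 3.1.3 the coordinator must be started with `kylin.server.mode=stream_coordinator`, pointing at the 3.1.3 upgrade guide added in this commit. The changed line is truncated in the email (`[...]`), so the remainder of the edit cannot be reviewed here.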