Posted to issues@hbase.apache.org by "Wei-Chiu Chuang (Jira)" <ji...@apache.org> on 2020/04/29 19:19:00 UTC

[jira] [Commented] (HBASE-23834) HBase fails to run on Hadoop 3.3.0/3.2.2/3.1.4 due to jetty version mismatch

    [ https://issues.apache.org/jira/browse/HBASE-23834?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17095833#comment-17095833 ] 

Wei-Chiu Chuang commented on HBASE-23834:
-----------------------------------------

Some updates here:

It looks like shading Jetty is not enough. Our internal tests found HBase must use SslContextFactory.Server instead of SslContextFactory in Jetty 9.4.
A similar change is also seen in Hadoop's Jetty 9.4 update patch: HADOOP-16152.

Hadoop 3.1.4 is going to be released soon, which will contain the Jetty 9.4 change. Maybe we should move to using Hadoop 3.1.4 in the HBase master branch, and drop Jetty 9.3 entirely.

> HBase fails to run on Hadoop 3.3.0/3.2.2/3.1.4 due to jetty version mismatch
> ----------------------------------------------------------------------------
>
>                 Key: HBASE-23834
>                 URL: https://issues.apache.org/jira/browse/HBASE-23834
>             Project: HBase
>          Issue Type: Bug
>            Reporter: Wei-Chiu Chuang
>            Assignee: Wei-Chiu Chuang
>            Priority: Major
>
> HBase master branch is currently on Jetty 9.3, and latest Hadoop 3 (unreleased branches trunk, branch-3.2 and branch-3.1) bumped Jetty to 9.4 to address a vulnerability CVE-2017-9735.
> (1) Jetty 9.3 and 9.4 are quite different (there are incompatible API changes) and HBase won't start on the latest Hadoop 3.
> (2) In any case, HBase should update its Jetty dependency to address the vulnerability.
> Fortunately for HBase, updating to Jetty 9.4 requires no code change other than the maven version string.
> More tests are needed to verify if HBase can run on older Hadoop versions if its Jetty is updated.


