Forgot to share a few past attempts: 1. HBASE-18224 <https://issues.apache.org/jira/browse/HBASE-18224>Upgrade jetty
1. HBASE-19390 <https://issues.apache.org/jira/browse/HBASE-19390>Revert to older version of Jetty 9.3 1. HBASE-19256 <https://issues.apache.org/jira/browse/HBASE-19256> [ hbase-thirdparty] shade jetty On Mon, Feb 24, 2020 at 2:06 PM Wei-Chiu Chuang <[email protected]> wrote: > Hi, > > While I work on this jira HBASE-23834 > <https://issues.apache.org/jira/browse/HBASE-23834> (HBase fails to run > on Hadoop 3.3.0/3.2.2/3.1.4 due to jetty version mismatch) and I realized > this was attempted before. But it simply doesn't work when you have Hadoop > and HBase on different Jetty minor versions (9.3 / 9.4) unless Jetty is > shaded in HBase (or Hadoop). > > We should update Jetty in HBase for sure. 9.3 has known security > vulnerabilities and not fixed until 9.4. > > Given that hbase-thirdparty is the standard practice to place > thirdparty jars, should we also shade Jetty into hbase-thirdparty? > >
