As an alternative, if we ensured the Jetty from Hadoop wasn't in our classpath for our service roles, would that allow us to version Jetty independently? Or would we run into test problems?
On Mon, Feb 24, 2020, 16:07 Wei-Chiu Chuang <[email protected]> wrote:
> Hi,
>
> While working on this jira, HBASE-23834
> <https://issues.apache.org/jira/browse/HBASE-23834> (HBase fails to run on
> Hadoop 3.3.0/3.2.2/3.1.4 due to jetty version mismatch), I realized this
> was attempted before. But it simply doesn't work when you have Hadoop and
> HBase on different Jetty minor versions (9.3 / 9.4) unless Jetty is shaded
> in HBase (or Hadoop).
>
> We should update Jetty in HBase for sure. 9.3 has known security
> vulnerabilities that are not fixed until 9.4.
>
> Given that hbase-thirdparty is the standard practice to place
> thirdparty jars, should we also shade Jetty into hbase-thirdparty?
>
