Nihal Jain created HBASE-29563:
----------------------------------
Summary: Shade, Relocate, and Transform a Minimal Set of Hadoop Auth Filter Classes
Key: HBASE-29563
URL: https://issues.apache.org/jira/browse/HBASE-29563
Project: HBase
Issue Type: Improvement
Reporter: Nihal Jain
This JIRA proposes an alternative to creating a source fork of Hadoop's
authentication classes, i.e., HBASE-29557.
The solution is to create a new {{hbase-auth-filters-shaded}} module that
isolates, relocates, and transforms only the specific, minimal set of Hadoop
authentication classes that HBase requires. This approach will target only the
{{org.apache.hadoop.security.authentication.server}} and
{{org.apache.hadoop.security.authentication.util}} packages. These will be
relocated into a clean {{org.apache.hbase.shaded}} namespace and have their
bytecode transformed from {{javax.servlet}} to {{{}jakarta.servlet{}}}. This
provides a surgical, low-impact solution to unblock HBase's migration to
Jakarta EE 10.
*Motivation*
The motivation remains to upgrade HBase's web servers (Web UI, REST, Thrift) to
Jetty 12 and the Jakarta EE 10 ecosystem. This proposal achieves that goal by
creating a private, Jakarta-compatible copy of the necessary authentication
filters, thereby resolving the dependency conflict without maintaining a source
fork.
*Proposed Change*
The implementation will be focused within a new {{hbase-auth-filters-shaded}}
Maven module and will use the Maven Shade Plugin to perform a highly specific
set of operations.
# *Create New Module:* A new Maven module, {{{}hbase-auth-filters-shaded{}}},
will be created.
# *Depend on {{{}hadoop-auth{}}}:* This module will depend on the official
{{hadoop-auth}} artifact.
# *Configure Precise Shading and Transformation:* The Maven Shade Plugin will
be configured with the following specific rules:
** *Include Only Necessary Packages:* The plugin will be explicitly configured
to _only_ include classes from the following two packages. All other classes
from {{hadoop-auth.jar}} will be excluded.
*** {{{}org.apache.hadoop.security.authentication.server{}}}: This contains
{{{}AuthenticationFilter{}}}, {{{}KerberosAuthenticationHandler{}}}, etc.
*** {{{}org.apache.hadoop.security.authentication.util{}}}: This contains
helpers like {{{}SignerSecretProvider{}}}.
** *Relocate to the {{org.apache.hbase.shaded}} Namespace:* The included
packages will be relocated to a new, private namespace to prevent classpath
conflicts.
*** *Source Pattern:* {{org.apache.hadoop.security.authentication}}
*** *Shaded Pattern:*
{{org.apache.hbase.shaded.org.apache.hadoop.security.authentication}}
*** This means a class like {{AuthenticationFilter}} will be moved from its
original package to
{{{}org.apache.hbase.shaded.org.apache.hadoop.security.authentication.server.AuthenticationFilter{}}}.
** *Transform {{javax}} to {{jakarta}}:* A transformer (e.g., the Eclipse
Transformer) will be applied during the shading process to rewrite the
bytecode of the relocated classes, replacing all {{javax.servlet.*}}
references with {{jakarta.servlet.*}}.
# *Update HBase Server Modules:*
** The {{{}hbase-server{}}}, {{{}hbase-rest{}}}, and {{hbase-thrift}} modules
will be updated to depend on the new {{hbase-auth-filters-shaded}} module.
** Server-side code will be updated to import the relocated classes. For
example: {{import
org.apache.hbase.shaded.org.apache.hadoop.security.authentication.server.AuthenticationFilter;}}
*Pros*
* *Minimized Footprint:* By including only two specific packages, we create
the smallest possible artifact, reduce the attack surface, and simplify
maintenance.
* *Clean Namespace:* Using {{org.apache.hbase.shaded}} is a clear and
conventional way to denote an internally managed, private dependency.
* *Guaranteed Conflict Avoidance:* The relocation into a private namespace is
the key step that allows our new {{{}jakarta{}}}-based classes to coexist on
the classpath with Hadoop's original {{{}javax{}}}-based classes.
* *No Source Fork:* We avoid the long-term maintenance burden of a manual code
fork by consuming the official Hadoop artifact.
* *Simplified Upgrades:* Upstream security fixes can be incorporated by simply
updating the {{hadoop-auth}} version in the {{pom.xml}} and rebuilding.
*Cons/Risks*
* *Dependency on Hadoop Release Cycle:* We cannot patch the classes ourselves;
we must wait for an official {{hadoop-auth}} release to get fixes. Given the
stability of these classes, this is a low risk.
* *Build Complexity:* The {{pom.xml}} configuration for this module will be
more complex than a standard module, but it is a well-understood pattern.
*Alternatives (not chosen here)*
- HBASE-29557 Decouple dependency on Hadoop AuthenticationFilter classes
- Wait for Hadoop to move to Jakarta with HADOOP-19395: simplest short-term,
but keeps HBase blocked on Hadoop’s schedule.
*Compatibility/Support Notes*
- Server-internal change only; no wire or client API changes expected.
- Allows HBase to support Hadoop versions on javax today and those on Jakarta
in the future without forcing a drop of javax-era Hadoop immediately when
Hadoop switches.
- If/when Hadoop publishes Jakarta-native auth, we can evaluate switching to
their artifacts; because we’re decoupled, that can be done on our schedule.
*Acceptance Criteria*
* The {{hbase-auth-filters-shaded}} module successfully builds. The resulting
JAR contains *only* classes from the
{{org.apache.hadoop.security.authentication.server}} and
{{org.apache.hadoop.security.authentication.util}} packages.
* All classes within the artifact are successfully relocated under the
{{org.apache.hbase.shaded.*}} namespace.
* Bytecode analysis of the shaded classes confirms that all
{{javax.servlet.*}} references have been replaced with {{jakarta.servlet.*}}.
* HBase servers start and operate correctly using the relocated, transformed
classes.
* All existing authentication tests (Simple, Kerberos, REST, UI) pass without
regression.
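As an added verification example (not part of this JIRA or of the HBase code base), a small Python audit that applies the first three acceptance criteria to a shaded JAR: every class entry must sit under one of the two relocated packages, and no class file may still name a {{javax.servlet}} type. It runs against a constructed stand-in JAR whose class entries are fake bytes; the real check is to pass the bytes of the built {{hbase-auth-filters-shaded}} artifact to {{audit_shaded_jar}}.

```python
import io
import re
import zipfile

# Only these two relocated packages may appear in the shaded artifact.
SHADED = "org/apache/hbase/shaded/org/apache/hadoop/security/authentication/"
ALLOWED_PREFIXES = (SHADED + "server/", SHADED + "util/")

# Class-file constant pools store type names with '/' (e.g. Ljavax/servlet/Filter;)
# and string literals may keep the dotted form, so both spellings are checked.
JAVAX_SERVLET = re.compile(rb"javax[/.]servlet")


def audit_shaded_jar(jar_bytes):
    """Return the class entries that violate the relocation or transformation rules."""
    findings = {"unexpected": [], "javax_refs": []}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for name in jar.namelist():
            if not name.endswith(".class"):
                continue  # manifest and other resources are outside these checks
            if not name.startswith(ALLOWED_PREFIXES):
                findings["unexpected"].append(name)
            if JAVAX_SERVLET.search(jar.read(name)):
                findings["javax_refs"].append(name)
    return findings


def is_clean(findings):
    """True when the artifact meets the package, relocation and transform criteria."""
    return not findings["unexpected"] and not findings["javax_refs"]


def build_sample_jar():
    """Constructed stand-in JAR; the 'class' bodies are fake bytes, not real bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        jar.writestr(SHADED + "server/AuthenticationFilter.class",
                     b"\xca\xfe\xba\xbe Ljakarta/servlet/Filter; jakarta.servlet.http")
        jar.writestr(SHADED + "util/SignerSecretProvider.class", b"\xca\xfe\xba\xbe ok")
        # Two deliberate defects for the audit to catch: an untransformed class and a
        # class from a package that should have been excluded from hadoop-auth.
        jar.writestr(SHADED + "server/PseudoAuthenticationHandler.class",
                     b"\xca\xfe\xba\xbe Ljavax/servlet/http/HttpServletRequest;")
        jar.writestr("org/apache/hadoop/security/authentication/client/AuthenticatedURL.class",
                     b"\xca\xfe\xba\xbe")
        jar.writestr("META-INF/MANIFEST.MF", b"Manifest-Version: 1.0\n")
    return buf.getvalue()


if __name__ == "__main__":
    result = audit_shaded_jar(build_sample_jar())
    print("clean" if is_clean(result) else result)
```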
*Fix Version(s)*
- Target: master, branch-3
*Class list identified for hbase-auth-filters*
Below is a minimal list of files we may have to shade from Hadoop; a PoC will
follow if others think this approach is worth investing our time in.
{code:java}
>> grep -r "javax.servlet." src/main | cut -d: -f1 | sort | uniq
src/main/java/org/apache/hadoop/security/authentication/server/AltKerberosAuthenticationHandler.java
src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java
src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
src/main/java/org/apache/hadoop/security/authentication/server/LdapAuthenticationHandler.java
src/main/java/org/apache/hadoop/security/authentication/server/MultiSchemeAuthenticationHandler.java
src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java
src/main/java/org/apache/hadoop/security/authentication/util/CertificateUtil.java
src/main/java/org/apache/hadoop/security/authentication/util/FileSignerSecretProvider.java
src/main/java/org/apache/hadoop/security/authentication/util/RolloverSignerSecretProvider.java
src/main/java/org/apache/hadoop/security/authentication/util/SignerSecretProvider.java
src/main/java/org/apache/hadoop/security/authentication/util/ZKSignerSecretProvider.java{code}