[ 
https://issues.apache.org/jira/browse/HBASE-26284?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Norbert Kalmár updated HBASE-26284:
-----------------------------------
    Description: 
When loading the Hue HBase page, Hue will first get all the table names in one 
Thrift call, then Hue will send a request as a new connection to the HBase 
Thrift server for each table to check if the table is enabled or not. When the 
number of tables becomes big, for example a few hundred, Hue will have the 
chance to fail to show the table list, and it shows an error message on the Hue 
web UI: "Api Error: Unable to authenticate". In the HBase Thrift server log, we 
can see an error message; below is an example from a test environment:
======================================
2020-07-02 21:54:01,025 INFO org.apache.hadoop.hbase.thrift.ThriftHttpServlet: Failed to authenticate with HTTP/[...]@HADOOP.COM kerberos principal
2020-07-02 21:54:01,025 ERROR org.apache.hadoop.hbase.thrift.ThriftHttpServlet: Kerberos Authentication failed
org.apache.hadoop.hbase.thrift.HttpAuthenticationException: java.lang.reflect.UndeclaredThrowableException
......
Caused by: java.lang.reflect.UndeclaredThrowableException
......
Caused by: org.apache.hadoop.hbase.thrift.HttpAuthenticationException: Kerberos authentication failed:
......
Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
......
Caused by: KrbException: Request is a replay (34)
======================================
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

My current understanding of the cause is that Hue sends requests so fast that 
it has the chance to send 2 requests with the same Kerberos authenticator 
(the timestamp is the same), so the HBase Thrift server will think this is a 
replay attack. We came up with this assumption based on tcpdump observation 
and this document: 
https://web.mit.edu/kerberos/krb5-latest/doc/basic/rcache_def.html

If the HBase Thrift server can have an API call that Hue can call once to get 
all table names along with whether each is enabled or not, we can avoid the 
above issue.

> Add HBase Thrift API to get all table names along with whether it is enabled 
> or not
> -----------------------------------------------------------------------------------
>
>                 Key: HBASE-26284
>                 URL: https://issues.apache.org/jira/browse/HBASE-26284
>             Project: HBase
>          Issue Type: New Feature
>          Components: Thrift
>    Affects Versions: 2.2.7, 2.4.6
>            Reporter: Dóra Horváth
>            Priority: Major
>



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
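
The replay rejection described in this issue, modelled as an added example (not code from HBase, Hue or the reporter): a server-side replay cache keyed on the (client, server, timestamp) authenticator tuple, as RFC 4120 describes, fed a burst of per-table requests and then the single batched call the issue asks for. The principals, the send times and the client clock resolution are constructed assumptions.

```python
from dataclasses import dataclass, field

KRB_AP_ERR_REPEAT = 34           # "Request is a replay", the code in the log
CLOCK_SKEW_US = 300 * 1_000_000  # assumed 5-minute acceptance window


@dataclass
class ReplayCache:
    """Remembers authenticator tuples seen within the clock-skew window."""
    seen: dict = field(default_factory=dict)  # tuple -> time first seen (us)

    def check(self, client, server, ctime_us, now_us):
        # Drop entries that have aged out of the window.
        self.seen = {k: t for k, t in self.seen.items()
                     if now_us - t <= CLOCK_SKEW_US}
        # ctime and cusec are folded into one microsecond value here.
        key = (client, server, ctime_us)
        if key in self.seen:
            return KRB_AP_ERR_REPEAT
        self.seen[key] = now_us
        return 0


def load_table_page(send_times_us, clock_resolution_us, batched):
    """Return the server's result code for each request of one page load.

    clock_resolution_us is the granularity of the client's authenticator
    timestamp (a model assumption, not a measured Hue value).
    batched=True models one call returning every table's enabled state.
    """
    cache = ReplayCache()
    # Constructed principals, not taken from the issue.
    client, server = "hue@EXAMPLE.COM", "HTTP/thrift.example.com@EXAMPLE.COM"
    times = send_times_us[:1] if batched else send_times_us
    results = []
    for t in times:
        ctime = t - (t % clock_resolution_us)  # timestamp as the client stamps it
        results.append(cache.check(client, server, ctime, now_us=t))
    return results


def count_replays(results):
    return sum(1 for r in results if r == KRB_AP_ERR_REPEAT)


# Constructed workload: 300 tables, one enabled-check every 400 microseconds.
SEND_TIMES = [1_000_000 + i * 400 for i in range(300)]
```

With a millisecond-resolution timestamp the model rejects every request that shares a millisecond with an earlier one, while the batched call presents a single authenticator and cannot collide with itself.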
