[
https://issues.apache.org/jira/browse/HBASE-26284?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17429926#comment-17429926
]
Wellington Chevreuil commented on HBASE-26284:
----------------------------------------------
This commit broke UTs. HBASE-26364 is on-going with the fix.
> Add HBase Thrift API to get all table names along with whether it is enabled
> or not
> -----------------------------------------------------------------------------------
>
> Key: HBASE-26284
> URL: https://issues.apache.org/jira/browse/HBASE-26284
> Project: HBase
> Issue Type: New Feature
> Components: Thrift
> Affects Versions: 3.0.0-alpha-1, 2.2.7, 2.3.6, 2.4.7
> Reporter: Dóra Horváth
> Assignee: Dóra Horváth
> Priority: Major
> Fix For: 2.5.0, 3.0.0-alpha-2, 2.3.7, 2.4.8
>
>
> When loading the Hue HBase page, Hue will first get all the table names in one
> Thrift call, then Hue will send a request as a new connection to the HBase Thrift
> server for each table to check if the table is enabled or not. When the
> number of tables becomes big, for example a few hundred, Hue will have the
> chance to fail to show the table list, and it shows an error message on the Hue
> web UI: "Api Error: Unable to authenticate". In the HBase Thrift server log, we
> can see an error message; below is an example from a test environment:
> ======================================
> 2020-07-02 21:54:01,025 INFO
> org.apache.hadoop.hbase.thrift.ThriftHttpServlet: Failed to authenticate with
> HTTP/[...]@HADOOP.COM kerberos principal
> 2020-07-02 21:54:01,025 ERROR
> org.apache.hadoop.hbase.thrift.ThriftHttpServlet: Kerberos Authentication
> failed
> org.apache.hadoop.hbase.thrift.HttpAuthenticationException:
> java.lang.reflect.UndeclaredThrowableException
> ......
> Caused by: java.lang.reflect.UndeclaredThrowableException
> ......
> Caused by: org.apache.hadoop.hbase.thrift.HttpAuthenticationException:
> Kerberos authentication failed:
> ......
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism
> level: Request is a replay (34))
> ......
> Caused by: KrbException: Request is a replay (34)
> ======================================
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> My current understanding of the cause is that Hue sends requests so fast that
> it has the chance to send 2 requests with the same Kerberos authenticator
> (the timestamp is the same), so the HBase Thrift server will think this is a replay
> attack. We came up with this assumption based on tcpdump observation and this
> document: https://web.mit.edu/kerberos/krb5-latest/doc/basic/rcache_def.html
> If the HBase Thrift server can have an API call that Hue can call once to get
> all table names along with whether each is enabled or not, we can avoid the above issue.
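The failure mode hypothesized in the issue description, as an added example that is not part of the original message and is not HBase or MIT krb5 code: a simplified replay cache that rejects any authenticator it has already seen inside the clock-skew window. The principals, start time, request spacing and the coarse client clock resolution are constructed assumptions used only to make timestamps collide.

```python
from dataclasses import dataclass

CLOCK_SKEW_US = 300 * 1_000_000  # 5 minutes, the common Kerberos default skew
# Constructed principals and start time; none of these come from the issue.
CLIENT = "hue@EXAMPLE.COM"
SERVER = "HTTP/thrift.example.com@EXAMPLE.COM"
BASE_US = 1_600_000_000_000_000


@dataclass(frozen=True)
class Authenticator:
    client: str
    server: str
    ctime_us: int  # client timestamp, seconds and microseconds combined


class ReplayCache:
    """Simplified model: remember every authenticator seen inside the skew window."""

    def __init__(self):
        self._seen = {}  # Authenticator -> time it was first accepted

    def check(self, auth, now_us):
        # Entries older than the skew window can no longer be replayed; drop them.
        self._seen = {a: t for a, t in self._seen.items()
                      if now_us - t <= CLOCK_SKEW_US}
        if abs(now_us - auth.ctime_us) > CLOCK_SKEW_US:
            return "skew"
        if auth in self._seen:
            return "replay"  # what the server logs as "Request is a replay (34)"
        self._seen[auth] = now_us
        return "ok"


def simulate(n_requests, spacing_us, clock_resolution_us):
    """One new authentication per request, as in the one-call-per-table pattern."""
    cache, results = ReplayCache(), []
    for i in range(n_requests):
        now = BASE_US + i * spacing_us
        # Assumption: the client stamps authenticators with a coarse clock.
        ctime = now - now % clock_resolution_us
        results.append(cache.check(Authenticator(CLIENT, SERVER, ctime), now))
    return results


if __name__ == "__main__":
    per_table = simulate(300, spacing_us=400, clock_resolution_us=1000)
    print("per-table calls rejected:", per_table.count("replay"))
    print("single batched call:", simulate(1, 400, 1000))
```

In this model the rejections come entirely from legitimate requests sharing a timestamp, so a single call that returns every table with its enabled state never triggers the cache.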