[ https://issues.apache.org/jira/browse/HBASE-29563?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Nihal Jain updated HBASE-29563:
-------------------------------
    Summary: Shade and Transform a Minimal Set of Hadoop Auth Filter Classes  
(was: Shade, Relocate, and Transform a Minimal Set of Hadoop Auth Filter 
Classes)

> Shade and Transform a Minimal Set of Hadoop Auth Filter Classes
> ---------------------------------------------------------------
>
>                 Key: HBASE-29563
>                 URL: https://issues.apache.org/jira/browse/HBASE-29563
>             Project: HBase
>          Issue Type: Improvement
>          Components: dependencies, jetty12, REST, security, Thrift, UI
>            Reporter: Nihal Jain
>            Priority: Major
>
> This JIRA proposes an alternative to creating a source fork of Hadoop's 
> authentication filter classes, i.e. HBASE-29557.
> The solution is to create a new {{hbase-auth-filters-shaded}} (or maybe 
> hadoop-auth-filter-shaded) module that isolates, relocates, and transforms 
> only the specific, minimal set of Hadoop authentication classes that HBase 
> requires.
> This approach will target only the following packages in the hadoop-auth module:
>  * {{org.apache.hadoop.security.authentication.server}} and
>  * {{org.apache.hadoop.security.authentication.util}}.
> These will be relocated into a clean {{org.apache.hbase.shaded}} namespace 
> and have their bytecode transformed from {{javax.servlet}} to 
> {{jakarta.servlet}}. This provides a surgical, low-impact solution to 
> unblock HBase's migration to Jakarta EE 10.
> *Motivation*
> The motivation remains to upgrade HBase's web servers (Web UI, REST, Thrift) 
> to Jetty 12 and the Jakarta EE 10 ecosystem. This proposal achieves that goal 
> by creating a private, Jakarta-compatible copy of the necessary 
> authentication filters, thereby resolving the dependency conflict without 
> maintaining a source fork.
> *Proposed Change*
> The implementation will be focused within a new {{hbase-auth-filters-shaded}} 
> Maven module and will use the Maven Shade Plugin to perform a highly specific 
> set of operations.
>  # *Create New Module:* A new Maven module, 
> {{hbase-auth-filters-shaded}}, will be created.
>  # *Depend on {{hadoop-auth}}:* This module will depend on the official 
> {{hadoop-auth}} artifact.
>  # *Configure Precise Shading and Transformation:* The Maven Shade Plugin 
> will be configured with the following specific rules:
>  ** *Include Only Necessary Packages:* The plugin will be explicitly 
> configured to _only_ include classes from the following two packages. All 
> other classes from {{hadoop-auth.jar}} will be excluded.
>  *** {{org.apache.hadoop.security.authentication.server}}: This contains 
> {{AuthenticationFilter}}, {{KerberosAuthenticationHandler}}, etc.
>  *** {{org.apache.hadoop.security.authentication.util}}: This contains 
> helpers like {{SignerSecretProvider}}.
>  ** *Relocate to the {{org.apache.hbase.shaded}} Namespace:* The included 
> packages will be relocated to a new, private namespace to prevent classpath 
> conflicts.
>  *** *Source Pattern:* {{org.apache.hadoop.security.authentication}}
>  *** *Shaded Pattern:* 
> {{org.apache.hbase.shaded.org.apache.hadoop.security.authentication}}
>  *** This means a class like {{AuthenticationFilter}} will be moved from its 
> original package to 
> {{org.apache.hbase.shaded.org.apache.hadoop.security.authentication.server.AuthenticationFilter}}.
>  ** *Transform {{javax}} to {{jakarta}}:* A resource transformer (e.g., 
> Eclipse Transformer) will be applied during the shading process to rewrite 
> the bytecode of the relocated classes, replacing all 
> {{javax.servlet.*}} references with {{jakarta.servlet.*}}.
>  # *Update HBase Server Modules:*
>  ** The {{hbase-server}}, {{hbase-rest}}, and {{hbase-thrift}} 
> modules will be updated to depend on the new {{hbase-auth-filters-shaded}} 
> module.
>  ** Server-side code will be updated to import the relocated classes. For 
> example: {{import 
> org.apache.hbase.shaded.org.apache.hadoop.security.authentication.server.AuthenticationFilter;}}
>  ** Would be done as a follow-up!
> *Pros*
>  * *Minimized Footprint:* By including only two specific packages, we create 
> the smallest possible artifact, reduce the attack surface, and simplify 
> maintenance.
>  * *Clean Namespace:* Using {{org.apache.hbase.shaded}} is a clear and 
> conventional way to denote an internally managed, private dependency.
>  * *Guaranteed Conflict Avoidance:* The relocation into a private namespace 
> is the key step that allows our new {{jakarta}}-based classes to coexist 
> on the classpath with Hadoop's original {{javax}}-based classes.
>  * *No Source Fork:* We avoid the long-term maintenance burden of a manual 
> code fork by consuming the official Hadoop artifact.
>  * *Simplified Upgrades:* Upstream security fixes can be incorporated by 
> simply updating the {{hadoop-auth}} version in the {{pom.xml}} and rebuilding.
> *Cons/Risks*
>  * *Dependency on Hadoop Release Cycle:* We cannot patch the classes 
> ourselves; we must wait for an official {{hadoop-auth}} release to get fixes. 
> Given the stability of these classes, this is a low risk.
>  * *Build Complexity:* The {{pom.xml}} configuration for this module will be 
> more complex than a standard module, but it is a well-understood pattern.
> *Alternatives (not chosen here)*
>  - HBASE-29557 Decouple dependency on Hadoop AuthenticationFilter classes
>  - Wait for Hadoop to move to Jakarta with HADOOP-19395: simplest short-term, 
> but keeps HBase blocked on Hadoop’s schedule.
> *Compatibility/Support Notes*
>  - Server-internal change only; no wire or client API changes expected.
>  - Allows HBase to support Hadoop versions on javax today and those on 
> Jakarta in the future without forcing a drop of javax-era Hadoop immediately 
> when Hadoop switches.
>  - If/when Hadoop publishes Jakarta-native auth, we can evaluate switching to 
> their artifacts; because we’re decoupled, that can be done on our schedule.
> *Acceptance Criteria*
>  * The {{hbase-auth-filters-shaded}} module successfully builds. The 
> resulting JAR contains *only* classes from the 
> {{org.apache.hadoop.security.authentication.server}} and 
> {{org.apache.hadoop.security.authentication.util}} packages.
>  * All classes within the artifact are successfully relocated under the 
> {{org.apache.hbase.shaded.*}} namespace.
>  * Bytecode analysis of the shaded classes confirms that all 
> {{javax.servlet.*}} references have been replaced with {{jakarta.servlet.*}}.
>  * HBase servers start and operate correctly using the relocated, transformed 
> classes.
>  * All existing authentication tests (Simple, Kerberos, REST, UI) pass 
> without regression.
> *Follow-ups*
>  - Switch to jakarta and consume this new module and unblock HBASE-29542 
> without waiting for hadoop.
> *Fix Version(s)*
>  - Target: master, branch-3
> *Class list identified for hbase-auth-filters*
> Below is a minimal list of files we may have to shade from hadoop; a PoC 
> will follow if others think this approach is worth investing our time in.
> {code:java}
> >> grep -r "javax.servlet." src/main | cut -d: -f1 | sort | uniq
> src/main/java/org/apache/hadoop/security/authentication/server/AltKerberosAuthenticationHandler.java
> src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationFilter.java
> src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationHandler.java
> src/main/java/org/apache/hadoop/security/authentication/server/AuthenticationToken.java
> src/main/java/org/apache/hadoop/security/authentication/server/JWTRedirectAuthenticationHandler.java
> src/main/java/org/apache/hadoop/security/authentication/server/KerberosAuthenticationHandler.java
> src/main/java/org/apache/hadoop/security/authentication/server/LdapAuthenticationHandler.java
> src/main/java/org/apache/hadoop/security/authentication/server/MultiSchemeAuthenticationHandler.java
> src/main/java/org/apache/hadoop/security/authentication/server/PseudoAuthenticationHandler.java
> src/main/java/org/apache/hadoop/security/authentication/util/CertificateUtil.java
> src/main/java/org/apache/hadoop/security/authentication/util/FileSignerSecretProvider.java
> src/main/java/org/apache/hadoop/security/authentication/util/RolloverSignerSecretProvider.java
> src/main/java/org/apache/hadoop/security/authentication/util/SignerSecretProvider.java
> src/main/java/org/apache/hadoop/security/authentication/util/ZKSignerSecretProvider.java{code}



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
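The first three acceptance criteria in the ticket (only the two allowed packages present, everything relocated under org.apache.hbase.shaded, no remaining javax.servlet references) can be checked mechanically against the built JAR. The script below is an added example, not HBase project code: the JAR and its class bytes are constructed in-memory test data, and the javax.servlet check is a byte scan of each class file for the JVM internal name, an approximation of the fuller bytecode analysis the ticket calls for.

```python
import io
import zipfile

# JAR-path form of the relocation prefix and of the two allowed source packages.
SHADED_PREFIX = "org/apache/hbase/shaded/"
ALLOWED_PACKAGES = (
    "org/apache/hadoop/security/authentication/server/",
    "org/apache/hadoop/security/authentication/util/",
)

def check_shaded_jar(jar_bytes):
    """Return (entry, problem) pairs for every class that fails a criterion.

    Every .class entry must sit under the shaded prefix, originate from an allowed
    package, and contain no 'javax/servlet/' string (byte scan, like grep -a).
    """
    problems = []
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as jar:
        for entry in jar.namelist():
            if not entry.endswith(".class"):
                continue  # manifest and other resources are out of scope here
            if not entry.startswith(SHADED_PREFIX):
                problems.append((entry, "not relocated under org.apache.hbase.shaded"))
                continue
            if not entry[len(SHADED_PREFIX):].startswith(ALLOWED_PACKAGES):
                problems.append((entry, "class outside the two allowed packages"))
            if b"javax/servlet/" in jar.read(entry):
                problems.append((entry, "still references javax.servlet"))
    return problems

def build_sample_jar(entries):
    """Write {jar_path: bytes} into an in-memory JAR (constructed test data)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as jar:
        for path, data in entries.items():
            jar.writestr(path, data)
    return buf.getvalue()

def demo():
    """Constructed JAR with one good class and three distinct failures."""
    base = SHADED_PREFIX + "org/apache/hadoop/security/authentication/"
    magic = b"\xca\xfe\xba\xbe"  # class-file magic; stand-in for real bytecode
    jar = build_sample_jar({
        base + "server/AuthenticationFilter.class": magic + b"jakarta/servlet/Filter",   # passes
        base + "server/AuthenticationHandler.class": magic + b"javax/servlet/Filter",    # transformer missed it
        base + "client/AuthenticatedURL.class": magic,                                   # include filter leaked a package
        "org/apache/hadoop/security/authentication/util/Signer.class": magic,            # not relocated
    })
    return check_shaded_jar(jar)
```

Pointing `check_shaded_jar` at the real module output (`open("target/hbase-auth-filters-shaded.jar", "rb").read()`, path assumed) gives an empty list only when the build meets those criteria.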
