mini666 opened a new pull request, #8030: URL: https://github.com/apache/hbase/pull/8030
## Summary Each snapshot operation created two short-lived connections in `SnapshotDescriptionUtils.validate()`: 1. `isSecurityAvailable(conf)` — created a `Connection` + `Admin` just to check `hbase:acl` table existence 2. `writeAclToSnapshotDescription()` — created another `Connection` to read ACL data from `hbase:acl` In Kerberos environments with the default `ZKConnectionRegistry`, each connection triggered a new ZK session with GSSAPI authentication and a TGS request to the KDC. During batch snapshot operations, this caused excessive KDC load that could lead to IP blocking. This patch reuses the caller's existing connection instead of creating new ones: - `isSecurityAvailable()` now accepts a `Connection` parameter - `writeAclToSnapshotDescription()` passes the shared connection's `Table` to `PermissionStorage.getTablePermissions()` - All callers (`MasterRpcServices`, `RestoreSnapshotProcedure`, `CloneSnapshotProcedure`) pass through their available connection Zero behavioral change — the same checks are performed, the same data is read, the same ACL is written to snapshots. See [HBASE-30058](https://issues.apache.org/jira/browse/HBASE-30058) for detailed root cause analysis including design ambiguity discussion. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
