HBASE-28921 Avoid bundling hbase-webapps folder in default jars #6388

NihalJain · 2024-10-23T12:22:18Z

We are bundling all webapp resources in hbase-server, hbase-thrift, hbase-rest and transitively to hbase-shaded-mapreduce jar. This can be an issue, say if any of the Js projects used by hbase are vulnerable, security scan tools like sonatype start flagging the jars too as vulnerable since they contain vulnerable code.

With this JIRA, we want to avoid bundling static webapp resources in our default jars as these are available during runtime via hbase-webapps directory bundled in our assembly.

But, we still need this for our minicluster based tests which expects it to be present in test classpath. Hence, we are copying hbase-webapps to hbase-server tests jar, which contains class SingleProcessHBaseCluster responsible for hbase minicluster creation. This class eventually needs hbase-webapps in classpath during HttpServer initialisation and hence we are copying it to hbase-server tests.

We are bundling all webapp resources in hbase-server, hbase-thrift, hbase-rest and transitively to hbase-shaded-mapreduce jar. This can be an issue, say if any of the Js projects used by hbase are vulnerable, security scan tools like sonatype start flagging the jars too as vulnerable since they contain vulnerable code. With this JIRA, we want to avoid bundling static webapp resources in our jars as these are available during runtime via hbase-webapps directory bundled in our assembly. But, we still need this for our minicluster based tests which expects it to be present in test classpath. Hence, we are copying hbase-webapps to hbase-server tests jar, which contains class SingleProcessHBaseCluster responsible for hbase minicluster creation. This class eventually needs hbase-webapps in classpath during HttpServer initialisation and hence we are copying it to hbase-server tests.

NihalJain · 2024-10-23T12:23:17Z

2nd attempt for #6368, since we had to revert that one due to #6382

NihalJain · 2024-10-23T12:27:54Z

pom.xml

@@ -803,9 +803,9 @@
    <!-- override on command line to have generated LICENSE files include
         diagnostic info for verifying notice requirements -->
    <license.debug.print.included>false</license.debug.print.included>
-    <!-- When a particular module bundles its depenendencies, should be true -->
+    <!-- When a particular module bundles its dependencies, should be true -->


dummy change to trigger all tests

should revert

NihalJain · 2024-10-23T12:44:13Z

Built hbase locally, untarred and started master, rest and thrift server.
And then verified following:

Browse to master, rest and thrift web UIs and ensure no issues in web pages
Start hbase shell and do basic CRUD, snapshots etc
Run Thrift demo client from hbase-examples
Run basic REST APIs
Run hbase-diagnostics and hbase-shell UTs locally which helped discover the minicluster issue last time
Diff of the tarballs against master:

hbase % jar -tf hbase-server/target/hbase-server-4.0.0-alpha-1-SNAPSHOT.jar | grep hbase-webapps

hbase % jar -tf hbase-server/target/hbase-server-4.0.0-alpha-1-SNAPSHOT-tests.jar | grep hbase-webapps
hbase-webapps/
hbase-webapps/canary/
hbase-webapps/master/
hbase-webapps/master/WEB-INF/
hbase-webapps/regionserver/
hbase-webapps/regionserver/WEB-INF/
hbase-webapps/static/
hbase-webapps/static/css/
hbase-webapps/static/fonts/
hbase-webapps/static/js/
hbase-webapps/canary/index.html
hbase-webapps/master/WEB-INF/web.xml
hbase-webapps/master/index.html
hbase-webapps/regionserver/WEB-INF/web.xml
hbase-webapps/regionserver/index.html
hbase-webapps/static/css/asc.gif
hbase-webapps/static/css/bg.gif
hbase-webapps/static/css/bootstrap-theme.min.css
hbase-webapps/static/css/bootstrap.min.css
hbase-webapps/static/css/desc.gif
hbase-webapps/static/css/hbase.css
hbase-webapps/static/fonts/glyphicons-halflings-regular.eot
hbase-webapps/static/fonts/glyphicons-halflings-regular.svg
hbase-webapps/static/fonts/glyphicons-halflings-regular.ttf
hbase-webapps/static/fonts/glyphicons-halflings-regular.woff
hbase-webapps/static/fonts/glyphicons-halflings-regular.woff2
hbase-webapps/static/hbase_logo.png
hbase-webapps/static/hbase_logo_med.gif
hbase-webapps/static/hbase_logo_small.png
hbase-webapps/static/js/bootstrap.min.js
hbase-webapps/static/js/jqSpager.js
hbase-webapps/static/js/jquery.min.js
hbase-webapps/static/js/jquery.tablesorter.min.js
hbase-webapps/static/js/parser-date-iso8601.min.js
hbase-webapps/static/js/tab.js
hbase-webapps/static/js/vega-embed@6.21.3.min.js
hbase-webapps/static/js/vega-lite@5.6.1.min.js
hbase-webapps/static/js/vega@5.24.0.min.js
hbase-webapps/static/jumping-orca_rotated_12percent.png

hbase % jar -tf hbase-thrift/target/hbase-thrift-4.0.0-alpha-1-SNAPSHOT.jar | grep hbase-webapps

hbase % jar -tf hbase-rest/target/hbase-rest-4.0.0-alpha-1-SNAPSHOT.jar | grep hbase-webapps

hbase % jar -tf hbase-shaded/hbase-shaded-mapreduce/target/hbase-shaded-mapreduce-4.0.0-alpha-1-SNAPSHOT.jar | grep hbase-webapps

hbase %

CC: @stoty

hbase-server/pom.xml

NihalJain · 2024-10-24T18:40:06Z

Please ignore commit 552c419, will revert before merge. This is to force UTs for all modules

NihalJain · 2024-10-24T18:41:05Z

hbase-annotations/pom.xml

@@ -54,3 +54,4 @@
    </plugins>
  </build>
 </project>
+


should revert at all places

Why bunch of this new line change?

i wanted to trigger all tests for this PR, so modified all files to add a dummy whitespace to each pom. Have reverted since build is GREEN now

hbase-server/pom.xml

stoty

+1 LGTM

Pending tests and reverting the spurious whitespace changes.

Apache-HBase · 2024-10-28T07:22:37Z

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	4m 22s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
			_ master Compile Tests _
+0 🆗	mvndep	0m 15s		Maven dependency ordering for branch
+1 💚	mvninstall	3m 1s		master passed
+1 💚	compile	8m 14s		master passed
+1 💚	spotless	0m 45s		branch has no errors when running spotless:check.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 16s		Maven dependency ordering for patch
+1 💚	mvninstall	2m 56s		the patch passed
+1 💚	compile	8m 17s		the patch passed
+1 💚	javac	8m 17s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	xmllint	0m 0s		No new issues.
+1 💚	hadoopcheck	10m 42s		Patch does not cause any errors with Hadoop 3.3.6 3.4.0.
+1 💚	spotless	0m 44s		patch has no errors when running spotless:check.
			_ Other Tests _
+1 💚	asflicense	0m 42s		The patch does not generate ASF License warnings.
		46m 53s

Subsystem	Report/Notes
Docker	ClientAPI=1.47 ServerAPI=1.47 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6388/6/artifact/yetus-general-check/output/Dockerfile
GITHUB PR	#6388
Optional Tests	dupname asflicense javac codespell detsecrets xmllint hadoopcheck spotless compile
uname	Linux 8243c127f329 5.4.0-195-generic #215-Ubuntu SMP Fri Aug 2 18:28:05 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / `434a3ed`
Default Java	Eclipse Adoptium-17.0.11+9
Max. process+thread count	190 (vs. ulimit of 30000)
modules	C: hbase-server hbase-thrift hbase-rest . U: .
Console output	https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6388/6/console
versions	git=2.34.1 maven=3.9.8 xmllint=20913
Powered by	Apache Yetus 0.15.0 https://yetus.apache.org

This message was automatically generated.

Apache-HBase · 2024-10-28T12:34:36Z

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 35s		Docker mode activated.
-0 ⚠️	yetus	0m 2s		Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --author-ignore-list --blanks-eol-ignore-file --blanks-tabs-ignore-file --quick-hadoopcheck
			_ Prechecks _
			_ master Compile Tests _
+0 🆗	mvndep	0m 35s		Maven dependency ordering for branch
+1 💚	mvninstall	3m 45s		master passed
+1 💚	compile	2m 48s		master passed
+1 💚	javadoc	3m 49s		master passed
+1 💚	shadedjars	7m 4s		branch has no errors when building our shaded downstream artifacts.
			_ Patch Compile Tests _
+0 🆗	mvndep	0m 18s		Maven dependency ordering for patch
+1 💚	mvninstall	3m 54s		the patch passed
+1 💚	compile	2m 35s		the patch passed
+1 💚	javac	2m 35s		the patch passed
+1 💚	javadoc	4m 15s		the patch passed
+1 💚	shadedjars	6m 57s		patch has no errors when building our shaded downstream artifacts.
			_ Other Tests _
+1 💚	unit	314m 16s		root in the patch passed.
		358m 46s

Subsystem	Report/Notes
Docker	ClientAPI=1.43 ServerAPI=1.43 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6388/6/artifact/yetus-jdk17-hadoop3-check/output/Dockerfile
GITHUB PR	#6388
Optional Tests	javac javadoc unit shadedjars compile
uname	Linux 9a114da4a138 5.4.0-1103-aws #111~18.04.1-Ubuntu SMP Tue May 23 20:04:10 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / `434a3ed`
Default Java	Eclipse Adoptium-17.0.11+9
Test Results	https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6388/6/testReport/
Max. process+thread count	8610 (vs. ulimit of 30000)
modules	C: hbase-server hbase-thrift hbase-rest . U: .
Console output	https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6388/6/console
versions	git=2.34.1 maven=3.9.8
Powered by	Apache Yetus 0.15.0 https://yetus.apache.org

This message was automatically generated.

NihalJain · 2024-10-29T06:23:25Z

Will wait till EOD to see if any more reviews and then finally merge, in case no more comments here

…he#6388) We are bundling all webapp resources in hbase-server, hbase-thrift, hbase-rest and transitively to hbase-shaded-mapreduce jar. This can be an issue, say if any of the Js projects used by hbase are vulnerable, security scan tools like sonatype start flagging the jars too as vulnerable since they contain vulnerable code. With this JIRA, we want to avoid bundling static webapp resources in our jars as these are available during runtime via hbase-webapps directory bundled in our assembly. But, we still need this for our minicluster based tests which expects it to be present in test classpath. Hence, we are copying hbase-webapps to hbase-server tests jar, which contains class SingleProcessHBaseCluster responsible for hbase minicluster creation. This class eventually needs hbase-webapps in classpath during HttpServer initialisation and hence we are adding hbase-webapps to hbase-server test resources. Signed-off-by: Istvan Toth <stoty@apache.org> (cherry picked from commit 16c51d8)

… (#6429) We are bundling all webapp resources in hbase-server, hbase-thrift, hbase-rest and transitively to hbase-shaded-mapreduce jar. This can be an issue, say if any of the Js projects used by hbase are vulnerable, security scan tools like sonatype start flagging the jars too as vulnerable since they contain vulnerable code. With this JIRA, we want to avoid bundling static webapp resources in our jars as these are available during runtime via hbase-webapps directory bundled in our assembly. But, we still need this for our minicluster based tests which expects it to be present in test classpath. Hence, we are copying hbase-webapps to hbase-server tests jar, which contains class SingleProcessHBaseCluster responsible for hbase minicluster creation. This class eventually needs hbase-webapps in classpath during HttpServer initialisation and hence we are adding hbase-webapps to hbase-server test resources. Signed-off-by: Istvan Toth <stoty@apache.org> (cherry picked from commit 16c51d8)

… (#6430) We are bundling all webapp resources in hbase-server, hbase-thrift, hbase-rest and transitively to hbase-shaded-mapreduce jar. This can be an issue, say if any of the Js projects used by hbase are vulnerable, security scan tools like sonatype start flagging the jars too as vulnerable since they contain vulnerable code. With this JIRA, we want to avoid bundling static webapp resources in our jars as these are available during runtime via hbase-webapps directory bundled in our assembly. But, we still need this for our minicluster based tests which expects it to be present in test classpath. Hence, we are copying hbase-webapps to hbase-server tests jar, which contains class SingleProcessHBaseCluster responsible for hbase minicluster creation. This class eventually needs hbase-webapps in classpath during HttpServer initialisation and hence we are adding hbase-webapps to hbase-server test resources. Signed-off-by: Istvan Toth <stoty@apache.org> (cherry picked from commit 16c51d8)

… (#6431) We are bundling all webapp resources in hbase-server, hbase-thrift, hbase-rest and transitively to hbase-shaded-mapreduce jar. This can be an issue, say if any of the Js projects used by hbase are vulnerable, security scan tools like sonatype start flagging the jars too as vulnerable since they contain vulnerable code. With this JIRA, we want to avoid bundling static webapp resources in our jars as these are available during runtime via hbase-webapps directory bundled in our assembly. But, we still need this for our minicluster based tests which expects it to be present in test classpath. Hence, we are copying hbase-webapps to hbase-server tests jar, which contains class SingleProcessHBaseCluster responsible for hbase minicluster creation. This class eventually needs hbase-webapps in classpath during HttpServer initialisation and hence we are adding hbase-webapps to hbase-server test resources. Signed-off-by: Istvan Toth <stoty@apache.org> (cherry picked from commit 16c51d8)

… (#6432) We are bundling all webapp resources in hbase-server, hbase-thrift, hbase-rest and transitively to hbase-shaded-mapreduce jar. This can be an issue, say if any of the Js projects used by hbase are vulnerable, security scan tools like sonatype start flagging the jars too as vulnerable since they contain vulnerable code. With this JIRA, we want to avoid bundling static webapp resources in our jars as these are available during runtime via hbase-webapps directory bundled in our assembly. But, we still need this for our minicluster based tests which expects it to be present in test classpath. Hence, we are copying hbase-webapps to hbase-server tests jar, which contains class SingleProcessHBaseCluster responsible for hbase minicluster creation. This class eventually needs hbase-webapps in classpath during HttpServer initialisation and hence we are adding hbase-webapps to hbase-server test resources. Signed-off-by: Istvan Toth <stoty@apache.org> (cherry picked from commit 16c51d8)

NihalJain commented Oct 23, 2024

View reviewed changes

This comment has been minimized.

Sign in to view

stoty reviewed Oct 24, 2024

View reviewed changes

hbase-server/pom.xml Show resolved Hide resolved

This comment has been minimized.

Sign in to view

- Switch to build-helper-maven-plugin

57942b6

NihalJain force-pushed the HBASE-28921_v2 branch from 68ea60a to 57942b6 Compare October 24, 2024 18:37

NihalJain commented Oct 24, 2024

View reviewed changes

NihalJain requested a review from stoty October 24, 2024 18:41

This comment has been minimized.

Sign in to view

stoty reviewed Oct 25, 2024

View reviewed changes

hbase-server/pom.xml Show resolved Hide resolved

stoty approved these changes Oct 25, 2024

View reviewed changes

This comment has been minimized.

Sign in to view

NihalJain force-pushed the HBASE-28921_v2 branch from 552c419 to bc8ef80 Compare October 28, 2024 06:27

- Revert dummy whitespace changes

434a3ed

NihalJain force-pushed the HBASE-28921_v2 branch from bc8ef80 to 434a3ed Compare October 28, 2024 06:28

NihalJain requested a review from Apache9 October 28, 2024 06:29

NihalJain merged commit 16c51d8 into apache:master Nov 4, 2024
1 check passed

NihalJain mentioned this pull request Nov 4, 2024

HBASE-28921 Avoid bundling hbase-webapps folder in default jars #6429

Merged

NihalJain mentioned this pull request Nov 4, 2024

HBASE-28921 Avoid bundling hbase-webapps folder in default jars #6430

Merged

NihalJain mentioned this pull request Nov 4, 2024

HBASE-28921 Avoid bundling hbase-webapps folder in default jars #6431

Merged

NihalJain mentioned this pull request Nov 4, 2024

HBASE-28921 Avoid bundling hbase-webapps folder in default jars #6432

Merged

NihalJain mentioned this pull request Mar 27, 2025

HBASE-27802 Manage static javascript resources programatically #6864

Merged

HBASE-28921 Avoid bundling hbase-webapps folder in default jars #6388

HBASE-28921 Avoid bundling hbase-webapps folder in default jars #6388

Uh oh!

Conversation

NihalJain commented Oct 23, 2024

Uh oh!

NihalJain commented Oct 23, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

NihalJain Oct 23, 2024

Choose a reason for hiding this comment

Uh oh!

NihalJain Oct 24, 2024

Choose a reason for hiding this comment

Uh oh!

NihalJain commented Oct 23, 2024 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

This comment has been minimized.

This comment has been minimized.

Uh oh!

This comment has been minimized.

NihalJain commented Oct 24, 2024

Uh oh!

NihalJain Oct 24, 2024

Choose a reason for hiding this comment

Uh oh!

Apache9 Oct 26, 2024

Choose a reason for hiding this comment

Uh oh!

NihalJain Oct 28, 2024

Choose a reason for hiding this comment

Uh oh!

This comment has been minimized.

This comment has been minimized.

Uh oh!

stoty left a comment

Choose a reason for hiding this comment

Uh oh!

This comment has been minimized.

This comment has been minimized.

Apache-HBase commented Oct 28, 2024

Uh oh!

Apache-HBase commented Oct 28, 2024

Uh oh!

NihalJain commented Oct 29, 2024

Uh oh!

Uh oh!

Uh oh!

NihalJain commented Oct 23, 2024 •

edited

Loading

NihalJain commented Oct 23, 2024 •

edited

Loading