-
Notifications
You must be signed in to change notification settings - Fork 3.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
HBASE-28921 Skip bundling hbase-webapps folder in jars #6368
base: master
Are you sure you want to change the base?
Conversation
Built hbase locally, untarred and start master, rest and thrift server. And then verified following:
|
🎊 +1 overall
This message was automatically generated. |
🎊 +1 overall
This message was automatically generated. |
Are the webapps found in development mode (i.e. when starting HBase from the source directory) ? |
Should be available since we have following code at Line 204 in a8fbac6
Have never tried launching hbase from source directory. Let me try that as well. |
Verified starting master, rest and thrift from source directory with this patch. All web UIs work fine.
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
+1 LGTM
Thank you @stoty for reviewing. I will merge this to branch-2+ by EOD. |
Since this is a security imrovement, I would consider merging this to all active branches. |
Actually, you are right. Will push to all active branches. |
We are bundling all webapp resources in hbase-server, hbase-thrift, hbase-rest and transitively to hbase-shaded-mapreduce jar. This can be an issue, say if any of the Js projects used by hbase are vulnerable, security scan tools like sonatype start flagging the jars too as vulnerable since they contain vulnerable code.
With this JIRA, we want to avoid bundling static webapp resources in our jars.