[jira] [Resolved] (HBASE-26530) Backport HBASE-26524 Support remove coprocessor by class name via alter table command

2021-12-10 Thread Tak-Lon (Stephen) Wu (Jira)


[ https://issues.apache.org/jira/browse/HBASE-26530?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Tak-Lon (Stephen) Wu resolved HBASE-26530.
--
Hadoop Flags: Reviewed
  Resolution: Fixed

> Backport HBASE-26524 Support remove coprocessor by class name via alter table command
> --
>
> Key: HBASE-26530
> URL: https://issues.apache.org/jira/browse/HBASE-26530
> Project: HBase
> Issue Type: Task
> Components: Coprocessors, shell
> Affects Versions: 2.5.0
> Reporter: Tak-Lon (Stephen) Wu
> Assignee: Tak-Lon (Stephen) Wu
> Priority: Major
> Fix For: 2.6.0
>
>
> porting HBASE-26524 to branch-2



--
This message was sent by Atlassian Jira
(v8.20.1#820001)


[RESULT][VOTE] The second release candidate for hbase-thirdparty 4.0.0 is available for download

2021-12-10 Thread Duo Zhang
Oh I forgot to change the title...

张铎(Duo Zhang) wrote on Fri, Dec 10, 2021 at 13:41:

> With 4 binding +1s, no -1, the vote passes.
>
> Let me push out the release.
>
> Thanks all for voting!
>
> 张铎(Duo Zhang) wrote on Fri, Dec 10, 2021 at 13:40:
>
>> Here is my +1, I've been testing it by opening a PR against hbase master
>> branch and it works.
>>
>> See https://github.com/apache/hbase/pull/3910
>>
>> Yu Li wrote on Fri, Dec 10, 2021 at 09:37:
>>
>>> +1
>>>
>>> Checked the diff between 3.5.1 and 4.0.0-rc1: OK (
>>> https://github.com/apache/hbase-thirdparty/compare/rel/3.5.1...4.0.0RC1)
>>> Checked release note and changes: OK
>>> Checked sums and signatures: OK
>>> Maven clean install from source (1.8.0_121): OK
>>> - Minor: I tried to build a tarball from source following README but failed
>>> with "No assembly descriptors found" error
>>> Checked the jars in the staging repo: OK
>>>
>>> btw, I haven't followed up for a while and could anyone kindly let me know
>>> where to find this fancy hbase-vote.sh script, so next time I could also
>>> try it out? Thanks :-)
>>>
>>> Best Regards,
>>> Yu
>>>
>>>
>>> On Fri, 10 Dec 2021 at 05:46, Nick Dimiduk  wrote:
>>>
>>> > +1
>>> >
>>> > I've used the hbase-vote.sh script to evaluate this artifact and there's a
>>> > problem in the final `run_tests`, executed after `build_from_source`.
>>> >
>>> > * Signature: ok
>>> > * Checksum : ok
>>> > * Rat check (11.0.11): ok
>>> >  - mvn clean apache-rat:check
>>> > * Built from source (11.0.11): ok
>>> >  - mvn clean install  -DskipTests
>>> > * Unit tests pass (11.0.11): failed
>>> >  - mvn package -P runAllTests -Dsurefire.rerunFailingTestsCount=3
>>> >
>>> > [WARNING] The requested profile "runAllTests" could not be activated because it does not exist.
>>> > [ERROR] Failed to execute goal org.apache.maven.plugins:maven-shade-plugin:3.2.4:shade (default) on project hbase-shaded-jackson-jaxrs-json-provider: Error creating shaded jar: duplicate entry: META-INF/services/org.apache.hbase.thirdparty.javax.ws.rs.ext.MessageBodyWriter
>>> >
>>> > Manually running `mvn clean package` within the source tarball, we succeed.
>>> >
>>> > I have also triggered a PR build of HBASE-25864 / PR#3243 that uses this
>>> > RC. The tests are still running.
>>> >
>>> > https://ci-hadoop.apache.org/blue/organizations/jenkins/HBase%2FHBase-PreCommit-GitHub-PR/detail/PR-3243/5/pipeline/
>>> >
>>> > On Tue, Dec 7, 2021 at 6:02 PM 张铎(Duo Zhang) wrote:
>>> >
>>> > > Ah, Thanks Nick for explaining and thanks Andrew for testing.
>>> > >
>>> > > We still need one more +1 to close this vote.
>>> > >
>>> > > Andrew Purtell wrote on Tue, Dec 7, 2021 at 05:50:
>>> > >
>>> > > > Ok, change my vote to +1 (binding). The hbase-thirdparty build and
>>> > > > artifacts are good.
>>> > > >
>>> > > > > On Dec 6, 2021, at 1:18 PM, Nick Dimiduk wrote:
>>> > > > >
>>> > > > > On Mon, Dec 6, 2021 at 11:49 AM Andrew Purtell <apurt...@apache.org> wrote:
>>> > > > >
>>> > > > >> -1 (binding)
>>> > > > >>
>>> > > > >> Checked sums and signature, ok
>>> > > > >> RAT check passed, ok
>>> > > > >> Built from source, ok
>>> > > > >> Built HEAD of master (d9315fa043) with -Dhbase-thirdparty.version=4.0.0,
>>> > > > >> hbase-http module tests fail
>>> > > > >>
>>> > > > >
>>> > > > > Adoption of this dependency will require changes to master. I had posted
>>> > > > > necessary changes on https://github.com/apache/hbase/pull/3243 and Duo did
>>> > > > > his own on https://github.com/apache/hbase/pull/3910.
>>> > > > >
>>> > > > >> [ERROR] Tests run: 17, Failures: 0, Errors: 1, Skipped: 2, Time elapsed: 2.29 s <<< FAILURE! - in org.apache.hadoop.hbase.http.TestHttpServer
>>> > > > >> [ERROR] org.apache.hadoop.hbase.http.TestHttpServer.testJersey Time elapsed: 0.123 s  <<< ERROR!
>>> > > > >> java.io.FileNotFoundException: http://localhost:55106/jersey/foo?op=bar
>>> > > > >> at sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1898)
>>> > > > >> at sun.net.www.protocol.http.HttpURLConnection.access$200(HttpURLConnection.java:92)
>>> > > > >> at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1492)
>>> > > > >> at sun.net.www.protocol.http.HttpURLConnection$9.run(HttpURLConnection.java:1490)
>>> > > > >> at java.security.AccessController.doPrivileged(Native Method)
>>> > > > >> at java.security.AccessController.doPrivilegedWithCombiner(AccessController.java:784)
>>> > > > >> at

[jira] [Created] (HBASE-26559) Put up 3.0.0-alpha-2RC0

2021-12-10 Thread Duo Zhang (Jira)
Duo Zhang created HBASE-26559:
-

 Summary: Put up 3.0.0-alpha-2RC0
 Key: HBASE-26559
 URL: https://issues.apache.org/jira/browse/HBASE-26559
 Project: HBase
  Issue Type: Sub-task
  Components: community
Reporter: Duo Zhang








[jira] [Resolved] (HBASE-26557) log4j2 has a critical RCE vulnerability

2021-12-10 Thread Duo Zhang (Jira)


[ https://issues.apache.org/jira/browse/HBASE-26557?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Duo Zhang resolved HBASE-26557.
---
Fix Version/s: 3.0.0-alpha-2
 Hadoop Flags: Reviewed
 Release Note: Upgrade log4j2 to 2.15.0 for addressing CVE-2021-44228.
   Resolution: Fixed

Merged to master.

Thanks [~xytss123] for the quick action.

> log4j2 has a critical RCE vulnerability
> ---
>
> Key: HBASE-26557
> URL: https://issues.apache.org/jira/browse/HBASE-26557
> Project: HBase
> Issue Type: Bug
> Reporter: Yutong Xiao
> Assignee: Yutong Xiao
> Priority: Major
> Fix For: 3.0.0-alpha-2
>
>
> Impacted log4j version: Apache Log4j 2.x <= 2.14.1
> I found that our current log4j version at master is 2.14.1.
> Should upgrade the version to 2.15.0





[jira] [Created] (HBASE-26558) Set version as 3.0.0-alpha-2 in master in prep for first RC of 3.0.0-alpha-2

2021-12-10 Thread Duo Zhang (Jira)
Duo Zhang created HBASE-26558:
-

 Summary: Set version as 3.0.0-alpha-2 in master in prep for first RC of 3.0.0-alpha-2
 Key: HBASE-26558
 URL: https://issues.apache.org/jira/browse/HBASE-26558
 Project: HBase
  Issue Type: Sub-task
  Components: build, pom
Reporter: Duo Zhang








Re: [NOTICE] Apache log4j2 security vulnerability

2021-12-10 Thread Duo Zhang
Seems the 2.15.0 is already out. The log4j community decided to close the
vote earlier to solve the critical security issue.

A developer in our community has already filed an issue and opened a PR.

https://issues.apache.org/jira/browse/HBASE-26557
https://github.com/apache/hbase/pull/3933

Let's get the PR merged and publish 3.0.0-alpha-2 ASAP.

Tak Lon (Stephen) Wu wrote on Fri, Dec 10, 2021 at 13:44:

> Thanks for sharing! I found another post [2] that said how to perform such
> an attack.
>
> Should we have a JIRA and keep tracking the solution for it?
>
> [2] https://www.lunasec.io/docs/blog/log4j-zero-day/
>
> -Stephen
>
> On Thu, Dec 9, 2021 at 8:09 PM 张铎(Duo Zhang) wrote:
>
> > See this PR
> >
> > https://github.com/apache/logging-log4j2/pull/608
> >
> > Although the final 2.15.0 release for log4j2 has not been published yet, at
> > least on the Chinese internet the details and how to make use of
> > this vulnerability has already been public[1].
> >
> > HBase 3.0.0-alpha-1 is affected, so once 2.15.0 is out, we will push a
> > 3.0.0-alpha-2 release out soon. And for those who already use HBase
> > 3.0.0-alpha-1, please consider using the following ways to disable JNDI
> >
> > Add '-Dlog4j2.formatMsgNoLookups=true' when starting JVM
> > Add 'log4j2.formatMsgNoLookups=True' to config file
> > 'export FORMAT_MESSAGES_PATTERN_DISABLE_LOOKUPS=true' before starting JVM
> >
> > Thanks.
> >
> > 1. https://nosec.org/home/detail/4917.html
> >
>
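
As an added example (not part of the thread and not HBase's own tooling), a POSIX shell check an operator could run: it flags `log4j-core` jars in the range HBASE-26557 gives as impacted (2.x <= 2.14.1), comparing versions numerically, and tests whether a JVM options string carries the `-Dlog4j2.formatMsgNoLookups=true` flag quoted above. The function names, the file-name matching and the sample directory are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: thresholds come from the thread (impacted 2.x <= 2.14.1).
LAST_IMPACTED="2.14.1"

# ver_num VERSION: print MAJOR.MINOR.PATCH as one integer (subshell keeps IFS local).
ver_num() (
  v=${1%%-*}                 # drop qualifiers such as "-beta9" or "-tests"
  IFS=.
  set -- $v
  echo $(( ${1:-0} * 1000000 + ${2:-0} * 1000 + ${3:-0} ))
)

# is_impacted VERSION: succeed for log4j 2.x at or below LAST_IMPACTED.
# Numeric comparison matters: as strings, "2.9.1" sorts after "2.14.1".
is_impacted() {
  case $1 in 2.*) ;; *) return 1 ;; esac
  [ "$(ver_num "$1")" -le "$(ver_num "$LAST_IMPACTED")" ]
}

# scan_jars DIR: print one verdict line per log4j-core jar found under DIR.
# Matches by file name only; log4j classes bundled in other jars are missed.
scan_jars() {
  find "$1" -type f -name 'log4j-core-*.jar' | sort | while IFS= read -r jar; do
    ver=${jar##*/log4j-core-}; ver=${ver%.jar}
    if is_impacted "$ver"; then
      echo "IMPACTED $ver $jar"
    else
      echo "ok $ver $jar"
    fi
  done
}

# has_nolookups_flag "JVM OPTIONS": succeed if the option quoted in the
# thread is present with value true (any letter case).
has_nolookups_flag() {
  for opt in $1; do
    case $opt in
      -Dlog4j2.formatMsgNoLookups=[Tt][Rr][Uu][Ee]) return 0 ;;
    esac
  done
  return 1
}

# Constructed sample: empty files named like jars, and a made-up option string.
demo_dir=$(mktemp -d)
touch "$demo_dir/log4j-core-2.14.1.jar" "$demo_dir/log4j-core-2.15.0.jar"
scan_jars "$demo_dir"
has_nolookups_flag "-Xmx4g -Dlog4j2.formatMsgNoLookups=true" && echo "flag present"
rm -rf "$demo_dir"
```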