[ https://issues.apache.org/jira/browse/HBASE-26284?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Wellington Chevreuil reassigned HBASE-26284:
--------------------------------------------

    Assignee: Dóra Horváth

> Add HBase Thrift API to get all table names along with whether it is enabled or not
> -----------------------------------------------------------------------------------
>
>                 Key: HBASE-26284
>                 URL: https://issues.apache.org/jira/browse/HBASE-26284
>             Project: HBase
>          Issue Type: New Feature
>          Components: Thrift
>    Affects Versions: 2.2.7, 2.4.6
>            Reporter: Dóra Horváth
>            Assignee: Dóra Horváth
>            Priority: Major
>
> When loading the Hue HBase page, Hue will first get all the table names in one
> Thrift call, then Hue will send a request as a new connection to the HBase Thrift
> server for each table to check if the table is enabled or not. When the
> number of tables becomes big, for example a few hundred, Hue will have the
> chance to fail to show the table list, and it shows an error message on the Hue
> web UI: "Api Error: Unable to authenticate". In the HBase Thrift server log, we
> can see an error message; below is an example from a test environment:
> ======================================
> 2020-07-02 21:54:01,025 INFO org.apache.hadoop.hbase.thrift.ThriftHttpServlet: Failed to authenticate with HTTP/[...]@HADOOP.COM kerberos principal
> 2020-07-02 21:54:01,025 ERROR org.apache.hadoop.hbase.thrift.ThriftHttpServlet: Kerberos Authentication failed
> org.apache.hadoop.hbase.thrift.HttpAuthenticationException: java.lang.reflect.UndeclaredThrowableException
> ......
> Caused by: java.lang.reflect.UndeclaredThrowableException
> ......
> Caused by: org.apache.hadoop.hbase.thrift.HttpAuthenticationException: Kerberos authentication failed:
> ......
> Caused by: GSSException: Failure unspecified at GSS-API level (Mechanism level: Request is a replay (34))
> ......
> Caused by: KrbException: Request is a replay (34)
> ======================================
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> My current understanding of the cause is that Hue sends requests so fast that
> it has the chance to send 2 requests with the same Kerberos authenticator
> (the timestamp is the same), so the HBase Thrift server will think this is a replay
> attack. We came up with this assumption based on tcpdump observation and this
> document: https://web.mit.edu/kerberos/krb5-latest/doc/basic/rcache_def.html
>
> If the HBase Thrift server can have an API call that Hue can call once to get
> all table names along with whether each is enabled or not, we can avoid the above issue.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
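
The collision the reporter suspects can be reproduced with a simplified model of the replay check in RFC 4120 section 3.2.3, which rejects an authenticator whose server name, client name, time and microsecond fields match a recently seen tuple. This is an added example, not code from Hue, HBase or the issue; the principal names, request spacing and clock resolution are constructed assumptions, and real replay caches (MIT krb5, the JDK) differ in what they store.

```python
"""Simplified model of the service-side replay check in RFC 4120, section 3.2.3."""
from dataclasses import dataclass, field

KRB_AP_ERR_REPEAT = 34  # surfaces in the log above as "Request is a replay (34)"

@dataclass
class ReplayCache:
    """Remembers (client, server, ctime, cusec) tuples inside the clock-skew window."""
    skew_seconds: int = 300
    seen: dict = field(default_factory=dict)  # tuple -> second it was first seen

    def check(self, client, server, ctime, cusec, now):
        # Drop entries that have aged out of the allowed skew window.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= self.skew_seconds}
        key = (client, server, ctime, cusec)
        if key in self.seen:
            return KRB_AP_ERR_REPEAT
        self.seen[key] = now
        return 0

def simulate(num_requests, interval_us, clock_resolution_us):
    """Send num_requests authenticators interval_us apart; return how many are rejected.

    clock_resolution_us is the granularity of the client's authenticator timestamp
    (1000 models a millisecond clock with no per-request microsecond counter).
    """
    cache = ReplayCache()
    rejected = 0
    start_us = 1_593_726_841_000_000  # constructed start time, in microseconds
    for i in range(num_requests):
        t_us = start_us + i * interval_us
        stamped = t_us - (t_us % clock_resolution_us)  # truncate to clock resolution
        ctime, cusec = divmod(stamped, 1_000_000)
        # Principal names are constructed placeholders, not values from the report.
        rc = cache.check("hue/client@EXAMPLE.COM", "HTTP/thrift@EXAMPLE.COM",
                         ctime, cusec, now=t_us // 1_000_000)
        if rc == KRB_AP_ERR_REPEAT:
            rejected += 1
    return rejected

if __name__ == "__main__":
    # One call per table: 300 requests 400 us apart, millisecond timestamps.
    print("per-table calls rejected:", simulate(300, 400, 1000))
    # Same burst with microsecond-resolution timestamps: no two tuples match.
    print("with microsecond stamps: ", simulate(300, 400, 1))
    # One batched call carrying every table's state has nothing to collide with.
    print("single batched call:     ", simulate(1, 400, 1000))
```

In this model the rejections come entirely from timestamp granularity relative to request rate, which is why collapsing the per-table calls into one request removes them without touching the replay cache.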