Andrew Purtell | 25 May 18:32 2015

CVE-2015-1836: Apache HBase remote denial of service, information integrity, and information disclosure vulnerability

CVE-2015-1836: Apache HBase remote denial of service, information
integrity, and information disclosure vulnerability.

Severity: Important

Vendor: The Apache Software Foundation

Versions Affected:

HBase 0.98.0 - 0.98.12
HBase 1.0.0 - 1.0.1
HBase 1.1.0

The unsupported HBase 0.96 versions are also affected.

Description:

A logic error caused HBase in most secure configuration deployments to
handle its coordination state in ZooKeeper via insecure ACLs. Anyone with
remote unauthenticated network access to the ZooKeeper quorum, which by
definition includes all HBase clients, can make use of this opening to
degrade or completely stop availability. Any user with the authentication
credentials needed to connect to the HBase cluster as a normal user can, in
some configurations, read newly written HBase data that they are not
authorized to see. We believe it is possible for any user with
authentication credentials for the underlying HDFS cluster to write
arbitrary HBase data. Work to confirm this last attack vector is ongoing
and this announcement will be updated when we have more information.

Mitigation:

Andrew Purtell | 25 May 18:32 2015

[ANNOUNCE] HBase 1.1.0.1 is now available for download

Apache HBase 1.1.0.1 is now available for download. Get it from an Apache
mirror [1] or Maven repository.

This is a patch release containing an important security fix for CVE-2015-1836
(Apache HBase remote denial of service, information integrity, and
information disclosure vulnerability). All deployments of any 1.0.x release
with security features enabled should upgrade to this release as soon as
possible.

Best,
The HBase Dev Team

1. http://www.apache.org/dyn/closer.cgi/hbase/

Andrew Purtell | 25 May 18:32 2015

[ANNOUNCE] HBase 1.0.1.1 is now available for download

Apache HBase 1.0.1.1 is now available for download. Get it from an Apache
mirror [1] or Maven repository.

This is a patch release containing an important security fix for CVE-2015-1836
(Apache HBase remote denial of service, information integrity, and
information disclosure vulnerability). All deployments of any 1.0.x release
with security features enabled should upgrade to this release as soon as
possible.

Best,
The HBase Dev Team

1. http://www.apache.org/dyn/closer.cgi/hbase/

Andrew Purtell | 25 May 18:31 2015

[ANNOUNCE] HBase 0.98.12.1 is now available for download

Apache HBase 0.98.12.1 is now available for download. Get it from an Apache
mirror [1] or Maven repository.

This is a patch release containing an important security fix
for CVE-2015-1836 (Apache HBase remote denial of service, information
integrity, and information disclosure vulnerability). All deployments of
any 0.98.x release with security features enabled should upgrade to this
release as soon as possible.

Best,
The HBase Dev Team

1. http://www.apache.org/dyn/closer.cgi/hbase/

apache | 24 May 17:43 2015

Issues with import from 0.92 into 0.98

Hello all-

I'm hoping someone can point me in the right direction as I've exhausted
all my knowledge and abilities on the topic...

I've inherited an old, poorly configured and brittle CDH4 cluster
running HBase 0.92. I'm attempting to migrate the data to a new Ambari
cluster running HBase 0.98. I'm attempting to do this without changing
anything on the old cluster as I have a hard enough time keeping it
running as is. Also, due to configuration issues with the old cluster
(on AWS), a direct HBase to HBase table copy, or even HDFS to HDFS copy
is out of the question at the moment. 

I was able to use the export task on the old cluster to dump the HBase
tables to HDFS, which I then distcp s3n copied up to S3, then back down
to the new  cluster, then used the HBase importer. This appears to work
fine...

... except that on the new cluster table scans with column filters do
not work. 

A sample row looks something like this:
A:9223370612274019807:twtr:56935907581904486 column=x:twitter:username,
timestamp=1424592575087, value=Bilo Selhi

Unfortunately, even though I can see the column is properly defined, I
cannot filter on it:

hbase(main):015:0> scan 'content' , {LIMIT=>10,
COLUMNS=>'x:twitter:username'}

Bryan Beaudreault | 22 May 19:17 2015

DNS mismatch between master and regionserver causes doubly registered regionservers

In our system each server has 2 dns associated with it, one always points
to a private address and the other to public or private depending on the
context.

This issue did not show up in 0.94.x, but is showing up on my new 1.x
cluster.  Basically it goes like this:

1. Regionserver starts up, gets its hostname which returns
`hostA.external` due to our /etc/hosts
2. Regionserver registers itself in zookeeper as `hostA.external`
3. Regionserver reports for duty in to HMaster, which re-resolves the DNS
and returns `hostA.internal`.
4. HMaster registers server as `hostA.internal`
5. Regionserver receives the RegionServerStartupResponse, which contains
`hostA.internal` and uses that for its RPCs
6. HMaster sees a ZNode with `hostA.external`, so thinks it is a
regionserver that hasn't checked in yet, and registers it.

So I think the problem is that step #2 happens before step #5.  You can
clearly see this in the HRegionServer.java run() function.

In 0.94, the `createMyEphemeralNode` function was called within
`handleReportForDutyResponse`.  In 1.x, it happens within `run()` BEFORE
`handleReportForDutyResponse`.

I can work around this by handling /etc/hosts specially for my
regionservers.  We have our /etc/hosts file set up like this for a reason,
but I think I can special case regionservers.

However, it seems like a bug that there are mechanisms built in for the

Shi, Shaofeng | 22 May 11:35 2015

Can TableSnapshotInputFormat support multiple snapshots as the MR input?

Hello,

We have a scenario which needs to merge multiple HBase tables into one table periodically. To gain better
performance and minimize the impact on the HBase server, we are evaluating the method of using
TableSnapshotInputFormat (http://www.slideshare.net/enissoz/mapreduce-over-snapshots), but
from the API we see it only allows one snapshot as input. Is it possible to change it to allow multiple snapshots?

Thanks in advance for any advice;

Shaofeng Shi
Apache Kylin

Dominik Hübner | 22 May 09:50 2015

Many rows vs many columns

Is it better to aggregate more data in a single row with more columns or to aim for having rather short but
many rows?
I remember having read somewhere that it doesn’t really matter as physical layout would be the same, but
cannot find this reference anymore.

charlse_Li | 22 May 09:02 2015

Some questions about memstore flush

Dear all, I have some confusion about memstore flush: how does the parameter
hbase.hregion.memstore.flush.size impact the time when FlushHandler executes memstore flush? Thanks
 
2015-05-22


charlse_Li

Shushant Arora | 22 May 06:57 2015

avoiding hot spot for timestamp prefix key

Can I avoid hotspot of region with custom region split policy in hbase >0.96?

Key is of the form timestamp#guid.
So can I have custom region split policy and use second part of key (i.e.
guid) as region split criteria and avoid hot spot?

[ANNOUNCE] Apache Phoenix 4.4-0-HBase-1.0 released

The Apache Phoenix team is pleased to announce the immediate
availability of the 4.4.0-HBase-1.0 release compatible with HBase
1.0.x (1.0.1+).

The 4.4.0-HBase-1.0 release has feature parity with our 4.4.0-HBase-0.98
release.

Extra features include:
- support HBase HA Query (timeline-consistent region replica read) [1]
- alter session query support

The release is available through maven or may be downloaded here[2].

Thanks to all the contributors who made this release possible!

Regards,
The Apache Phoenix Team

[1] https://issues.apache.org/jira/browse/PHOENIX-1683
[2] http://phoenix.apache.org/download.html
