From bc9d27d85d4c57f8edaf116fb696e0555f7b1a97 Mon Sep 17 00:00:00 2001 From: Maxi Wittich Date: Tue, 21 Oct 2025 12:11:13 +0200 Subject: [PATCH 1/9] Adding troubleshooting for kerberos --- .../hbase/pages/troubleshooting/index.adoc | 18 ++++++++++++++++++ docs/modules/hbase/partials/nav.adoc | 1 + 2 files changed, 19 insertions(+) create mode 100644 docs/modules/hbase/pages/troubleshooting/index.adoc diff --git a/docs/modules/hbase/pages/troubleshooting/index.adoc b/docs/modules/hbase/pages/troubleshooting/index.adoc new file mode 100644 index 00000000..0ed73420 --- /dev/null +++ b/docs/modules/hbase/pages/troubleshooting/index.adoc @@ -0,0 +1,18 @@ += Troubleshooting + +== Hbase access with kerberos authentication + +Currently, xref:zookeeper-operator:index.adoc[Zookeeper] is not secured with authentication. This means, if an application tries to connect to Hbase, it would ask the zookeeper quorum to figure the correct nodes to talk to. In a Java world, you would define a `Client` which would carry the kerberos requirements. + +However, those requirements might be passed through and thus your client ( e.g. xref:spark-k8s-operator:usage-guide:operations:applications.adoc[SparkApplications] ) would try to authenticate with kerberos at the corresponding Zookeeper endpoint. This will result in a kerberos ( authentication ) error. + +To prevent this, you can set a jvm argument like ( again e.g. SparkApplications ) + +[source,yaml] +---- +jvmArgumentOverrides: + add: + - "-Dzookeeper.sasl.client=false" +---- + +in all pods which would like to talk to Hbase. \ No newline at end of file diff --git a/docs/modules/hbase/partials/nav.adoc b/docs/modules/hbase/partials/nav.adoc index 06f2167b..262bc3b1 100644 --- a/docs/modules/hbase/partials/nav.adoc +++ b/docs/modules/hbase/partials/nav.adoc @@ -25,3 +25,4 @@ ** xref:hbase:reference/discovery.adoc[] ** xref:hbase:reference/commandline-parameters.adoc[] ** xref:hbase:reference/environment-variables.adoc[] +* xref:hbase:troubleshooting/index.adoc[] From f58f37c42e91735ddd7988cbef515df7591aff4b Mon Sep 17 00:00:00 2001 From: Maxi Wittich Date: Tue, 21 Oct 2025 12:33:11 +0200 Subject: [PATCH 2/9] Updating xref references --- docs/modules/hbase/pages/troubleshooting/index.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/modules/hbase/pages/troubleshooting/index.adoc b/docs/modules/hbase/pages/troubleshooting/index.adoc index 0ed73420..63ce6ad2 100644 --- a/docs/modules/hbase/pages/troubleshooting/index.adoc +++ b/docs/modules/hbase/pages/troubleshooting/index.adoc @@ -2,9 +2,9 @@ == Hbase access with kerberos authentication -Currently, xref:zookeeper-operator:index.adoc[Zookeeper] is not secured with authentication. This means, if an application tries to connect to Hbase, it would ask the zookeeper quorum to figure the correct nodes to talk to. In a Java world, you would define a `Client` which would carry the kerberos requirements. +Currently, xref:zookeeper:index.adoc[Zookeeper] is not secured with authentication. This means, if an application tries to connect to Hbase, it would ask the zookeeper quorum to figure the correct nodes to talk to. In a Java world, you would define a `Client` which would carry the kerberos requirements. -However, those requirements might be passed through and thus your client ( e.g. xref:spark-k8s-operator:usage-guide:operations:applications.adoc[SparkApplications] ) would try to authenticate with kerberos at the corresponding Zookeeper endpoint. This will result in a kerberos ( authentication ) error. +However, those requirements might be passed through and thus your client ( e.g. xref:spark-k8s:usage-guide:operations:applications.adoc[SparkApplications] ) would try to authenticate with kerberos at the corresponding Zookeeper endpoint. This will result in a kerberos ( authentication ) error. To prevent this, you can set a jvm argument like ( again e.g. SparkApplications ) From 8d8db266224c5cf9e9ca18dda650d5e63f2276a9 Mon Sep 17 00:00:00 2001 From: Maxi Wittich Date: Tue, 21 Oct 2025 12:54:41 +0200 Subject: [PATCH 3/9] Adding newline eof --- docs/modules/hbase/pages/troubleshooting/index.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/modules/hbase/pages/troubleshooting/index.adoc b/docs/modules/hbase/pages/troubleshooting/index.adoc index 63ce6ad2..65ae6d0c 100644 --- a/docs/modules/hbase/pages/troubleshooting/index.adoc +++ b/docs/modules/hbase/pages/troubleshooting/index.adoc @@ -15,4 +15,4 @@ jvmArgumentOverrides: - "-Dzookeeper.sasl.client=false" ---- -in all pods which would like to talk to Hbase. \ No newline at end of file +in all pods which would like to talk to Hbase. From 97ea405135535f8c974f1bbc1c07934828b11568 Mon Sep 17 00:00:00 2001 From: Maximilian Wittich <56642549+Maleware@users.noreply.github.com> Date: Mon, 1 Dec 2025 10:02:03 +0100 Subject: [PATCH 4/9] Add suggestions Co-authored-by: Sebastian Bernauer --- .../hbase/pages/troubleshooting/index.adoc | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) diff --git a/docs/modules/hbase/pages/troubleshooting/index.adoc b/docs/modules/hbase/pages/troubleshooting/index.adoc index 65ae6d0c..da9890d0 100644 --- a/docs/modules/hbase/pages/troubleshooting/index.adoc +++ b/docs/modules/hbase/pages/troubleshooting/index.adoc @@ -1,18 +1,19 @@ = Troubleshooting -== Hbase access with kerberos authentication +== HBase access with Kerberos authentication -Currently, xref:zookeeper:index.adoc[Zookeeper] is not secured with authentication. This means, if an application tries to connect to Hbase, it would ask the zookeeper quorum to figure the correct nodes to talk to. In a Java world, you would define a `Client` which would carry the kerberos requirements. +Currently, xref:zookeeper:index.adoc[Zookeeper] stacklets can only be secured using mutual TLS. +This means, if an application tries to connect to HBase, it would contact Zookeeper to figure the correct HBase nodes to talk to. +In a Java world, you would define a `Client` which would carry the Kerberos requirements. -However, those requirements might be passed through and thus your client ( e.g. xref:spark-k8s:usage-guide:operations:applications.adoc[SparkApplications] ) would try to authenticate with kerberos at the corresponding Zookeeper endpoint. This will result in a kerberos ( authentication ) error. +However, those requirements might be passed through and thus your client (e.g. xref:spark-k8s:usage-guide:operations:applications.adoc[SparkApplications]) would try to authenticate with Kerberos at the corresponding Zookeeper endpoint. +This will result in a Kerberos ( authentication ) error. -To prevent this, you can set a jvm argument like ( again e.g. SparkApplications ) +To prevent this, you can set a JVM argument like this (again e.g. SparkApplications) in all Pods which would like to talk to HBase: [source,yaml] ---- jvmArgumentOverrides: - add: - - "-Dzookeeper.sasl.client=false" + add: + - "-Dzookeeper.sasl.client=false" ---- - -in all pods which would like to talk to Hbase. From 62da960f52984f4af2e5f1cd3e74253690f7eb15 Mon Sep 17 00:00:00 2001 From: Maxi Wittich Date: Mon, 1 Dec 2025 10:05:44 +0100 Subject: [PATCH 5/9] Adding jvm-argument-overrides link --- docs/modules/hbase/pages/troubleshooting/index.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/modules/hbase/pages/troubleshooting/index.adoc b/docs/modules/hbase/pages/troubleshooting/index.adoc index da9890d0..080ce7db 100644 --- a/docs/modules/hbase/pages/troubleshooting/index.adoc +++ b/docs/modules/hbase/pages/troubleshooting/index.adoc @@ -9,7 +9,7 @@ In a Java world, you would define a `Client` which would carry the Kerberos requ However, those requirements might be passed through and thus your client (e.g. xref:spark-k8s:usage-guide:operations:applications.adoc[SparkApplications]) would try to authenticate with Kerberos at the corresponding Zookeeper endpoint. This will result in a Kerberos ( authentication ) error. -To prevent this, you can set a JVM argument like this (again e.g. SparkApplications) in all Pods which would like to talk to HBase: +To prevent this, you can set a xref:concepts:overrides.adoc#jvm-argument-overrides[JVM argument] like this (again e.g. SparkApplications) in all Pods which would like to talk to HBase: [source,yaml] ---- From f1692e6d1621c8291189b38fcf662b8c138173b9 Mon Sep 17 00:00:00 2001 From: Maxi Wittich Date: Mon, 1 Dec 2025 10:55:38 +0100 Subject: [PATCH 6/9] Fixing link to applications.adoc --- docs/modules/hbase/pages/troubleshooting/index.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/modules/hbase/pages/troubleshooting/index.adoc b/docs/modules/hbase/pages/troubleshooting/index.adoc index 080ce7db..91aeda8f 100644 --- a/docs/modules/hbase/pages/troubleshooting/index.adoc +++ b/docs/modules/hbase/pages/troubleshooting/index.adoc @@ -6,7 +6,7 @@ Currently, xref:zookeeper:index.adoc[Zookeeper] stacklets can only be secured us This means, if an application tries to connect to HBase, it would contact Zookeeper to figure the correct HBase nodes to talk to. In a Java world, you would define a `Client` which would carry the Kerberos requirements. -However, those requirements might be passed through and thus your client (e.g. xref:spark-k8s:usage-guide:operations:applications.adoc[SparkApplications]) would try to authenticate with Kerberos at the corresponding Zookeeper endpoint. +However, those requirements might be passed through and thus your client (e.g. xref:spark-k8s:usage-guide:operations/applications.adoc[SparkApplications]) would try to authenticate with Kerberos at the corresponding Zookeeper endpoint. This will result in a Kerberos ( authentication ) error. To prevent this, you can set a xref:concepts:overrides.adoc#jvm-argument-overrides[JVM argument] like this (again e.g. SparkApplications) in all Pods which would like to talk to HBase: From 0c89d8fc38b5e4ed879266fa0bf9514c1945a842 Mon Sep 17 00:00:00 2001 From: Maxi Wittich Date: Mon, 1 Dec 2025 11:00:43 +0100 Subject: [PATCH 7/9] revert changes --- docs/modules/hbase/pages/troubleshooting/index.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/modules/hbase/pages/troubleshooting/index.adoc b/docs/modules/hbase/pages/troubleshooting/index.adoc index 91aeda8f..080ce7db 100644 --- a/docs/modules/hbase/pages/troubleshooting/index.adoc +++ b/docs/modules/hbase/pages/troubleshooting/index.adoc @@ -6,7 +6,7 @@ Currently, xref:zookeeper:index.adoc[Zookeeper] stacklets can only be secured us This means, if an application tries to connect to HBase, it would contact Zookeeper to figure the correct HBase nodes to talk to. In a Java world, you would define a `Client` which would carry the Kerberos requirements. -However, those requirements might be passed through and thus your client (e.g. xref:spark-k8s:usage-guide:operations/applications.adoc[SparkApplications]) would try to authenticate with Kerberos at the corresponding Zookeeper endpoint. +However, those requirements might be passed through and thus your client (e.g. xref:spark-k8s:usage-guide:operations:applications.adoc[SparkApplications]) would try to authenticate with Kerberos at the corresponding Zookeeper endpoint. This will result in a Kerberos ( authentication ) error. To prevent this, you can set a xref:concepts:overrides.adoc#jvm-argument-overrides[JVM argument] like this (again e.g. SparkApplications) in all Pods which would like to talk to HBase: From 003adc2a9b064e63f06a8b5690cf78dd2d18faf7 Mon Sep 17 00:00:00 2001 From: Maxi Wittich Date: Mon, 1 Dec 2025 16:55:11 +0100 Subject: [PATCH 8/9] another change to the xref link --- docs/modules/hbase/pages/troubleshooting/index.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/modules/hbase/pages/troubleshooting/index.adoc b/docs/modules/hbase/pages/troubleshooting/index.adoc index 080ce7db..73f9fb4d 100644 --- a/docs/modules/hbase/pages/troubleshooting/index.adoc +++ b/docs/modules/hbase/pages/troubleshooting/index.adoc @@ -6,7 +6,7 @@ Currently, xref:zookeeper:index.adoc[Zookeeper] stacklets can only be secured us This means, if an application tries to connect to HBase, it would contact Zookeeper to figure the correct HBase nodes to talk to. In a Java world, you would define a `Client` which would carry the Kerberos requirements. -However, those requirements might be passed through and thus your client (e.g. xref:spark-k8s:usage-guide:operations:applications.adoc[SparkApplications]) would try to authenticate with Kerberos at the corresponding Zookeeper endpoint. +However, those requirements might be passed through and thus your client (e.g. xref:spark-k8s:usage-guide/operations/applications.adoc[SparkApplications]) would try to authenticate with Kerberos at the corresponding Zookeeper endpoint. This will result in a Kerberos ( authentication ) error. To prevent this, you can set a xref:concepts:overrides.adoc#jvm-argument-overrides[JVM argument] like this (again e.g. SparkApplications) in all Pods which would like to talk to HBase: From ba7afcd1944b2b94230a9fffabcba12032201eb9 Mon Sep 17 00:00:00 2001 From: Maxi Wittich Date: Mon, 1 Dec 2025 17:02:58 +0100 Subject: [PATCH 9/9] Move troubleshooting to be consistent with other operators --- .../hbase/pages/troubleshooting/index.adoc | 21 +++++++++++++++++++ .../pages/usage-guide/troubleshooting.adoc | 20 ------------------ docs/modules/hbase/partials/nav.adoc | 1 - 3 files changed, 21 insertions(+), 21 deletions(-) delete mode 100644 docs/modules/hbase/pages/usage-guide/troubleshooting.adoc diff --git a/docs/modules/hbase/pages/troubleshooting/index.adoc b/docs/modules/hbase/pages/troubleshooting/index.adoc index 73f9fb4d..7d79ad88 100644 --- a/docs/modules/hbase/pages/troubleshooting/index.adoc +++ b/docs/modules/hbase/pages/troubleshooting/index.adoc @@ -17,3 +17,24 @@ jvmArgumentOverrides: add: - "-Dzookeeper.sasl.client=false" ---- + + +== Additional stack-traces + +To add more useful information to stack-traces caused by RPC issues, the xref:concepts:overrides.adoc#config-overrides[Config overrides documentation] can be used to replace the default Netty implementation: + +[source,yaml] +---- +masters: + roleGroups: + default: + configOverrides: + hbase-site.xml: + hbase.rpc.client.impl: "org.apache.hadoop.hbase.ipc.BlockingRpcClient" +regionServers: + roleGroups: + default: + configOverrides: + hbase-site.xml: + hbase.rpc.client.impl: "org.apache.hadoop.hbase.ipc.BlockingRpcClient" +---- diff --git a/docs/modules/hbase/pages/usage-guide/troubleshooting.adoc b/docs/modules/hbase/pages/usage-guide/troubleshooting.adoc deleted file mode 100644 index 50d9a51d..00000000 --- a/docs/modules/hbase/pages/usage-guide/troubleshooting.adoc +++ /dev/null @@ -1,20 +0,0 @@ -= Trouble-shooting -:description: Tips and guidelines to help trouble-shoot problems with running HBase. - -To add more useful information to stack-traces caused by RPC issues, the xref:concepts:overrides.adoc#config-overrides[Config overrides documentation] can be used to replace the default Netty implementation: - -[source,yaml] ----- -masters: - roleGroups: - default: - configOverrides: - hbase-site.xml: - hbase.rpc.client.impl: "org.apache.hadoop.hbase.ipc.BlockingRpcClient" -regionServers: - roleGroups: - default: - configOverrides: - hbase-site.xml: - hbase.rpc.client.impl: "org.apache.hadoop.hbase.ipc.BlockingRpcClient" ----- diff --git a/docs/modules/hbase/partials/nav.adoc b/docs/modules/hbase/partials/nav.adoc index 262bc3b1..16f28877 100644 --- a/docs/modules/hbase/partials/nav.adoc +++ b/docs/modules/hbase/partials/nav.adoc @@ -13,7 +13,6 @@ ** xref:hbase:usage-guide/hbck2.adoc[] ** xref:hbase:usage-guide/snapshot-export.adoc[] ** xref:hbase:usage-guide/adls.adoc[] -** xref:hbase:usage-guide/troubleshooting.adoc[] ** xref:hbase:usage-guide/operations/index.adoc[] *** xref:hbase:usage-guide/operations/cluster-operations.adoc[] *** xref:hbase:usage-guide/operations/pod-placement.adoc[]