HBASE-29115 Fix website cannot load some resources because of CSP #6668

PDavid · 2025-02-07T13:17:22Z

Self-host Bootstrap CSS, highlight.js (CSS and JS) for the website instead of trying load it from CDN-s. Because of the new CSP, loading these from CDN-s is blocked.
Switch to local fontawesome (used for icons) in Reference Guide (book.html) instead of using CDN as per this guide: https://docs.asciidoctor.org/asciidoctor/latest/html-backend/local-font-awesome/.
- Set stylesdir so that book.html will include /css/font-awesome.css (where the file is) and not /font-awesome.css.
Replace MathJax CDN URI with local one in book.html

PDavid · 2025-02-07T13:52:25Z

I'm not sure if this is the most efficient way to download and extract the CSS and JS files with Maven, so any feedback is appreciated.

PDavid · 2025-02-07T13:53:54Z

Would be great to upgrade from Bootstrap 2.3.2 as it contains 6 CVE-s and it is end of life since 11 years...

PDavid · 2025-02-07T13:55:13Z

Tested this locally by building the website with mvn site and serving it with python3 -m http.server 8000:

PDavid · 2025-02-10T10:44:50Z

Still looking into the last problem: The Reference Guide HTML page tries to load the MathJax.js library from cdnjs.cloudflare.com (which is also blocked by CSP).

PDavid · 2025-02-10T12:14:20Z

Still looking into the last problem: The Reference Guide HTML page tries to load the MathJax.js library from cdnjs.cloudflare.com (which is also blocked by CSP).

Unfortunately it seems that right now there is no way to influence from where the Reference Guide Asciidoc includes the MathJax.js library.

https://docs.asciidoctor.org/asciidoctor/latest/stem/mathjax/
https://docs.asciidoctor.org/asciidoc/latest/attributes/document-attributes-ref/
GH Issue: Introduce attribute for controlling the location of the MathJax script: Introduce attribute for controlling the location of the MathJax script asciidoctor/asciidoctor#761 (last update on it was in 2020)

Apache9 · 2025-02-10T14:48:10Z

Is it possible to replace the location string in the generated HTML when committing the changes to our site repo?

PDavid · 2025-02-24T17:20:51Z

Tested this locally, now even the mathematical formulas are rendered:

Also I used the ModHeader Chrome extension to set the Content-Security-Policy header on the page.

PDavid · 2025-02-25T10:20:12Z

Hi @Apache9, @ndimiduk, @NihalJain,

Can you please have a look on this?

As far as I understand, the new Content Security Policy (CSP) will be turned on March 1st, 2025. While the website seemed to be functional, the reference guide (book.html) had some smaller issues (missing icons, not rendered mathematical formulas, etc).

The PR build failed but as I saw it was unrelated.

pom.xml

src/site/site.xml

pom.xml

ndimiduk

I have nothing to add here, @NihalJain has got you. Thanks for picking this up, @PDavid !

dev-support/jenkins-scripts/generate-hbase-website.sh

ndimiduk · 2025-02-26T14:31:06Z

pom.xml

+            <configuration>
+              <artifactItems>
+                <artifactItem>
+                  <groupId>org.webjars</groupId>


wow, Today I Learn

NihalJain · 2025-02-26T19:04:38Z

@PDavid Please let me know if I can go ahead and merge this now.

PDavid · 2025-02-27T09:22:45Z

@PDavid Please let me know if I can go ahead and merge this now.

Many thanks @NihalJain. 👍 I now added a comment and links to the MathJax workaround in the shell script. I'd wait until the PR build is done and then I think this is ready to be merged.

PDavid · 2025-02-27T10:27:20Z

BTW the PR site build is failing because of checkstyle is not able to parse ReplicaKey.java (because of instanceOf pattern match):

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-site-plugin:3.12.0:site (default-site) on project hbase: Error generating maven-checkstyle-plugin:3.1.0:checkstyle-aggregate report: Failed during checkstyle configuration: Exception was thrown while processing /home/jenkins/jenkins-home/workspace/Base-PreCommit-GitHub-PR_PR-6724/yetus-general-check/src/hbase-balancer/src/main/java/org/apache/hadoop/hbase/master/balancer/replicas/ReplicaKey.java: IllegalStateException occurred while parsing file /home/jenkins/jenkins-home/workspace/Base-PreCommit-GitHub-PR_PR-6724/yetus-general-check/src/hbase-balancer/src/main/java/org/apache/hadoop/hbase/master/balancer/replicas/ReplicaKey.java. /home/jenkins/jenkins-home/workspace/Base-PreCommit-GitHub-PR_PR-6724/yetus-general-check/src/hbase-balancer/src/main/java/org/apache/hadoop/hbase/master/balancer/replicas/ReplicaKey.java:43:35: expecting RPAREN, found 'other' -> [Help 1]

Probably checktyle needs to be updated. @petersomogyi is already mentioned that he is looking into this issue.

Apache9 · 2025-02-27T11:57:24Z

BTW the PR site build is failing because of checkstyle is not able to parse ReplicaKey.java (because of instanceOf pattern match):

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-site-plugin:3.12.0:site (default-site) on project hbase: Error generating maven-checkstyle-plugin:3.1.0:checkstyle-aggregate report: Failed during checkstyle configuration: Exception was thrown while processing /home/jenkins/jenkins-home/workspace/Base-PreCommit-GitHub-PR_PR-6724/yetus-general-check/src/hbase-balancer/src/main/java/org/apache/hadoop/hbase/master/balancer/replicas/ReplicaKey.java: IllegalStateException occurred while parsing file /home/jenkins/jenkins-home/workspace/Base-PreCommit-GitHub-PR_PR-6724/yetus-general-check/src/hbase-balancer/src/main/java/org/apache/hadoop/hbase/master/balancer/replicas/ReplicaKey.java. /home/jenkins/jenkins-home/workspace/Base-PreCommit-GitHub-PR_PR-6724/yetus-general-check/src/hbase-balancer/src/main/java/org/apache/hadoop/hbase/master/balancer/replicas/ReplicaKey.java:43:35: expecting RPAREN, found 'other' -> [Help 1]

Probably checktyle needs to be updated. @petersomogyi is already mentioned that he is looking into this issue.

Please file an issue to use java 8 style instanceof to fix the problem, to align the code between branch-3+ and branch-2.x? @rmdmattingly ?

PDavid · 2025-02-27T12:12:54Z

BTW the PR site build is failing because of checkstyle is not able to parse ReplicaKey.java (because of instanceOf pattern match):

[ERROR] Failed to execute goal org.apache.maven.plugins:maven-site-plugin:3.12.0:site (default-site) on project hbase: Error generating maven-checkstyle-plugin:3.1.0:checkstyle-aggregate report: Failed during checkstyle configuration: Exception was thrown while processing /home/jenkins/jenkins-home/workspace/Base-PreCommit-GitHub-PR_PR-6724/yetus-general-check/src/hbase-balancer/src/main/java/org/apache/hadoop/hbase/master/balancer/replicas/ReplicaKey.java: IllegalStateException occurred while parsing file /home/jenkins/jenkins-home/workspace/Base-PreCommit-GitHub-PR_PR-6724/yetus-general-check/src/hbase-balancer/src/main/java/org/apache/hadoop/hbase/master/balancer/replicas/ReplicaKey.java. /home/jenkins/jenkins-home/workspace/Base-PreCommit-GitHub-PR_PR-6724/yetus-general-check/src/hbase-balancer/src/main/java/org/apache/hadoop/hbase/master/balancer/replicas/ReplicaKey.java:43:35: expecting RPAREN, found 'other' -> [Help 1]

Probably checktyle needs to be updated. @petersomogyi is already mentioned that he is looking into this issue.

Please file an issue to use java 8 style instanceof to fix the problem, to align the code between branch-3+ and branch-2.x? @rmdmattingly ?

@Apache9 proposed a fix here (upgrade checkstyle): #6727

…f CSP Self-host Boostrap CSS, highlight.js (CSS and JS) instead of trying load it from CDN-s. Because of the new CSP, loading these from CDN-s is blocked.

…` to new property

…hbase-website.sh

PDavid · 2025-02-28T09:08:07Z

The website build is now fixed on master, so rebased this PR on master to have a better PR build.

Apache-HBase · 2025-02-28T10:26:37Z

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 30s		Docker mode activated.
			_ Prechecks _
+1 💚	dupname	0m 0s		No case conflicting files found.
+0 🆗	codespell	0m 0s		codespell was not available.
+0 🆗	detsecrets	0m 0s		detect-secrets was not available.
+0 🆗	shelldocs	0m 1s		Shelldocs was not available.
+1 💚	@author	0m 0s		The patch does not contain any @author tags.
			_ master Compile Tests _
+1 💚	mvninstall	3m 22s		master passed
+1 💚	compile	8m 18s		master passed
+1 💚	mvnsite	6m 55s		master passed
+1 💚	spotless	0m 49s		branch has no errors when running spotless:check.
			_ Patch Compile Tests _
+1 💚	mvninstall	3m 49s		the patch passed
+1 💚	compile	9m 47s		the patch passed
+1 💚	javac	9m 47s		the patch passed
+1 💚	blanks	0m 0s		The patch has no blanks issues.
+1 💚	mvnsite	8m 6s		the patch passed
+1 💚	shellcheck	0m 2s		No new issues.
+1 💚	xmllint	0m 0s		No new issues.
+1 💚	hadoopcheck	14m 13s		Patch does not cause any errors with Hadoop 3.3.6 3.4.0.
+1 💚	spotless	0m 51s		patch has no errors when running spotless:check.
			_ Other Tests _
+1 💚	asflicense	0m 14s		The patch does not generate ASF License warnings.
		65m 14s

Subsystem	Report/Notes
Docker	ClientAPI=1.43 ServerAPI=1.43 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6668/7/artifact/yetus-general-check/output/Dockerfile
GITHUB PR	#6668
Optional Tests	dupname asflicense codespell detsecrets shellcheck shelldocs spotless javac xmllint hadoopcheck compile mvnsite
uname	Linux be8248429fbf 5.4.0-1103-aws #111~18.04.1-Ubuntu SMP Tue May 23 20:04:10 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / `6d93675`
Default Java	Eclipse Adoptium-17.0.11+9
Max. process+thread count	188 (vs. ulimit of 30000)
modules	C: . U: .
Console output	https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6668/7/console
versions	git=2.34.1 maven=3.9.8 shellcheck=0.8.0 xmllint=20913
Powered by	Apache Yetus 0.15.0 https://yetus.apache.org

This message was automatically generated.

Apache-HBase · 2025-02-28T14:46:36Z

🎊 +1 overall

Vote	Subsystem	Runtime	Logfile	Comment
+0 🆗	reexec	0m 27s		Docker mode activated.
-0 ⚠️	yetus	0m 2s		Unprocessed flag(s): --brief-report-file --spotbugs-strict-precheck --author-ignore-list --blanks-eol-ignore-file --blanks-tabs-ignore-file --quick-hadoopcheck
			_ Prechecks _
			_ master Compile Tests _
+1 💚	mvninstall	3m 44s		master passed
+1 💚	compile	2m 8s		master passed
+1 💚	javadoc	1m 54s		master passed
+1 💚	shadedjars	5m 58s		branch has no errors when building our shaded downstream artifacts.
			_ Patch Compile Tests _
+1 💚	mvninstall	2m 59s		the patch passed
+1 💚	compile	2m 7s		the patch passed
+1 💚	javac	2m 7s		the patch passed
+1 💚	javadoc	1m 53s		the patch passed
+1 💚	shadedjars	5m 47s		patch has no errors when building our shaded downstream artifacts.
			_ Other Tests _
+1 💚	unit	290m 36s		root in the patch passed.
		325m 15s

Subsystem	Report/Notes
Docker	ClientAPI=1.43 ServerAPI=1.43 base: https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6668/7/artifact/yetus-jdk17-hadoop3-check/output/Dockerfile
GITHUB PR	#6668
Optional Tests	javac javadoc unit shadedjars compile
uname	Linux 99ab6ac46df9 5.4.0-1103-aws #111~18.04.1-Ubuntu SMP Tue May 23 20:04:10 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
Build tool	maven
Personality	dev-support/hbase-personality.sh
git revision	master / `6d93675`
Default Java	Eclipse Adoptium-17.0.11+9
Test Results	https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6668/7/testReport/
Max. process+thread count	8208 (vs. ulimit of 30000)
modules	C: . U: .
Console output	https://ci-hbase.apache.org/job/HBase-PreCommit-GitHub-PR/job/PR-6668/7/console
versions	git=2.34.1 maven=3.9.8
Powered by	Apache Yetus 0.15.0 https://yetus.apache.org

This message was automatically generated.

PDavid · 2025-02-28T16:37:46Z

@NihalJain The PR build looks good to me, I think this PR is now ready to be merged.

NihalJain · 2025-02-28T19:19:17Z

Merged this to master. Thanks @PDavid .

I am away from my laptop. Could you raise backports for all affected branches.? Although I am not sure if these changes are needed by other branches at all.

PDavid · 2025-03-03T09:23:22Z

Merged this to master. Thanks @PDavid .

Thank you very much @NihalJain! 🎉

I am away from my laptop. Could you raise backports for all affected branches.? Although I am not sure if these changes are needed by other branches at all.

In this PR we changed how we include static resources in the website and in the Reference Guide (book.html).
Do we generate the website or the Reference Guide (book.html) in other branches? I think we only build the website on master branch and there was a community decision to also only build the reference guide on master. 🤔

Maybe I can raise the backports, so that we could regenerate the old reference guides (if possible) and the code in pom.xml and site.xml does not get too different between branches.

What do you think?

ndimiduk · 2025-03-03T09:48:39Z

I believe that we only generate the site and book content from master, so there shouldn't be anything to backport.

This comment has been minimized.

Sign in to view

stoty requested review from Apache9, NihalJain and ndimiduk February 10, 2025 09:17

PDavid force-pushed the HBASE-29115-website-csp-blocks-resources branch from 3b3a7fa to 8b4549c Compare February 10, 2025 10:20

This comment has been minimized.

Sign in to view

PDavid force-pushed the HBASE-29115-website-csp-blocks-resources branch from 8b4549c to 512dba7 Compare February 24, 2025 17:17

PDavid force-pushed the HBASE-29115-website-csp-blocks-resources branch from 512dba7 to 52fba14 Compare February 24, 2025 17:24

This comment has been minimized.

Sign in to view

PDavid marked this pull request as ready for review February 25, 2025 07:19