From 1a6d9fcf17598677dc5d4e7ed21d0912eafac564 Mon Sep 17 00:00:00 2001
From: Josh Elser
Date: Sat, 21 Aug 2021 15:59:33 -0400
Subject: [PATCH] HBASE-26212 Expose configuration to enable/disable AuthUtil

In some situations, a caller may know that it is properly managing the Kerberos ticket to talk to HBase. In these situations, it's possible that AuthUtil still tries to do renewals, but just fails repeatedly to do so. Give a configuration flag for such clients to be able to tell AuthUtil to simply stop trying.

Signed-off-by: Duo Zhang
---
 .../hbase/client/AsyncConnectionImpl.java | 2 +-
 .../client/ConnectionImplementation.java | 2 +-
 .../org/apache/hadoop/hbase/AuthUtil.java | 22 ++++++++++++++++---
 3 files changed, 21 insertions(+), 5 deletions(-)

diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/client/AsyncConnectionImpl.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/client/AsyncConnectionImpl.java
index 26533618652f..2ed73992d7f1 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/client/AsyncConnectionImpl.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/client/AsyncConnectionImpl.java
@@ -171,7 +171,7 @@ public void newDead(ServerName sn) {
 private void spawnRenewalChore(final UserGroupInformation user) {
 ChoreService service = getChoreService();
- service.scheduleChore(AuthUtil.getAuthRenewalChore(user));
+ service.scheduleChore(AuthUtil.getAuthRenewalChore(user, conf));
 }
 /**
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/client/ConnectionImplementation.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/client/ConnectionImplementation.java
index 936f7f583279..33f92ed9bc71 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/client/ConnectionImplementation.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/client/ConnectionImplementation.java
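Review bot: In `AsyncConnectionImpl.spawnRenewalChore` the result of `AuthUtil.getAuthRenewalChore(user, conf)` is handed straight to `service.scheduleChore(...)`, and with this commit that result is null whenever `hbase.client.keytab.automatic.renewal` is false, not only when the user has no Kerberos credentials. Whether `scheduleChore` accepts a null chore is not visible in this patch. The call site should either guard the call, `ScheduledChore chore = AuthUtil.getAuthRenewalChore(user, conf);` followed by `if (chore != null) { service.scheduleChore(chore); }`, or carry a one-line comment saying that a null chore is expected when renewal is disabled. The same applies to the identical call in `ConnectionImplementation.spawnRenewalChore`.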
@@ -374,7 +374,7 @@ replicaSelectorClass, META_TABLE_NAME, getChoreService(), () -> {
 private void spawnRenewalChore(final UserGroupInformation user) {
 ChoreService service = getChoreService();
- service.scheduleChore(AuthUtil.getAuthRenewalChore(user));
+ service.scheduleChore(AuthUtil.getAuthRenewalChore(user, conf));
 }
 /**
diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/AuthUtil.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/AuthUtil.java
index d8d4f788ab10..95dfdd206ec8 100644
--- a/hbase-common/src/main/java/org/apache/hadoop/hbase/AuthUtil.java
+++ b/hbase-common/src/main/java/org/apache/hadoop/hbase/AuthUtil.java
@@ -90,6 +90,10 @@ public final class AuthUtil {
 /** Client principal */
 public static final String HBASE_CLIENT_KERBEROS_PRINCIPAL = "hbase.client.keytab.principal";
+ /** Configuration to automatically try to renew keytab-based logins */
+ public static final String HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_KEY = "hbase.client.keytab.automatic.renewal";
+ public static final boolean HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_DEFAULT = true;
+
 private AuthUtil() {
 super();
 }
@@ -189,8 +193,8 @@ private static User loginClientAsService(Configuration conf) throws IOException
 * @return a ScheduledChore for renewals.
 */
 @InterfaceAudience.Private
- public static ScheduledChore getAuthRenewalChore(final UserGroupInformation user) {
- if (!user.hasKerberosCredentials()) {
+ public static ScheduledChore getAuthRenewalChore(final UserGroupInformation user, Configuration conf) {
+ if (!user.hasKerberosCredentials() || !isAuthRenewalChoreEnabled(conf)) {
 return null;
 }
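Review bot: The Javadoc on `HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_KEY` in AuthUtil does not say what a client takes on by setting the key to false, and `HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_DEFAULT` has no Javadoc at all. Going by the commit message, the flag is meant for callers that manage their own Kerberos ticket, so the comment should state that with `false` no renewal chore is scheduled and the caller has to keep its credentials valid. Suggested wording for the key: `/** Whether the client schedules a chore to renew keytab-based logins; set to false only when the caller renews its own Kerberos credentials. */`, and for the default: `/** Automatic renewal stays on unless explicitly disabled. */`.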
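Review bot: `AuthUtil.getAuthRenewalChore` now returns null silently when renewal is switched off by configuration, while its Javadoc still reads `@return a ScheduledChore for renewals.` and has no `@param conf`. A client that disables the chore and later lets its ticket lapse would presumably see only authentication failures, with nothing in the log pointing back to this setting. One debug- or info-level line on the disabled path, through the class's existing logger if it has one, would make that traceable. The tags could become `@param conf configuration consulted for hbase.client.keytab.automatic.renewal` and `@return a ScheduledChore for renewals, or null if the user has no Kerberos credentials or renewal is disabled`. The method body continues past the end of this hunk.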
@@ -221,8 +225,11 @@ protected void chore() {
 */
 @Deprecated
 public static ScheduledChore getAuthChore(Configuration conf) throws IOException {
+ if (!isAuthRenewalChoreEnabled(conf)) {
+ return null;
+ }
 User user = loginClientAsService(conf);
- return getAuthRenewalChore(user.getUGI());
+ return getAuthRenewalChore(user.getUGI(), conf);
 }
 private static Stoppable createDummyStoppable() {
@@ -271,4 +278,13 @@ public static String getGroupName(String aclKey) {
 public static String toGroupEntry(String name) {
 return GROUP_PREFIX + name;
 }
+
+ /**
+ * Returns true if the chore to automatically renew Kerberos tickets (from
+ * keytabs) should be started. The default is true.
+ */
+ static boolean isAuthRenewalChoreEnabled(Configuration conf) {
+ return conf.getBoolean(HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_KEY,
+ HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_DEFAULT);
+ }
 }
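Review bot: In `AuthUtil.getAuthChore` the new early return sits before `loginClientAsService(conf)`, so switching renewal off skips that call as well as the chore. If `loginClientAsService` performs the keytab login, as its name suggests, a caller of this deprecated method gets neither a login nor a chore when the flag is false. That fits the caller-managed-ticket case in the commit message, but nothing in the code says so. Because `getAuthRenewalChore(user.getUGI(), conf)` repeats the same check, a comment on the guard would show the duplication is deliberate: `// Renewal disabled: the caller manages its own credentials, so skip the keytab login as well.` The Javadoc of `getAuthChore` starts above this hunk and should mention the null return.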