HBASE-26212 Expose configuration to enable/disable AuthUtil

In some situations, a caller may know that it is properly managing the
Kerberos ticket to talk to HBase. In these situations, it's possible
that AuthUtil still tries to do renewals, but just fails repeatedly to
do so. Give a configuration flag for such clients to be able to tell
AuthUtil to simply stop trying.

Signed-off-by: Duo Zhang <zhangduo@apache.org>

Closes #3609
This commit is contained in:
Josh Elser 2021-08-21 15:57:06 -04:00
parent 6bb5701783
commit 6b5bd75e46
2 changed files with 20 additions and 4 deletions

View File

@ -180,7 +180,7 @@ class AsyncConnectionImpl implements AsyncConnection {
private void spawnRenewalChore(final UserGroupInformation user) { private void spawnRenewalChore(final UserGroupInformation user) {
ChoreService service = getChoreService(); ChoreService service = getChoreService();
service.scheduleChore(AuthUtil.getAuthRenewalChore(user)); service.scheduleChore(AuthUtil.getAuthRenewalChore(user, conf));
} }
/** /**

View File

@ -90,6 +90,10 @@ public final class AuthUtil {
/** Client principal */ /** Client principal */
public static final String HBASE_CLIENT_KERBEROS_PRINCIPAL = "hbase.client.keytab.principal"; public static final String HBASE_CLIENT_KERBEROS_PRINCIPAL = "hbase.client.keytab.principal";
/** Configuration to automatically try to renew keytab-based logins */
public static final String HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_KEY = "hbase.client.keytab.automatic.renewal";
public static final boolean HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_DEFAULT = true;
private AuthUtil() { private AuthUtil() {
super(); super();
} }
@ -189,8 +193,8 @@ public final class AuthUtil {
* @return a ScheduledChore for renewals. * @return a ScheduledChore for renewals.
*/ */
@InterfaceAudience.Private @InterfaceAudience.Private
public static ScheduledChore getAuthRenewalChore(final UserGroupInformation user) { public static ScheduledChore getAuthRenewalChore(final UserGroupInformation user, Configuration conf) {
if (!user.hasKerberosCredentials()) { if (!user.hasKerberosCredentials() || !isAuthRenewalChoreEnabled(conf)) {
return null; return null;
} }
@ -221,8 +225,11 @@ public final class AuthUtil {
*/ */
@Deprecated @Deprecated
public static ScheduledChore getAuthChore(Configuration conf) throws IOException { public static ScheduledChore getAuthChore(Configuration conf) throws IOException {
if (!isAuthRenewalChoreEnabled(conf)) {
return null;
}
User user = loginClientAsService(conf); User user = loginClientAsService(conf);
return getAuthRenewalChore(user.getUGI()); return getAuthRenewalChore(user.getUGI(), conf);
} }
private static Stoppable createDummyStoppable() { private static Stoppable createDummyStoppable() {
@ -271,4 +278,13 @@ public final class AuthUtil {
public static String toGroupEntry(String name) { public static String toGroupEntry(String name) {
return GROUP_PREFIX + name; return GROUP_PREFIX + name;
} }
/**
* Returns true if the chore to automatically renew Kerberos tickets (from
* keytabs) should be started. The default is true.
*/
static boolean isAuthRenewalChoreEnabled(Configuration conf) {
return conf.getBoolean(HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_KEY,
HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_DEFAULT);
}
} }