apache · joshelser · Aug 24, 2021 · Aug 21, 2021
diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/client/AsyncConnectionImpl.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/client/AsyncConnectionImpl.java
@@ -171,7 +171,7 @@ public void newDead(ServerName sn) {
 
   private void spawnRenewalChore(final UserGroupInformation user) {
     ChoreService service = getChoreService();
-    service.scheduleChore(AuthUtil.getAuthRenewalChore(user));
+    service.scheduleChore(AuthUtil.getAuthRenewalChore(user, conf));
   }
 
   /**

diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/client/ConnectionImplementation.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/client/ConnectionImplementation.java
@@ -374,7 +374,7 @@ replicaSelectorClass, META_TABLE_NAME, getChoreService(), () -> {
 
   private void spawnRenewalChore(final UserGroupInformation user) {
     ChoreService service = getChoreService();
-    service.scheduleChore(AuthUtil.getAuthRenewalChore(user));
+    service.scheduleChore(AuthUtil.getAuthRenewalChore(user, conf));
   }
 
   /**

diff --git a/hbase-common/src/main/java/org/apache/hadoop/hbase/AuthUtil.java b/hbase-common/src/main/java/org/apache/hadoop/hbase/AuthUtil.java
@@ -90,6 +90,10 @@ public final class AuthUtil {
   /** Client principal */
   public static final String HBASE_CLIENT_KERBEROS_PRINCIPAL = "hbase.client.keytab.principal";
 
+  /** Configuration to automatically try to renew keytab-based logins */
+  public static final String HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_KEY = "hbase.client.keytab.automatic.renewal";
+  public static final boolean HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_DEFAULT = true;
+
   private AuthUtil() {
     super();
   }
@@ -189,8 +193,8 @@ private static User loginClientAsService(Configuration conf) throws IOException
    * @return a ScheduledChore for renewals.
    */
   @InterfaceAudience.Private
-  public static ScheduledChore getAuthRenewalChore(final UserGroupInformation user) {
-    if (!user.hasKerberosCredentials()) {
+  public static ScheduledChore getAuthRenewalChore(final UserGroupInformation user, Configuration conf) {
+    if (!user.hasKerberosCredentials() || !isAuthRenewalChoreEnabled(conf)) {
       return null;
     }
 
@@ -221,8 +225,11 @@ protected void chore() {
    */
   @Deprecated
   public static ScheduledChore getAuthChore(Configuration conf) throws IOException {
+    if (!isAuthRenewalChoreEnabled(conf)) {
+      return null;
+    }
     User user = loginClientAsService(conf);
-    return getAuthRenewalChore(user.getUGI());
+    return getAuthRenewalChore(user.getUGI(), conf);
   }
 
   private static Stoppable createDummyStoppable() {
@@ -271,4 +278,13 @@ public static String getGroupName(String aclKey) {
   public static String toGroupEntry(String name) {
     return GROUP_PREFIX + name;
   }
+
+  /**
+   * Returns true if the chore to automatically renew Kerberos tickets (from
+   * keytabs) should be started. The default is true.
+   */
+  static boolean isAuthRenewalChoreEnabled(Configuration conf) {
+    return conf.getBoolean(HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_KEY,
+        HBASE_CLIENT_AUTOMATIC_KEYTAB_RENEWAL_DEFAULT);
+  }
 }