Dian Fu created HADOOP-11332:
--------------------------------
Summary: KerberosAuthenticator#doSpnegoSequence should check if
kerberos TGT is available in the subject
Key: HADOOP-11332
URL: https://issues.apache.org/jira/browse/HADOOP-11332
Project: Hadoop Common
Issue Type: Bug
Components: security
Reporter: Dian Fu
Assignee: Dian Fu
In {{KerberosAuthenticator#doSpnegoSequence}}, it first checks if the subject is
{{null}} before actually doing SPNEGO; if the subject is {{null}}, it will
first perform Kerberos login before doing SPNEGO. We should also check if a
Kerberos TGT exists in the subject; if not, we should also perform Kerberos
login. This situation will occur when we configure KMS as Kerberos enabled (by
configuring {{hadoop.kms.authentication.type}} as {{kerberos}}) and other Hadoop
services as not Kerberos enabled (by configuring {{hadoop.security.authentication}}
as {{simple}}). In this case, when a client connects to KMS, KMS will trigger
Kerberos authentication, and as {{hadoop.security.authentication}} is configured
as {{simple}} in the Hadoop cluster, the client side hasn't logged in with the
Kerberos method yet, but it may have already logged in using the simple method,
which will make {{subject}} not null.
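A sketch of the check the description asks for, as an added example that is not Hadoop's code or the patch for this issue: it shows why a non-null {{Subject}} is not enough, and additionally rejects an expired TGT, which goes slightly beyond the issue text. The names {{TgtCheck}}, {{hasUsableTgt}}, {{fakeTicket}} and the realm {{EXAMPLE.COM}} are assumptions, and the tickets are constructed with dummy bytes.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import java.util.Date;

public class TgtCheck {
    /** True only if the subject holds an unexpired ticket for krbtgt/REALM@REALM. */
    static boolean hasUsableTgt(Subject subject) {
        if (subject == null) {
            return false;
        }
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            KerberosPrincipal server = t.getServer(); // null once a ticket is destroyed
            if (server != null
                    && server.getName().equals(
                            "krbtgt/" + server.getRealm() + "@" + server.getRealm())
                    && t.isCurrent()) {
                return true;
            }
        }
        return false;
    }

    /** Constructed ticket for the demo; encoding and session key are dummy bytes. */
    static KerberosTicket fakeTicket(String server, long endOffsetMs) {
        long now = System.currentTimeMillis();
        Date start = new Date(now - 3_600_000L);
        return new KerberosTicket(new byte[] {0},
                new KerberosPrincipal("alice@EXAMPLE.COM"),
                new KerberosPrincipal(server), new byte[16], 17, null,
                start, start, new Date(now + endOffsetMs), null, null);
    }

    public static void main(String[] args) {
        Subject simple = new Subject(); // "simple" login: non-null, no Kerberos credentials
        Subject svcOnly = new Subject();
        svcOnly.getPrivateCredentials().add(fakeTicket("HTTP/kms.example.com@EXAMPLE.COM", 600_000L));
        Subject expired = new Subject();
        expired.getPrivateCredentials().add(fakeTicket("krbtgt/EXAMPLE.COM@EXAMPLE.COM", -60_000L));
        Subject valid = new Subject();
        valid.getPrivateCredentials().add(fakeTicket("krbtgt/EXAMPLE.COM@EXAMPLE.COM", 600_000L));

        System.out.println("null subject:        " + hasUsableTgt(null));
        System.out.println("simple-auth subject: " + hasUsableTgt(simple));
        System.out.println("service ticket only: " + hasUsableTgt(svcOnly));
        System.out.println("expired TGT:         " + hasUsableTgt(expired));
        System.out.println("valid TGT:           " + hasUsableTgt(valid));
    }
}
```

Only the last case should report a usable TGT; in every other case a caller would perform the Kerberos login before starting SPNEGO.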