[ https://issues.apache.org/jira/browse/HADOOP-11332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14224399#comment-14224399 ]
Dian Fu commented on HADOOP-11332:
----------------------------------
This patch currently only considers the clients which use principals in the
Kerberos cache; it has not considered the clients which use principals in a keytab,
such as NameNode (NameNode connects to KMS as a client). Will post a patch once I
have an idea of how to do this.
> KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is
> available in the subject
> ------------------------------------------------------------------------------------------------
>
> Key: HADOOP-11332
> URL: https://issues.apache.org/jira/browse/HADOOP-11332
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Dian Fu
> Assignee: Dian Fu
> Attachments: HADOOP-11332.patch
>
>
> In {{KerberosAuthenticator#doSpnegoSequence}}, it first checks whether the subject
> is {{null}} before actually doing SPNEGO; if the subject is {{null}}, it
> first performs a Kerberos login before doing SPNEGO. We should also check whether a
> Kerberos TGT exists in the subject, and if not, we should also perform a Kerberos
> login. This situation will occur when we configure KMS as Kerberos enabled
> (by configuring {{hadoop.kms.authentication.type}} as {{kerberos}}) and other
> Hadoop services as not Kerberos enabled (by configuring
> {{hadoop.security.authentication}} as {{simple}}). In this case, when the client
> connects to KMS, KMS will trigger Kerberos authentication, and as
> {{hadoop.security.authentication}} is configured as {{simple}} in the Hadoop
> cluster, the client side has not logged in with the Kerberos method, but
> may already have logged in using the simple method, which makes {{subject}}
> not null.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
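The check the issue asks for, as an added illustration that is not part of Hadoop's code or of this issue's patch: a non-null Subject is not enough, the Subject must also hold an unexpired TGT, so the caller decides whether to run the Kerberos login before starting SPNEGO. The class and method names, and the constructed dummy ticket in the demo, are assumptions for this example.

```java
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import java.util.Date;

public final class TgtCheck {
    // True only if the Subject carries a KerberosTicket whose server principal is
    // krbtgt/REALM@REALM and whose end time is still in the future. A Subject
    // produced by a "simple" login is non-null but has no such ticket.
    public static boolean hasValidTgt(Subject subject) {
        if (subject == null) {
            return false;
        }
        Date now = new Date();
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            KerberosPrincipal server = ticket.getServer();
            if (server == null) {
                continue;
            }
            // TGT service principal is krbtgt/<realm>@<realm>
            boolean isTgt = server.getName().startsWith("krbtgt/" + server.getRealm() + "@");
            boolean unexpired = ticket.getEndTime() != null && ticket.getEndTime().after(now);
            if (isTgt && unexpired) {
                return true;
            }
        }
        return false;
    }

    // The decision doSpnegoSequence should make: login if the subject is null OR
    // it holds no usable TGT, instead of only when it is null.
    public static boolean needsKerberosLogin(Subject subject) {
        return !hasValidTgt(subject);
    }

    public static void main(String[] args) {
        // Constructed demo: a non-null Subject with no credentials (like a simple login).
        Subject simpleLogin = new Subject();
        System.out.println("simple login needs kinit: " + needsKerberosLogin(simpleLogin)); // true

        // Constructed demo: a Subject holding a dummy TGT that expires in one hour.
        KerberosPrincipal client = new KerberosPrincipal("user@EXAMPLE.COM");
        KerberosPrincipal krbtgt = new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM");
        Date now = new Date();
        KerberosTicket tgt = new KerberosTicket(new byte[0], client, krbtgt, new byte[16], 17,
                null, now, now, new Date(now.getTime() + 3600_000L), null, null);
        Subject kerberosLogin = new Subject();
        kerberosLogin.getPrivateCredentials().add(tgt);
        System.out.println("kerberos login needs kinit: " + needsKerberosLogin(kerberosLogin)); // false
    }
}
```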