[
https://issues.apache.org/jira/browse/HADOOP-11332?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Wang reassigned HADOOP-11332:
------------------------------------
Assignee: Dian Fu
> KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is
> available in the subject
> ------------------------------------------------------------------------------------------------
>
> Key: HADOOP-11332
> URL: https://issues.apache.org/jira/browse/HADOOP-11332
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Reporter: Dian Fu
> Assignee: Dian Fu
> Attachments: HADOOP-11332.patch
>
>
> In {{KerberosAuthenticator#doSpnegoSequence}}, it first check if the subject
> is {{null}} before actually doing spnego, if the subject is {{null}}, it will
> first perform kerberos login before doing spnego. We should also check if
> kerberos TGT exists in the subject, if not, we should also perform kerberos
> login. This situation will occur when we configure KMS as kerberos enabled
> (via configure {{hadoop.kms.authentication.type}} as {{kerberos}}) and other
> hadoop services not kerberos enabled(via configure
> {{hadoop.security.authentication}} as {{simple}}). In this case, when client
> connect to KMS, KMS will trigger kerberos authentication and as
> {{hadoop.security.authentication}} is configured as {{simple}} in hadoop
> cluster, the client side haven't login with kerberos method currently, but
> maybe it has already login using simple method which will make {{subject}}
> not null.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
