[ https://issues.apache.org/jira/browse/HADOOP-11332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14233865#comment-14233865 ]

Hudson commented on HADOOP-11332:
---------------------------------

SUCCESS: Integrated in Hadoop-trunk-Commit #6647 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/6647/])
HADOOP-11332. KerberosAuthenticator#doSpnegoSequence should check if kerberos 
TGT is available in the subject. Contributed by Dian Fu. (atm: rev 
9d1a8f5897d585bec96de32116fbd2118f8e0f95)
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* hadoop-common-project/hadoop-common/CHANGES.txt


> KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is 
> available in the subject 
> ------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11332
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11332
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Dian Fu
>            Assignee: Dian Fu
>             Fix For: 2.7.0
>
>         Attachments: HADOOP-11332.patch
>
>
> In {{KerberosAuthenticator#doSpnegoSequence}}, it first checks if the subject 
> is {{null}} before actually doing spnego; if the subject is {{null}}, it will 
> first perform kerberos login before doing spnego. We should also check if 
> kerberos TGT exists in the subject; if not, we should also perform kerberos 
> login. This situation will occur when we configure KMS as kerberos enabled 
> (via configuring {{hadoop.kms.authentication.type}} as {{kerberos}}) and other 
> hadoop services as not kerberos enabled (via configuring 
> {{hadoop.security.authentication}} as {{simple}}). In this case, when a client 
> connects to KMS, KMS will trigger kerberos authentication, and as 
> {{hadoop.security.authentication}} is configured as {{simple}} in the hadoop 
> cluster, the client side hasn't logged in with the kerberos method currently, but 
> maybe it has already logged in using the simple method, which will make {{subject}} 
> not null.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
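
Added example, not part of the JIRA message and not the HADOOP-11332 patch: a sketch of the condition the issue description asks for, where a non-null subject without a usable TGT is treated the same as a null subject. The helper name needsKerberosLogin, the class name and the EXAMPLE.COM principals are assumptions made for illustration; the ticket is constructed with dummy bytes.

```java
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TgtCheckExample {

  // Hypothetical helper (not Hadoop code): true when a Kerberos login is
  // still required before attempting SPNEGO with this subject.
  static boolean needsKerberosLogin(Subject subject) {
    if (subject == null) {
      return true; // the case the description says was already handled
    }
    for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
      KerberosPrincipal server = t.getServer();
      // A local-realm TGT is a ticket for the service krbtgt/REALM@REALM.
      boolean isTgt = server != null
          && server.getName().equals(
              "krbtgt/" + server.getRealm() + "@" + server.getRealm());
      if (isTgt && t.isCurrent()) {
        return false; // usable TGT present, SPNEGO can proceed
      }
    }
    return true; // non-null subject (e.g. simple login) but no usable TGT
  }

  public static void main(String[] args) {
    // Constructed input: a subject left over from a "simple" login has no tickets.
    Subject simple = new Subject();

    // Constructed input: dummy ticket bytes and session key, valid for one hour.
    KerberosPrincipal client = new KerberosPrincipal("alice@EXAMPLE.COM");
    KerberosPrincipal tgs = new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM");
    Date now = new Date();
    Date end = new Date(now.getTime() + 3_600_000L);
    KerberosTicket tgt = new KerberosTicket(new byte[] {0}, client, tgs,
        new byte[16], 17, null, now, now, end, null, null);
    Subject kerberized = new Subject();
    kerberized.getPrivateCredentials().add(tgt);

    System.out.println("null subject:   " + needsKerberosLogin(null));
    System.out.println("simple subject: " + needsKerberosLogin(simple));
    System.out.println("with TGT:       " + needsKerberosLogin(kerberized));
  }
}
```

The second case is the one the issue describes: the subject exists, so a null check alone skips the Kerberos login even though no TGT is available for the SPNEGO exchange with KMS.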
