[ https://issues.apache.org/jira/browse/HADOOP-11332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14233869#comment-14233869 ]

Dian Fu commented on HADOOP-11332:
----------------------------------

Hi [~atm], thanks for the review and commit. This JIRA tries to solve the 
authentication issue in this kind of cluster setup: Hadoop services are 
configured as "simple" and other services such as KMS, ZooKeeper, etc. are 
configured as "kerberos". The patch in this JIRA currently solves the 
authentication issue between clients which use principals in the Kerberos 
cache and the KMS/ZooKeeper server, while it has not considered clients which 
use principals in a keytab, such as the NameNode (the NameNode connects to 
KMS/ZooKeeper as a client). I'm not sure if this kind of cluster setup should 
be considered. If so, I will create another JIRA to track it.

> KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is 
> available in the subject 
> ------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11332
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11332
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Dian Fu
>            Assignee: Dian Fu
>             Fix For: 2.7.0
>
>         Attachments: HADOOP-11332.patch
>
>
> In {{KerberosAuthenticator#doSpnegoSequence}}, it first checks if the subject 
> is {{null}} before actually doing SPNEGO; if the subject is {{null}}, it will 
> first perform a Kerberos login before doing SPNEGO. We should also check if a 
> Kerberos TGT exists in the subject, and if not, we should also perform a 
> Kerberos login. This situation will occur when we configure KMS as Kerberos 
> enabled (via configuring {{hadoop.kms.authentication.type}} as {{kerberos}}) 
> and other Hadoop services not Kerberos enabled (via configuring 
> {{hadoop.security.authentication}} as {{simple}}). In this case, when the 
> client connects to KMS, KMS will trigger Kerberos authentication, and as 
> {{hadoop.security.authentication}} is configured as {{simple}} in the Hadoop 
> cluster, the client side hasn't logged in with the Kerberos method currently, 
> but maybe it has already logged in using the simple method, which will make 
> {{subject}} not null.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
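The check the issue asks for, written out as an added illustration that is not code from HADOOP-11332 or from Hadoop itself. It assumes plain JAAS types only: a TGT shows up in a {{Subject}}'s private credentials as a {{KerberosTicket}} whose server principal is {{krbtgt/REALM@REALM}}, and a "simple" login leaves the subject non-null but without any such ticket. The JAAS entry name {{"hadoop-kms-client"}} is a made-up placeholder for whatever login configuration the caller would really use.

```java
import java.security.Principal;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;

/** Illustrative TGT-presence check; not Hadoop's KerberosAuthenticator code. */
public class TgtCheck {

    /**
     * True only if the subject carries a current (unexpired) Kerberos TGT.
     * A null subject, an empty subject, or a subject that only holds a
     * "simple"-style user principal all return false.
     */
    static boolean hasValidTgt(Subject subject) {
        if (subject == null) {
            return false;
        }
        for (KerberosTicket ticket : subject.getPrivateCredentials(KerberosTicket.class)) {
            KerberosPrincipal server = ticket.getServer();
            if (server == null) {
                continue;
            }
            String realm = server.getRealm();
            // A TGT is a ticket for the ticket-granting service of its own realm.
            boolean isTgt = server.getName().equals("krbtgt/" + realm + "@" + realm);
            // isCurrent() is false once the ticket's end time has passed.
            if (isTgt && ticket.isCurrent()) {
                return true;
            }
        }
        return false;
    }

    /**
     * Returns a subject that holds a TGT, logging in via the named JAAS entry
     * when the supplied subject is null OR non-null but TGT-less. This is the
     * extra branch the issue describes: a non-null subject alone is not enough.
     */
    static Subject ensureKerberosLogin(Subject subject, String jaasEntry) throws LoginException {
        if (hasValidTgt(subject)) {
            return subject;
        }
        // Assumption: jaasEntry names a Krb5LoginModule entry in the JAAS config.
        LoginContext lc = new LoginContext(jaasEntry);
        lc.login();
        return lc.getSubject();
    }

    /** Stand-in for the principal a "simple" login puts in the subject. */
    static final class SimpleUser implements Principal {
        private final String name;
        SimpleUser(String name) { this.name = name; }
        @Override public String getName() { return name; }
    }

    public static void main(String[] args) {
        // Constructed input: a subject populated by a "simple" login only.
        Subject simpleLogin = new Subject();
        simpleLogin.getPrincipals().add(new SimpleUser("alice"));

        System.out.println("subject is null?      " + (simpleLogin == null));   // false
        System.out.println("subject has TGT?      " + hasValidTgt(simpleLogin)); // false

        // With only a null check, this subject would be handed straight to
        // SPNEGO and the KMS request would fail; the TGT check sends it to
        // ensureKerberosLogin() instead, which performs the Kerberos login.
        System.out.println("needs Kerberos login? " + !hasValidTgt(simpleLogin)); // true
    }
}
```

The check deliberately looks at the ticket's server principal rather than at the presence of a {{KerberosPrincipal}}, because a subject can carry a Kerberos principal name without holding any ticket for it, and a service ticket for KMS without a TGT would not let the client obtain further tickets.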