[ https://issues.apache.org/jira/browse/HADOOP-11332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14235472#comment-14235472 ]
Dian Fu commented on HADOOP-11332:
----------------------------------
Hi [~atm], thanks for the review and commit. I agree that this cluster
setup is currently not so reasonable, and we can reconsider this if there are
requirements for it in the future.
> KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is
> available in the subject
> ------------------------------------------------------------------------------------------------
>
> Key: HADOOP-11332
> URL: https://issues.apache.org/jira/browse/HADOOP-11332
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.6.0
> Reporter: Dian Fu
> Assignee: Dian Fu
> Fix For: 2.7.0
>
> Attachments: HADOOP-11332.patch
>
>
> In {{KerberosAuthenticator#doSpnegoSequence}}, it first checks if the subject
> is {{null}} before actually doing SPNEGO; if the subject is {{null}}, it will
> first perform a Kerberos login before doing SPNEGO. We should also check if
> a Kerberos TGT exists in the subject; if not, we should also perform a Kerberos
> login. This situation will occur when we configure KMS as Kerberos enabled
> (by configuring {{hadoop.kms.authentication.type}} as {{kerberos}}) and other
> Hadoop services as not Kerberos enabled (by configuring
> {{hadoop.security.authentication}} as {{simple}}). In this case, when the client
> connects to KMS, KMS will trigger Kerberos authentication, and as
> {{hadoop.security.authentication}} is configured as {{simple}} in the Hadoop
> cluster, the client side hasn't logged in with the Kerberos method currently, but
> maybe it has already logged in using the simple method, which will make {{subject}}
> not null.
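The check described in the issue, as an added illustration: this is not the attached HADOOP-11332.patch or Hadoop's own code. The class and method names are hypothetical, and the sample subjects and ticket contents are constructed.

```java
import java.security.Principal;
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TgtCheck {  // hypothetical name
    /** True if the subject holds a current TGT, i.e. a ticket for krbtgt/REALM@REALM. */
    static boolean hasCurrentTgt(Subject subject) {
        if (subject == null) return false;
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.isDestroyed()) continue;
            KerberosPrincipal server = t.getServer();
            // Local-realm TGT only; cross-realm TGTs (krbtgt/B@A) are not matched here.
            String tgs = "krbtgt/" + server.getRealm() + "@" + server.getRealm();
            if (server.getName().equals(tgs) && t.isCurrent()) return true;
        }
        return false;
    }

    /** A null check alone is not enough: a "simple" login also yields a non-null subject. */
    static boolean needsKerberosLogin(Subject subject) {
        return subject == null || !hasCurrentTgt(subject);
    }

    public static void main(String[] args) {
        // Constructed sample 1: subject left by a simple login, no Kerberos credentials.
        Subject simple = new Subject();
        simple.getPrincipals().add((Principal) () -> "alice");

        // Constructed sample 2: subject carrying a dummy, unexpired TGT for EXAMPLE.COM.
        KerberosPrincipal client = new KerberosPrincipal("alice@EXAMPLE.COM");
        KerberosPrincipal tgs = new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM");
        Date now = new Date();
        Date later = new Date(now.getTime() + 3_600_000L);
        KerberosTicket tgt = new KerberosTicket(new byte[] {0}, client, tgs,
                new byte[16], 17, null, now, now, later, null, null);
        Subject kerberized = new Subject();
        kerberized.getPrincipals().add(client);
        kerberized.getPrivateCredentials().add(tgt);

        System.out.println("null subject needs login:   " + needsKerberosLogin(null));
        System.out.println("simple subject needs login: " + needsKerberosLogin(simple));
        System.out.println("TGT subject needs login:    " + needsKerberosLogin(kerberized));
    }
}
```

Only the last case reports that no login is needed; the simple-login subject is non-null but still has to go through a Kerberos login before SPNEGO.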