[
https://issues.apache.org/jira/browse/KNOX-916?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15949657#comment-15949657
]
Larry McCay commented on KNOX-916:
----------------------------------
Yeah, I saw that.
It needs to be tried and regression tested.
Many of the Hadoop components leverage the Hadoop UGI class to login via
keytab, etc.
Knox does not rely on UGI and therefore there could be a difference.
It has been a long time since we worked on enabling kerberos and I don't recall
any community discussion around why it is configured any particular way.
It has long been a known issue that if you kinit as knox and start the server
that it wouldn't work properly.
But like I said, there is really no reason to do that unless you are a
developer trying to test something.
> When REST endpoint enables SPNEGO and there is valid kerberos ticket cache
> for knox user, REST call through knox will show 401 error
> ------------------------------------------------------------------------------------------------------------------------------------
>
> Key: KNOX-916
> URL: https://issues.apache.org/jira/browse/KNOX-916
> Project: Apache Knox
> Issue Type: Bug
> Affects Versions: 0.11.0
> Reporter: Shi Wang
> Assignee: Shi Wang
>
> For example, if webhdfs uses SPNEGO authentication, and curl through knox, su
> knoxuser and klist, if there is valid kerberos ticket cached for knoxuser,
> then it will show 401 unauthorized error. But if the cached ticket expired or
> do not have any cached ticket, could get 200 correct result.
--
This message was sent by Atlassian JIRA
(v6.3.15#6346)
