Dian Fu created HADOOP-11332: -------------------------------- Summary: KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is available in the subject Key: HADOOP-11332 URL: https://issues.apache.org/jira/browse/HADOOP-11332 Project: Hadoop Common Issue Type: Bug Components: security Reporter: Dian Fu Assignee: Dian Fu
In {{KerberosAuthenticator#doSpnegoSequence}}, it first check if the subject is {{null}} before actually doing spnego, if the subject is {{null}}, it will first perform kerberos login before doing spnego. We should also check if kerberos TGT exists in the subject, if not, we should also perform kerberos login. This situation will occur when we configure KMS as kerberos enabled (via configure {{hadoop.kms.authentication.type}} as {{kerberos}}) and other hadoop services not kerberos enabled(via configure {{hadoop.security.authentication}} as {{simple}}). In this case, when client connect to KMS, KMS will trigger kerberos authentication and as {{hadoop.security.authentication}} is configured as {{simple}} in hadoop cluster, the client side haven't login with kerberos method currently, but maybe it has already login using simple method which will make {{subject}} not null. -- This message was sent by Atlassian JIRA (v6.3.4#6332)