Hello Devs,

I'm Vipin, a long-time Apache Hadoop user, and I like to tinker around in my free time. I've been an MIT Kerberos contributor in my past life.

While chasing the Kerberos credential cache usage in Hadoop, I found out that the UGI code[1] makes use of the KRB5CCNAME environment variable to find the credential cache name and defaults to /tmp/krb5cc_$uid when there is no KRB5CCNAME defined, while completely ignoring the values defined in /etc/krb5.conf.

As per the MIT Kerberos doc[2], the correct credential cache location logic should be:

****************************
Default ccache name

The default credential cache name is determined by the following, in descending order of priority:

1. The KRB5CCNAME environment variable. For example, KRB5CCNAME=DIR:/mydir/.
2. The default_ccache_name profile variable in [libdefaults].
3. The hardcoded default, DEFCCNAME.
****************************

I propose to include support for reading default_ccache_name from /etc/krb5.conf while deciding the right Kerberos credential cache to use. I am currently testing a patch but wanted to check what the community thinks before submitting.

Thanks for reading, and I'm open to discussing any suggestions.

Regards,
Vipin

[1] https://github.com/apache/hadoop/blob/ae3a2c3851cbf7f010f7ae5734ed9e2dbac5d50c/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/UserGroupInformation.java#L2045
[2] https://web.mit.edu/kerberos/krb5-1.15/doc/basic/ccache_def.html#default-ccache-name
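
The lookup order quoted from the MIT documentation above, as an added Java example that is not part of the original post, not the proposed patch and not Hadoop's code. The class name CcacheNameResolver, its methods and the sample krb5.conf lines are hypothetical; the sketch assumes a flat krb5.conf (no include or includedir directives) and expands only the %{uid} parameter.

```java
import java.util.List;
import java.util.Map;

public class CcacheNameResolver {
  // Stand-in for the compiled-in DEFCCNAME, modelled on /tmp/krb5cc_$uid.
  static final String DEFCCNAME = "FILE:/tmp/krb5cc_%{uid}";

  /** First default_ccache_name found under [libdefaults], or null if unset. */
  static String fromProfile(List<String> krb5ConfLines) {
    boolean inLibdefaults = false;
    for (String raw : krb5ConfLines) {
      String line = raw.trim();
      if (line.isEmpty() || line.startsWith("#") || line.startsWith(";")) continue;
      if (line.startsWith("[")) { // section header such as [realms]
        inLibdefaults = line.equals("[libdefaults]");
        continue;
      }
      int eq = line.indexOf('=');
      if (inLibdefaults && eq > 0
          && line.substring(0, eq).trim().equals("default_ccache_name")) {
        return line.substring(eq + 1).trim();
      }
    }
    return null;
  }

  /** KRB5CCNAME, then default_ccache_name, then DEFCCNAME. */
  static String resolve(Map<String, String> env, List<String> krb5ConfLines, String uid) {
    String fromEnv = env.get("KRB5CCNAME");
    if (fromEnv != null && !fromEnv.isEmpty()) return fromEnv; // used as given
    String name = fromProfile(krb5ConfLines);
    if (name == null || name.isEmpty()) name = DEFCCNAME;
    return name.replace("%{uid}", uid); // only the %{uid} parameter is expanded here
  }

  public static void main(String[] args) {
    // Constructed sample krb5.conf and uid, not taken from a real host.
    List<String> conf = List.of(
        "[libdefaults]",
        "  default_realm = EXAMPLE.COM",
        "  default_ccache_name = DIR:/run/user/%{uid}/krb5cc",
        "[domain_realm]",
        "  .example.com = EXAMPLE.COM");
    System.out.println(resolve(Map.of("KRB5CCNAME", "DIR:/mydir/"), conf, "1000"));
    System.out.println(resolve(Map.of(), conf, "1000"));
    System.out.println(resolve(Map.of(), List.of("[libdefaults]"), "1000"));
  }
}
```

The resolved name can carry a cache type prefix such as DIR: or FILE:, so a caller that expects a plain file path has to check the prefix before using the value.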