[ https://issues.apache.org/jira/browse/HADOOP-9317?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13582469#comment-13582469 ]
Aaron T. Myers commented on HADOOP-9317:
----------------------------------------

Hey Daryn, have you tested this with IBM Java? I don't think it will quite work, since it could result in both useDefaultCcache and useKeytab being set, which according to [IBM's JGSS documentation|http://publib.boulder.ibm.com/infocenter/javasdk/v6r0/index.jsp?topic=%2Fcom.ibm.java.security.component.doc%2Fsecurity-component%2FjgssDocs%2Fjaas_login_user.html] are incompatible when set in the same JAAS config.

> User cannot specify a kerberos keytab for commands
> --------------------------------------------------
>
>                 Key: HADOOP-9317
>                 URL: https://issues.apache.org/jira/browse/HADOOP-9317
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 0.23.0, 2.0.0-alpha, 3.0.0
>            Reporter: Daryn Sharp
>            Assignee: Daryn Sharp
>            Priority: Critical
>         Attachments: HADOOP-9317.branch-23.patch,
> HADOOP-9317.branch-23.patch, HADOOP-9317.patch, HADOOP-9317.patch,
> HADOOP-9317.patch
>
>
> {{UserGroupInformation}} only allows kerberos users to be logged in via the
> ticket cache when running hadoop commands. {{UGI}} allows a keytab to be
> used, but it's only exposed programmatically. This forces keytab-based users
> running hadoop commands to periodically issue a kinit from the keytab. A
> race condition exists during the kinit when the ticket cache is deleted and
> re-created. Hadoop commands will fail when the ticket cache does not
> momentarily exist.
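The option conflict raised in the comment above can be checked mechanically. The following is an added example, not part of the thread or of the HADOOP-9317 patches: a Python check over a JAAS login configuration that flags any Krb5LoginModule entry setting both useDefaultCcache and useKeytab. The sample configuration, its entry names, keytab path and principal are constructed, and treating useDefaultCcache=false as "not set" is an assumption.

```python
import re

# Constructed sample: entry names, keytab path and principal are made up.
SAMPLE_JAAS = '''
ticket-cache-and-keytab {
    com.ibm.security.auth.module.Krb5LoginModule required
        useDefaultCcache=true
        useKeytab="file:///etc/security/keytabs/hdfs.keytab"
        principal="hdfs/host.example.com@EXAMPLE.COM";
};
keytab-only {
    // only the keytab is configured here
    com.ibm.security.auth.module.Krb5LoginModule required
        useKeytab="file:///etc/security/keytabs/hdfs.keytab"
        principal="hdfs/host.example.com@EXAMPLE.COM";
};
'''

ENTRY = re.compile(r"([\w.-]+)\s*\{(.*?)\}\s*;", re.S)
OPTION = re.compile(r'(\w+)\s*=\s*("[^"]*"|\S+)')

def strip_comments(text):
    # Drop /* */ and whole-line // comments; inline // stays (file:/// URLs).
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(?m)^\s*//.*$", "", text)

def parse_jaas(text):
    """Return {entry name: [(module class, control flag, options dict)]}."""
    entries = {}
    for name, body in ENTRY.findall(strip_comments(text)):
        modules = []
        for chunk in body.split(";"):          # one login module per ';'
            parts = chunk.split(None, 2)
            if len(parts) >= 2:
                opts = {k: v.strip('"') for k, v in OPTION.findall(" ".join(parts[2:]))}
                modules.append((parts[0], parts[1], opts))
        entries[name] = modules
    return entries

def find_conflicts(text):
    """List (entry, module class, keytab) where both options are set."""
    hits = []
    for name, modules in parse_jaas(text).items():
        for cls, _flag, opts in modules:
            # Assumption: useDefaultCcache=false counts as "not set".
            cache = opts.get("useDefaultCcache", "false").lower() == "true"
            if cls.endswith("Krb5LoginModule") and cache and "useKeytab" in opts:
                hits.append((name, cls, opts["useKeytab"]))
    return hits
```

Running find_conflicts over the JAAS configuration a build actually generates for IBM Java would show whether a given login entry ends up with both options.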