[
https://issues.apache.org/jira/browse/HADOOP-11332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14234779#comment-14234779
]
Aaron T. Myers commented on HADOOP-11332:
-----------------------------------------
Hi [~dian.fu], yea, not sure how I feel about that. It doesn't seem like a
super reasonable cluster setup to me, so I'm personally inclined to ignore that
situation for now. I don't feel super strongly about this, though, and
certainly could be convinced otherwise. Your call.
> KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is
> available in the subject
> ------------------------------------------------------------------------------------------------
>
> Key: HADOOP-11332
> URL: https://issues.apache.org/jira/browse/HADOOP-11332
> Project: Hadoop Common
> Issue Type: Bug
> Components: security
> Affects Versions: 2.6.0
> Reporter: Dian Fu
> Assignee: Dian Fu
> Fix For: 2.7.0
>
> Attachments: HADOOP-11332.patch
>
>
> In {{KerberosAuthenticator#doSpnegoSequence}}, it first checks if the subject
> is {{null}} before actually doing SPNEGO; if the subject is {{null}}, it will
> first perform a Kerberos login before doing SPNEGO. We should also check if
> a Kerberos TGT exists in the subject; if not, we should also perform a Kerberos
> login. This situation will occur when we configure KMS as Kerberos enabled
> (by configuring {{hadoop.kms.authentication.type}} as {{kerberos}}) and other
> Hadoop services as not Kerberos enabled (by configuring
> {{hadoop.security.authentication}} as {{simple}}). In this case, when the client
> connects to KMS, KMS will trigger Kerberos authentication, and as
> {{hadoop.security.authentication}} is configured as {{simple}} in the Hadoop
> cluster, the client side hasn't logged in with the Kerberos method currently, but
> maybe it has already logged in using the simple method, which will make {{subject}}
> not null.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
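
The check the issue description asks for, as an added Java example (it is not the attached HADOOP-11332.patch and not Hadoop's own code): a subject left behind by a simple login is non-null but carries no TGT, so a null test alone skips the Kerberos login. The names `TgtCheck`, `hasKerberosTgt` and `needsKerberosLogin`, the `EXAMPLE.COM` realm and the sample subjects are assumptions constructed for illustration.

```java
import java.security.Principal;
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TgtCheck {
  /** True when the subject holds an unexpired ticket-granting ticket. */
  static boolean hasKerberosTgt(Subject subject) {
    for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
      KerberosPrincipal server = t.getServer();
      // A TGT is a ticket issued for the krbtgt/REALM@REALM service principal.
      if (server != null && server.getName().startsWith("krbtgt/") && t.isCurrent()) {
        return true;
      }
    }
    return false;
  }

  /** Login is needed for a null subject and also for a subject without a TGT. */
  static boolean needsKerberosLogin(Subject subject) {
    return subject == null || !hasKerberosTgt(subject);
  }

  public static void main(String[] args) {
    // Constructed sample: subject produced by a "simple" (non-Kerberos) login.
    Subject simple = new Subject();
    Principal user = () -> "alice";
    simple.getPrincipals().add(user);

    // Constructed sample: placeholder ticket bytes and session key, valid one hour.
    Date now = new Date();
    KerberosTicket tgt = new KerberosTicket(new byte[] {0},
        new KerberosPrincipal("alice@EXAMPLE.COM"),
        new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
        new byte[16], 17, null, now, now,
        new Date(now.getTime() + 3_600_000L), null, null);
    Subject kerberos = new Subject();
    kerberos.getPrivateCredentials().add(tgt);

    System.out.println("null subject needs login:   " + needsKerberosLogin(null));
    System.out.println("simple subject needs login: " + needsKerberosLogin(simple));
    System.out.println("TGT subject needs login:    " + needsKerberosLogin(kerberos));
  }
}
```

The expiry test matters as well: a subject whose TGT has lapsed is in the same position as one that never had a ticket.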