Hi,

Do you know that the Hadoop core (all services) is coded for the Oracle ecosystem (Java API)? But it is technically wrong for non-Oracle platforms.

Microsoft Active Directory uses its own Kerberos standard, oriented to a specific Kerberos ticket for authentication and authorization (PAC). Red Hat (POSIX core) uses its own MIT Kerberos standard without PAC, but it is closer to Active Directory. Neither Kerberos mechanism supports the Java API, because Kerberos is oriented toward C/C++ applications. Oracle used to keep the classic MIT model, like C, until it changed to a proprietary Java API. As a workaround for Microsoft, Oracle developed an AD bridge to connect the Java API to the MSLSA storage. However, for MIT Kerberos there is no bridge except the Sun common module, also known as Java Native GSSAPI.

Because Oracle doesn't support the MIT credential cache format, it is impossible to build an optimized authentication model, so on Linux the whole Hadoop infrastructure will do a DDoS attack on the KDC servers. Some sources say that the DDoS can be solved by DELEGATION TOKEN storage, but it is not fit for multi-task processing, where any new request generates a new session without tickets and delegation token. If all Hadoop core services are switched to native MIT, then cached tickets (TGT & TGS) in a service-specific cache will feel better in high-load mode, because only one unique ticket initiated for thousands of threads of a service will be active for some hours (24h in POSIX MIT and 10h in Windows by default).

This is an issue for any Java application, not only Hadoop. Fix this ASAP, because it's impossible to use with the well-known Red Hat FreeIPA project.

This is the official documentation: https://docs.oracle.com/en/java/javase/17/security/accessing-native-gss-api.html

Best Regards
Alex
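
A minimal client for the native GSS-API path covered by the linked Oracle documentation, added here as an example; it is not part of the original post and not Hadoop code. The service name `HTTP@namenode.example.com`, the class name and the library path are placeholders, and a ticket from `kinit` is assumed to be in the system credential cache.

```java
import org.ietf.jgss.GSSContext;
import org.ietf.jgss.GSSCredential;
import org.ietf.jgss.GSSException;
import org.ietf.jgss.GSSManager;
import org.ietf.jgss.GSSName;
import org.ietf.jgss.Oid;

// Run after `kinit`, with the native provider switched on:
//   java -Dsun.security.jgss.native=true \
//        -Dsun.security.jgss.lib=/usr/lib64/libgssapi_krb5.so \
//        -Djavax.security.auth.useSubjectCredsOnly=false \
//        NativeGssClient
// The library path is an assumption; it differs between distributions.
public class NativeGssClient {
    // Kerberos V5 mechanism OID
    private static final String KRB5_OID = "1.2.840.113554.1.2.2";
    // Placeholder target service in host-based form (service@host)
    private static final String SERVICE = "HTTP@namenode.example.com";

    public static void main(String[] args) throws GSSException {
        System.out.println("native GSS requested: "
                + Boolean.getBoolean("sun.security.jgss.native"));

        GSSManager manager = GSSManager.getInstance();
        Oid krb5 = new Oid(KRB5_OID);

        // Default initiator credential. With the native provider the system
        // GSS library resolves it from the credential cache (KRB5CCNAME),
        // so no JAAS login and no keytab handling happens in the JVM.
        GSSCredential cred = manager.createCredential(
                null, GSSCredential.DEFAULT_LIFETIME, krb5,
                GSSCredential.INITIATE_ONLY);
        System.out.println("principal: " + cred.getName()
                + ", remaining lifetime (s): " + cred.getRemainingLifetime());

        GSSName peer = manager.createName(SERVICE, GSSName.NT_HOSTBASED_SERVICE);
        GSSContext ctx = manager.createContext(
                peer, krb5, cred, GSSContext.DEFAULT_LIFETIME);
        ctx.requestMutualAuth(true);
        try {
            // First token of the exchange; the service ticket it carries is
            // obtained and cached by the native library.
            byte[] token = ctx.initSecContext(new byte[0], 0, 0);
            System.out.println("initial token bytes: "
                    + (token == null ? 0 : token.length));
        } finally {
            ctx.dispose();
            cred.dispose();
        }
    }
}
```

Running `klist` before and after shows whether a service ticket for the target was added to the cache, and a second run can be compared against the KDC log to see whether a new TGS request was issued.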
