Posted to common-issues@hadoop.apache.org by "Dian Fu (JIRA)" <ji...@apache.org> on 2014/11/25 11:45:12 UTC

[jira] [Created] (HADOOP-11332) KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is available in the subject

Dian Fu created HADOOP-11332:
--------------------------------

             Summary: KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is available in the subject 
                 Key: HADOOP-11332
                 URL: https://issues.apache.org/jira/browse/HADOOP-11332
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
            Reporter: Dian Fu
            Assignee: Dian Fu


{{KerberosAuthenticator#doSpnegoSequence}} first checks whether the subject is {{null}} before actually doing SPNEGO; if the subject is {{null}}, it performs a Kerberos login before doing SPNEGO. We should also check whether a Kerberos TGT exists in the subject and, if not, perform a Kerberos login as well. This situation occurs when KMS is configured as Kerberos-enabled (by setting {{hadoop.kms.authentication.type}} to {{kerberos}}) while the other Hadoop services are not Kerberos-enabled (by setting {{hadoop.security.authentication}} to {{simple}}). In this case, when a client connects to KMS, KMS triggers Kerberos authentication; because {{hadoop.security.authentication}} is configured as {{simple}} in the Hadoop cluster, the client side has not logged in with the Kerberos method, but it may already have logged in using the simple method, which makes {{subject}} non-null.



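An added sketch of the check the report asks for, not code from the issue or from Hadoop: it treats a subject as Kerberos-ready only if it holds an unexpired ticket for krbtgt/<REALM>@<REALM>. The class name TgtCheck, the method hasKerberosTgt, the EXAMPLE.COM realm and the constructed ticket are assumptions made for illustration.

```java
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

// Hypothetical helper for illustration; not part of Hadoop.
public class TgtCheck {

    /** Returns true only if the subject holds a current ticket-granting ticket. */
    static boolean hasKerberosTgt(Subject subject) {
        if (subject == null) {
            return false;                       // the case the existing null check covers
        }
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.isDestroyed() || !t.isCurrent()) {
                continue;                       // destroyed or expired tickets do not count
            }
            KerberosPrincipal server = t.getServer();
            String realm = server.getRealm();
            // A TGT is a ticket whose service principal is krbtgt/<REALM>@<REALM>.
            if (server.getName().equals("krbtgt/" + realm + "@" + realm)) {
                return true;
            }
        }
        return false;                           // non-null subject without a TGT
    }

    public static void main(String[] args) {
        // Stands in for a subject produced by a "simple" login: non-null, no Kerberos credentials.
        Subject simple = new Subject();

        // Constructed ticket with dummy encoding and key bytes, valid for one hour.
        Date now = new Date();
        KerberosTicket tgt = new KerberosTicket(
            new byte[] {0},
            new KerberosPrincipal("alice@EXAMPLE.COM"),
            new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
            new byte[16], 17, new boolean[32],
            now, now, new Date(now.getTime() + 3_600_000L), null, null);
        Subject kerberos = new Subject();
        kerberos.getPrivateCredentials().add(tgt);

        System.out.println("null subject:     " + hasKerberosTgt(null));
        System.out.println("simple subject:   " + hasKerberosTgt(simple));
        System.out.println("kerberos subject: " + hasKerberosTgt(kerberos));
    }
}
```

A caller in the position the report describes would perform the Kerberos login whenever this check returns false, rather than only when the subject is null.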