[prev in list] [next in list] [prev in thread] [next in thread] 

List:       hadoop-dev
Subject:    [jira] [Created] (HADOOP-11332) KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT 
From:       "Dian Fu (JIRA)" <jira () apache ! org>
Date:       2014-11-25 10:45:12
Message-ID: JIRA.12757657.1416912262000.14816.1416912312492 () Atlassian ! JIRA
[Download RAW message or body]

Dian Fu created HADOOP-11332:
--------------------------------

             Summary: KerberosAuthenticator#doSpnegoSequence should check if kerberos \
TGT is available in the subject   Key: HADOOP-11332
                 URL: https://issues.apache.org/jira/browse/HADOOP-11332
             Project: Hadoop Common
          Issue Type: Bug
          Components: security
            Reporter: Dian Fu
            Assignee: Dian Fu


In {{KerberosAuthenticator#doSpnegoSequence}}, it first check if the subject is \
{{null}} before actually doing spnego, if the subject is {{null}}, it will first \
perform kerberos login before doing spnego. We should also check if kerberos TGT \
exists in the subject, if not, we should also perform kerberos login. This situation \
will occur when we configure KMS as kerberos enabled (via configure \
{{hadoop.kms.authentication.type}} as {{kerberos}}) and other hadoop services not \
kerberos enabled(via configure {{hadoop.security.authentication}} as {{simple}}). In \
this case, when client connect to KMS, KMS will trigger kerberos authentication and \
as {{hadoop.security.authentication}} is configured as {{simple}} in hadoop cluster, \
the client side haven't login with kerberos method currently, but maybe it has \
already login using simple method which will make {{subject}} not null.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)


[prev in list] [next in list] [prev in thread] [next in thread]