hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Aaron T. Myers (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11332) KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is available in the subject
Date Thu, 04 Dec 2014 02:48:12 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14233852#comment-14233852
] 

Aaron T. Myers commented on HADOOP-11332:
-----------------------------------------

+1, the patch looks good to me. I'm OK forgoing tests in this instance since doing so would
require a fairly complex Kerberos setup.

I'm going to commit this momentarily.

> KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is available in the
subject 
> ------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11332
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11332
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Dian Fu
>            Assignee: Dian Fu
>         Attachments: HADOOP-11332.patch
>
>
> In {{KerberosAuthenticator#doSpnegoSequence}}, it first check if the subject is {{null}}
before actually doing spnego, if the subject is {{null}}, it will first perform kerberos login
before doing spnego. We should also check if kerberos TGT exists in the subject, if not, we
should also perform kerberos login. This situation will occur when we configure KMS as kerberos
enabled (via configure {{hadoop.kms.authentication.type}} as {{kerberos}}) and other hadoop
services not kerberos enabled(via configure {{hadoop.security.authentication}} as {{simple}}).
In this case, when client connect to KMS, KMS will trigger kerberos authentication and as
{{hadoop.security.authentication}} is configured as {{simple}} in hadoop cluster, the client
side haven't login with kerberos method currently, but maybe it has already login using simple
method which will make {{subject}} not null.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message