hadoop-common-issues mailing list archives

From "Hudson (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11332) KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is available in the subject
Date Thu, 04 Dec 2014 03:04:13 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11332?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14233865#comment-14233865 ]

Hudson commented on HADOOP-11332:
---------------------------------

SUCCESS: Integrated in Hadoop-trunk-Commit #6647 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/6647/])
HADOOP-11332. KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is available in the subject. Contributed by Dian Fu. (atm: rev 9d1a8f5897d585bec96de32116fbd2118f8e0f95)
* hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
* hadoop-common-project/hadoop-common/CHANGES.txt


> KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is available in the subject
> ------------------------------------------------------------------------------------------------
>
>                 Key: HADOOP-11332
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11332
>             Project: Hadoop Common
>          Issue Type: Bug
>          Components: security
>    Affects Versions: 2.6.0
>            Reporter: Dian Fu
>            Assignee: Dian Fu
>             Fix For: 2.7.0
>
>         Attachments: HADOOP-11332.patch
>
>
> In {{KerberosAuthenticator#doSpnegoSequence}}, it first checks if the subject is {{null}}
> before actually doing SPNEGO; if the subject is {{null}}, it will first perform Kerberos login
> before doing SPNEGO. We should also check if a Kerberos TGT exists in the subject; if not, we
> should also perform Kerberos login. This situation will occur when we configure KMS as Kerberos
> enabled (by configuring {{hadoop.kms.authentication.type}} as {{kerberos}}) and other Hadoop
> services as not Kerberos enabled (by configuring {{hadoop.security.authentication}} as {{simple}}).
> In this case, when a client connects to KMS, KMS will trigger Kerberos authentication, and as
> {{hadoop.security.authentication}} is configured as {{simple}} in the Hadoop cluster, the client
> side hasn't logged in with the Kerberos method currently, but maybe it has already logged in using
> the simple method, which will make {{subject}} not null.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
