Major Description
In KerberosAuthenticator#doSpnegoSequence, it first check if the subject is null before actually doing spnego, if the subject is null, it will first perform kerberos login before doing spnego. We should also check if kerberos TGT exists in the subject, if not, we should also perform kerberos login. This situation will occur when we configure KMS as kerberos enabled (via configure hadoop.kms.authentication.type as kerberos) and other hadoop services not kerberos enabled(via configure hadoop.security.authentication as simple). In this case, when client connect to KMS, KMS will trigger kerberos authentication and as hadoop.security.authentication is configured as simple in hadoop cluster, the client side haven't login with kerberos method currently, but maybe it has already login using simple method which will make subject not null.