  1. Hadoop Common
  2. HADOOP-11332

KerberosAuthenticator#doSpnegoSequence should check if kerberos TGT is available in the subject

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.6.0
    • Fix Version/s: 2.7.0
    • Component/s: security
    • Labels:
      None
    • Hadoop Flags:
      Reviewed

      Description

      In KerberosAuthenticator#doSpnegoSequence, it first checks whether the subject is null before actually doing SPNEGO; if the subject is null, it will first perform a Kerberos login before doing SPNEGO. We should also check whether a Kerberos TGT exists in the subject; if not, we should also perform a Kerberos login. This situation occurs when we configure KMS as Kerberos-enabled (by configuring hadoop.kms.authentication.type as kerberos) and other Hadoop services are not Kerberos-enabled (by configuring hadoop.security.authentication as simple). In this case, when a client connects to KMS, KMS will trigger Kerberos authentication, and because hadoop.security.authentication is configured as simple in the Hadoop cluster, the client side has not yet logged in with the Kerberos method, but it may already have logged in using the simple method, which makes the subject non-null.
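
      The check described above, as an added example using only the standard JAAS classes; it is not the HADOOP-11332 patch or Hadoop's own code. It goes slightly beyond the description by also treating an expired or destroyed TGT as absent. The names `TgtCheck` and `hasUsableTgt`, the `EXAMPLE.COM` realm and the dummy ticket bytes are hypothetical and constructed for illustration.

```java
import java.security.Principal;
import java.util.Date;
import javax.security.auth.Subject;
import javax.security.auth.kerberos.KerberosPrincipal;
import javax.security.auth.kerberos.KerberosTicket;

public class TgtCheck {
    /** True only if the Subject holds a current ticket issued for a krbtgt/ service. */
    static boolean hasUsableTgt(Subject subject) {
        if (subject == null) {
            return false; // the only case the original null check covered
        }
        // getPrivateCredentials(Class) returns a snapshot set, safe to iterate.
        for (KerberosTicket t : subject.getPrivateCredentials(KerberosTicket.class)) {
            if (t.isDestroyed() || !t.isCurrent()) {
                continue; // a destroyed or expired ticket cannot start SPNEGO
            }
            KerberosPrincipal server = t.getServer();
            if (server != null && server.getName().startsWith("krbtgt/")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample: Subject left behind by a "simple" login.
        // It is non-null but carries no Kerberos credentials.
        Subject simple = new Subject();
        simple.getPrincipals().add((Principal) () -> "alice");

        // Constructed sample: Subject holding a placeholder TGT valid for one hour.
        Subject kerberized = new Subject();
        Date now = new Date();
        Date end = new Date(now.getTime() + 3_600_000L);
        kerberized.getPrivateCredentials().add(new KerberosTicket(
                new byte[] {0},                                  // dummy ASN.1 bytes
                new KerberosPrincipal("alice@EXAMPLE.COM"),
                new KerberosPrincipal("krbtgt/EXAMPLE.COM@EXAMPLE.COM"),
                new byte[16], 17,                                // dummy AES-128 session key
                null, now, now, end, null, null));

        // "Login needed" is the decision doSpnegoSequence has to make.
        System.out.println("null subject   -> login needed: " + !hasUsableTgt(null));
        System.out.println("simple subject -> login needed: " + !hasUsableTgt(simple));
        System.out.println("TGT subject    -> login needed: " + !hasUsableTgt(kerberized));
    }
}
```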

        Attachments

        1. HADOOP-11332.patch
          1 kB
          Dian Fu

            People

            • Assignee:
              dian.fu Dian Fu
              Reporter:
              dian.fu Dian Fu