diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java index e4ebf1b0d9a..928866c532c 100644 --- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java +++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java @@ -23,6 +23,8 @@ import org.slf4j.Logger; import org.slf4j.LoggerFactory; import javax.security.auth.Subject; +import javax.security.auth.kerberos.KerberosKey; +import javax.security.auth.kerberos.KerberosTicket; import javax.security.auth.login.AppConfigurationEntry; import javax.security.auth.login.Configuration; import javax.security.auth.login.LoginContext; @@ -247,7 +249,9 @@ public class KerberosAuthenticator implements Authenticator { try { AccessControlContext context = AccessController.getContext(); Subject subject = Subject.getSubject(context); - if (subject == null) { + if (subject == null + || (subject.getPrivateCredentials(KerberosKey.class).isEmpty() + && subject.getPrivateCredentials(KerberosTicket.class).isEmpty())) { LOG.debug("No subject in context, logging in"); subject = new Subject(); LoginContext login = new LoginContext("", subject, diff --git a/hadoop-common-project/hadoop-common/CHANGES.txt b/hadoop-common-project/hadoop-common/CHANGES.txt index 7a2159f4e46..f53bcebb38e 100644 --- a/hadoop-common-project/hadoop-common/CHANGES.txt +++ b/hadoop-common-project/hadoop-common/CHANGES.txt @@ -496,6 +496,9 @@ Release 2.7.0 - UNRELEASED HADOOP-11342. KMS key ACL should ignore ALL operation for default key ACL and whitelist key ACL. (Dian Fu via wang) + HADOOP-11332. KerberosAuthenticator#doSpnegoSequence should check if + kerberos TGT is available in the subject. (Dian Fu via atm) + Release 2.6.0 - 2014-11-18 INCOMPATIBLE CHANGES