Details
-
Bug
-
Status: Closed
-
Major
-
Resolution: Fixed
-
1.18.0, 1.17.2
Description
In KerberosLoginProvider.isLoginPossible there is a call to UserGroupInformation.getCurrentUser() before principal check (keytab usage). This triggers an accidental login with either kerberos credentials if available, or as the local OS user, based on security settings. This is not problematic most of the time since KerberosLoginProvider.doLogin overwrites the credentials with keytab. The problem hurts however when login fails for whatever reason. Such case the workload is just not starting.