We are developing a web application that interacts with hadoop components such as HDFS, HBase and Impala. The cluster is kerberized, we are authenticating with JAAS config. We are configuring JAAS in VM arguments as below

-Djava.security.auth.login.config=/user/gss-jaas.conf
-Djava.security.krb5.conf=/user/krb5.ini
-Djavax.security.auth.useSubjectCredsOnly=false 

Our JAAS config is as below

com.sun.security.jgss.initiate {
  com.sun.security.auth.module.Krb5LoginModule required
  useTicketCache=false
  doNotPrompt=true
  useKeyTab=true
  keyTab="file:C:/blah/blah/dummy.keytab"
  principal="dummy@SOME.REALM"
  debug=false;
};

It works fine when connecting to hbase and Hdfs. But while connecting with Impala, we are facing problems. We can connect with Impala when we change com.sun.security.jgss.initiate to Client But we don't want to change or switch between Jaas configs.

Is there any way we can use the same JAAS config file for all service? We don't want to use System.setProperties to do this. and also when switching between JAAS configs we are getting exceptions. So using the same config file would be better.

Any help?

You don't have to switch. Just use both!

Did you wonder why there are two mandatory ; -- one after the last parameter, and one after the brace? That's because you can have multiple mechanisms defined inside the section (tried from 1st to last), and multiple sections (with different names) in the same config file.

Look into the Kafka documentation for example, how they set the JAAS configuration for both the broker and the client apps in the same file: http://docs.confluent.io/current/kafka/sasl.html

And in case you are curious about the multiple mechanisms, look into the Java documentation (but be careful, that stuff is a nightmare to tweak and debug...) https://docs.oracle.com/javase/8/docs/jre/api/security/jaas/spec/com/sun/security/auth/module/Krb5LoginModule.html