After some fights with build I've tested the patch HADOOP-12617 . And SPNEGO started to work! Everything you need is to replace /usr/lib/hadoop/hadoop-auth-2.6.0-cdh5.5.1.jar file by this version: http://scientific.zcu.cz/repos/hadoop/MetaCentrum/hadoop-auth-2.6.0-cdh5.5.1.jar
The patch (slightly modified for hadoop-2.6.0+cdh5.5.1) is published here: http://scientific.zcu.cz/repos/hadoop/MetaCentrum/HADOOP-12617-MetaCentrum.patch
Any chance to put it into next releases of Hadoop in Cloudera?
We rebuilt several new Cloudera versions over the time:
...although we have only the CDH 5.5.1 throughfully tested and in production.
It looks like the planned CDH 6.x still contains the older version of Hadoop (2.6.0). We would be interrested in including HADOOP-12617 patch in Cloudera. It is already in upstream and planned for 2.8.0 (backported patch is here).
This would fix SPNEGO with cross-realms for recent Java versions (Java 8 and Java >= 7u80), with all dependent features (HDFS journal nodes and HDFS HA, ...).
CDH 5.14.0 is still broken. The workaround is the patched hadoop-auth.jar:
There is needed to backoport HADOOP-12617: http://scientific.zcu.cz/repos/hadoop/MetaCentrum/HADOOP-12617-MetaCentrum.patch
Thank you for reporting the issue. This specific fix (HADOOP-10786) is targeting CDH6 at this point.
You should also consider filing a DISTRO jira at Cloudera's JIRA system: https://issues.cloudera.org for Cloudera to consider backporting it to CDH5.x.