Tuesday, November 29, 2016

Accessing WebHDFS with curl, with Kerberos enabled, and looking at the DEBUG log


[hdfs@node3 hdfs]$ export HADOOP_OPTS="$HADOOP_OPTS -Dsun.security.krb5.debug=true -Djava.security.debug=gssloginconfig,configfile,configparser,logincontext"
[hdfs@node3 hdfs]$ kill `cat /var/run/hadoop/hdfs/hadoop-hdfs-namenode.pid`; sleep 3; /usr/hdp/current/hadoop-client/sbin/hadoop-daemon.sh --config /usr/hdp/current/hadoop-client/conf start namenode
[hdfs@node3 hdfs]$ tail -f hadoop-hdfs-namenode-node3.localdomain.out

From a different node:
[hajime@node1 ~]$ curl -sS -L -v -w '%{http_code}' -X GET --negotiate -u : 'http://node3.localdomain:50070/webhdfs/v1/tmp?op=GETFILESTATUS&user.name=incorrect_user'

Back on node3 (the NameNode):
Found KeyTab /etc/security/keytabs/spnego.service.keytab for HTTP/node3.localdomain@HO-UBU02
Found KeyTab /etc/security/keytabs/spnego.service.keytab for HTTP/node3.localdomain@HO-UBU02
Entered Krb5Context.acceptSecContext with state=STATE_NEW
>>> KeyTabInputStream, readName(): HO-UBU02
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): node3.localdomain
>>> KeyTab: load() entry length: 66; type: 17
>>> KeyTabInputStream, readName(): HO-UBU02
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): node3.localdomain
>>> KeyTab: load() entry length: 66; type: 23
>>> KeyTabInputStream, readName(): HO-UBU02
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): node3.localdomain
>>> KeyTab: load() entry length: 58; type: 3
>>> KeyTabInputStream, readName(): HO-UBU02
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): node3.localdomain
>>> KeyTab: load() entry length: 82; type: 18
>>> KeyTabInputStream, readName(): HO-UBU02
>>> KeyTabInputStream, readName(): HTTP
>>> KeyTabInputStream, readName(): node3.localdomain
>>> KeyTab: load() entry length: 74; type: 16
Looking for keys for: HTTP/node3.localdomain@HO-UBU02
Added key: 16version: 1
Added key: 18version: 1
Found unsupported keytype (3) for HTTP/node3.localdomain@HO-UBU02
Added key: 23version: 1
Added key: 17version: 1
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
Using builtin default etypes for permitted_enctypes
default etypes for permitted_enctypes: 18 17 16 23.
>>> EType: sun.security.krb5.internal.crypto.Aes256CtsHmacSha1EType
MemoryCache: add 1480393332/553854/1D11869D8DDC6C3FDAE645FD45DEA27B/hajime@HO-UBU02 to hajime@HO-UBU02|HTTP/node3.localdomain@HO-UBU02
>>> KrbApReq: authenticate succeed.
Krb5Context setting peerSeqNumber to: 1055634594
Krb5Context setting mySeqNumber to: 1055634594
Nov 29, 2016 4:22:11 AM com.sun.jersey.api.core.PackagesResourceConfig init
INFO: Scanning for root resource and provider classes in the packages:
  org.apache.hadoop.hdfs.server.namenode.web.resources
  org.apache.hadoop.hdfs.web.resources
Found ticket for nn/node3.localdomain@HO-UBU02 to go to krbtgt/HO-UBU02@HO-UBU02 expiring on Tue Nov 29 14:18:04 UTC 2016
Entered Krb5Context.initSecContext with state=STATE_NEW
Found ticket for nn/node3.localdomain@HO-UBU02 to go to krbtgt/HO-UBU02@HO-UBU02 expiring on Tue Nov 29 14:18:04 UTC 2016
Found ticket for nn/node3.localdomain@HO-UBU02 to go to jn/node2.localdomain@HO-UBU02 expiring on Tue Nov 29 14:18:04 UTC 2016
Found ticket for nn/node3.localdomain@HO-UBU02 to go to jn/node3.localdomain@HO-UBU02 expiring on Tue Nov 29 14:18:04 UTC 2016
Found ticket for nn/node3.localdomain@HO-UBU02 to go to jn/node1.localdomain@HO-UBU02 expiring on Tue Nov 29 14:18:04 UTC 2016
Found ticket for nn/node3.localdomain@HO-UBU02 to go to nn/node2.localdomain@HO-UBU02 expiring on Tue Nov 29 14:18:04 UTC 2016
Found service ticket in the subjectTicket (hex) =
0000: 61 82 01 5E 30 82 01 5A   A0 03 02 01 05 A1 0A 1B  a..^0..Z........
...
0160: C7 7D                                              ..

Client Principal = nn/node3.localdomain@HO-UBU02
Server Principal = nn/node2.localdomain@HO-UBU02
Session Key = EncryptionKey: keyType=18 keyBytes (hex dump)=
0000: B3 F2 F3 5D 03 A2 01 B6   E7 D8 B2 87 82 FC 2B 6A  ...]..........+j
0010: A8 FD 37 68 E7 EC 74 68   22 D6 AD 63 C3 F5 06 E0  ..7h..th"..c....


Forwardable Ticket true
Forwarded Ticket false
Proxiable Ticket false
Proxy Ticket false
Postdated Ticket false
Renewable Ticket false
Initial Ticket false
Auth Time = Tue Nov 29 04:18:04 UTC 2016
Start Time = Tue Nov 29 04:20:11 UTC 2016
End Time = Tue Nov 29 14:18:04 UTC 2016
Renew Till = null
Client Addresses  Null
...
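
As an added example (not part of the original post), this Python script condenses the NameNode debug output above into the facts worth checking: which enctypes the SPNEGO keytab holds, which keys the JVM loaded or rejected, and which client principal was authenticated. SAMPLE is a shortened copy of lines from the log above, and the function names are assumptions of this example.

```python
import re

DEPRECATED = {1, 3, 16, 23}  # 1, 3 = DES (RFC 6649); 16 = 3DES, 23 = RC4 (RFC 8429)

# Constructed sample: a shortened copy of lines from the NameNode output above.
SAMPLE = """\
>>> KeyTab: load() entry length: 66; type: 17
>>> KeyTab: load() entry length: 66; type: 23
>>> KeyTab: load() entry length: 58; type: 3
>>> KeyTab: load() entry length: 82; type: 18
>>> KeyTab: load() entry length: 74; type: 16
Looking for keys for: HTTP/node3.localdomain@HO-UBU02
Added key: 16version: 1
Added key: 18version: 1
Found unsupported keytype (3) for HTTP/node3.localdomain@HO-UBU02
Added key: 23version: 1
Added key: 17version: 1
default etypes for permitted_enctypes: 18 17 16 23.
MemoryCache: add 1480393332/553854/1D11869D8DDC6C3FDAE645FD45DEA27B/hajime@HO-UBU02 to hajime@HO-UBU02|HTTP/node3.localdomain@HO-UBU02
>>> KrbApReq: authenticate succeed.
"""

def ints(pattern, text):
    """Integer captures of pattern, de-duplicated, in first-seen order."""
    return list(dict.fromkeys(int(m) for m in re.findall(pattern, text)))

def summarize(log):
    """Pull the keytab, enctype and authentication facts out of krb5 debug output."""
    service = re.search(r"Looking for keys for: (\S+)", log)
    permitted = re.search(r"default etypes for permitted_enctypes: ([\d ]+)\.", log)
    client = re.search(r"MemoryCache: add \S+ to ([^|\s]+)\|", log)
    return {
        "service": service.group(1) if service else None,
        "keytab": ints(r"KeyTab: load\(\) entry length: \d+; type: (\d+)", log),
        "loaded": ints(r"Added key: (\d+)version:", log),
        "unsupported": ints(r"Found unsupported keytype \((\d+)\)", log),
        "permitted": [int(e) for e in permitted.group(1).split()] if permitted else [],
        "client": client.group(1) if client else None,
        "authenticated": "KrbApReq: authenticate succeed." in log,
    }

def weak_usable(summary):
    """Deprecated enctypes whose keys were loaded and are permitted by the JVM."""
    return sorted(e for e in summary["loaded"]
                  if e in DEPRECATED and e in summary["permitted"])

if __name__ == "__main__":
    s = summarize(SAMPLE)
    print(s, "deprecated but usable:", weak_usable(s))
```

To run it against a real capture, pass the contents of the `.out` file to `summarize()` instead of SAMPLE.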
