minor: added comment for using subject

SML0127 · SML0127 · commit 262f07b60f1d · 2026-02-05T21:37:09.000+09:00
diff --git a/fluss-common/src/main/java/org/apache/fluss/security/auth/sasl/authenticator/SaslClientAuthenticator.java b/fluss-common/src/main/java/org/apache/fluss/security/auth/sasl/authenticator/SaslClientAuthenticator.java
@@ -82,6 +82,12 @@ public String protocol() {
     @Override
     public byte[] authenticate(byte[] data) throws AuthenticationException {
         try {
+            // Use Subject.doAs to bind the login subject to the current AccessControlContext.
+            // This is required for Kerberos (GSSAPI) authentication because:
+            // - GssKrb5Client.evaluateChallenge() -> GSSContextImpl.initSecContext()
+            //   retrieves the Subject via Subject.getSubject(AccessController.getContext())
+            //   to obtain Kerberos credentials (TGT and service tickets).
+            // - Without Subject.doAs, GSSAPI cannot find the credentials and authentication fails.
             return Subject.doAs(
                     loginManager.subject(),
                     (PrivilegedExceptionAction<byte[]>) () -> saslClient.evaluateChallenge(data));
diff --git a/fluss-common/src/main/java/org/apache/fluss/security/auth/sasl/authenticator/SaslServerAuthenticator.java b/fluss-common/src/main/java/org/apache/fluss/security/auth/sasl/authenticator/SaslServerAuthenticator.java
@@ -139,6 +139,12 @@ public void matchProtocol(String protocol) {
     @Override
     public byte[] evaluateResponse(byte[] token) throws AuthenticationException {
         try {
+            // Use Subject.doAs to bind the login subject to the current AccessControlContext.
+            // This is required for Kerberos (GSSAPI) authentication because:
+            // - GssKrb5Server.evaluateResponse() -> GSSContextImpl.acceptSecContext()
+            //   retrieves the Subject via Subject.getSubject(AccessController.getContext())
+            //   to obtain server credentials from the keytab for validating client service tickets.
+            // - Without Subject.doAs, GSSAPI cannot find the credentials and authentication fails.
             return Subject.doAs(
                     loginManager.subject(),
                     (PrivilegedExceptionAction<byte[]>) () -> saslServer.evaluateResponse(token));
