diff --git a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
index 3bfa349880..1eca1bee77 100644
--- a/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
+++ b/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security/authentication/client/KerberosAuthenticator.java
@@ -200,9 +200,11 @@ public void authenticate(URL url, AuthenticatedURL.Token token)
           needFallback = true;
         }
         if (!needFallback && isNegotiate(conn)) {
+		  // 对于普通的HTTP的kerberos认证(SPNEGO)，需要现在客户端登录KDC服务
           LOG.debug("Performing our own SPNEGO sequence.");
           doSpnegoSequence(token);
         } else {
+		  // 当前主要适用于对认证方式需要扩展的场景。
           LOG.debug("Using fallback authenticator sequence.");
           Authenticator auth = getFallBackAuthenticator();
           // Make sure that the fall back authenticator have the same
@@ -301,6 +303,7 @@ private void doSpnegoSequence(final AuthenticatedURL.Token token)
         subject = new Subject();
         LoginContext login = new LoginContext("", subject,
             null, new KerberosConfiguration());
+		// 登录KDC服务
         login.login();
       }
 
@@ -314,12 +317,14 @@ public Void run() throws Exception {
           GSSContext gssContext = null;
           try {
             GSSManager gssManager = GSSManager.getInstance();
+			// 设置服务端的域名，由于是HTTP协议，所以当前要求principal的格式为：HTTP/HOST_NAME的方式。
             String servicePrincipal = KerberosUtil.getServicePrincipal("HTTP",
                 KerberosAuthenticator.this.url.getHost());
             Oid oid = KerberosUtil.NT_GSS_KRB5_PRINCIPAL_OID;
             GSSName serviceName = gssManager.createName(servicePrincipal,
                                                         oid);
             oid = KerberosUtil.GSS_KRB5_MECH_OID;
+			// 创建获取token的上下文信息。
             gssContext = gssManager.createContext(serviceName, oid, null,
                                                   GSSContext.DEFAULT_LIFETIME);
             gssContext.requestCredDeleg(true);
@@ -333,14 +338,19 @@ public Void run() throws Exception {
             while (!established) {
               HttpURLConnection conn =
                   token.openConnection(url, connConfigurator);
-              outToken = gssContext.initSecContext(inToken, 0, inToken.length);
+              // 获取客户端的token。对于第一次的场景，inToken为空。
+			  // 对于中间过程，需要将服务端给的token传进去校验。
+			  outToken = gssContext.initSecContext(inToken, 0, inToken.length);
               if (outToken != null) {
+				// 将token发送给服务端
                 sendToken(conn, outToken);
               }
 
               if (!gssContext.isEstablished()) {
-                inToken = readToken(conn);
+                // 读取服务端发送的token。
+				inToken = readToken(conn);
               } else {
+				// 认证完成,认证结束
                 established = true;
               }
             }