Stephen Chu created HADOOP-11404:
------------------------------------
Summary: Clarify the "expected client Kerberos principal is null" authorization message
Key: HADOOP-11404
URL: https://issues.apache.org/jira/browse/HADOOP-11404
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 2.2.0
Reporter: Stephen Chu
Assignee: Stephen Chu
Priority: Minor
In {{ServiceAuthorizationManager#authorize}}, we throw an
{{AuthorizationException}} with message "expected client Kerberos principal is
null" when authorization fails.
However, this is a confusing log message, because it leads users to believe there was a Kerberos authentication problem, when in fact the user could have authenticated successfully.
{code}
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||
    acls.length != 2 || !acls[0].isUserAllowed(user) ||
    acls[1].isUserAllowed(user)) {
  AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
      + ", expected client Kerberos principal is " + clientPrincipal);
  throw new AuthorizationException("User " + user +
      " is not authorized for protocol " + protocol +
      ", expected client Kerberos principal is " + clientPrincipal);
}
AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol);
{code}
In the above code, if clientPrincipal is null, then the user is authenticated
successfully but denied by a configured ACL, not a Kerberos issue. We should
improve this log message to state this.
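The following is a constructed Python model of the check above, added here for illustration and not code from Hadoop or from the reporter: it keeps the same three conditions (principal mismatch, allow ACL, block ACL) but separates the audit message for a principal mismatch from the message for an ACL denial, so a null clientPrincipal is no longer reported as if it were a Kerberos problem. The AccessControlList stand-in and the message wording are assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class AccessControlList:
    """Minimal stand-in for Hadoop's AccessControlList (constructed, not the real class)."""
    users: frozenset = frozenset()
    all_allowed: bool = False

    def is_user_allowed(self, user: str) -> bool:
        return self.all_allowed or user in self.users


def authorize(user: str, protocol: str, client_principal: Optional[str],
              acls: List[AccessControlList]) -> Tuple[bool, str]:
    """Mirror the checks in the snippet above, but name the check that failed.

    acls[0] is the allow list and acls[1] the block list, as in the original code.
    Returns (authorized, audit_message).
    """
    if client_principal is not None and client_principal != user:
        # The only branch that is genuinely about the Kerberos principal.
        return False, (f"Authorization failed for {user} for protocol={protocol}, "
                       f"expected client Kerberos principal is {client_principal}")
    if (len(acls) != 2 or not acls[0].is_user_allowed(user)
            or acls[1].is_user_allowed(user)):
        # The user may well have authenticated; the configured ACLs deny them.
        return False, (f"Authorization failed for {user} for protocol={protocol}: "
                       f"denied by ACL (not a Kerberos principal mismatch)")
    return True, f"Authorization successful for {user} for protocol={protocol}"


def original_message(user: str, protocol: str, client_principal: Optional[str]) -> str:
    """The pre-fix wording from the snippet, for comparison ("null" as Java prints it)."""
    shown = "null" if client_principal is None else client_principal
    return (f"User {user} is not authorized for protocol {protocol}, "
            f"expected client Kerberos principal is {shown}")


if __name__ == "__main__":
    # Constructed ACLs: only alice may call the protocol; nobody is blocked.
    acls = [AccessControlList(frozenset({"alice"})), AccessControlList()]
    print(original_message("bob", "ClientProtocol", None))
    print(authorize("bob", "ClientProtocol", None, acls)[1])
```

Run with no arguments, the script prints the original misleading message for an ACL-denied user with no client principal, followed by the clearer one.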
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)