You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Hadoop QA (JIRA)" <ji...@apache.org> on 2015/05/03 07:35:06 UTC

[jira] [Commented] (HADOOP-11404) Clarify the "expected client Kerberos principal is null" authorization message

    [ https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14525671#comment-14525671 ] 

Hadoop QA commented on HADOOP-11404:
------------------------------------

(!) The patch artifact directory has been removed! 
This is a fatal error for test-patch.sh.  Aborting. 
Jenkins (node H4) information at https://builds.apache.org/job/PreCommit-HADOOP-Build/6453/ may provide some hints.

> Clarify the "expected client Kerberos principal is null" authorization message
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-11404
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11404
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.2.0
>            Reporter: Stephen Chu
>            Assignee: Stephen Chu
>            Priority: Minor
>              Labels: supportability
>         Attachments: HADOOP-11404.001.patch
>
>
> In {{ServiceAuthorizationManager#authorize}}, we throw an {{AuthorizationException}} with message "expected client Kerberos principal is null" when authorization fails.
> However, this is a confusing log message, because it leads users to believe there was a Kerberos authentication problem, when in fact the the user could have authenticated successfully.
> {code}
> if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || 
>        acls.length != 2  || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
>       AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
>           + ", expected client Kerberos principal is " + clientPrincipal);
>       throw new AuthorizationException("User " + user + 
>           " is not authorized for protocol " + protocol + 
>           ", expected client Kerberos principal is " + clientPrincipal);
>     }
>     AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol);
> {code}
> In the above code, if clientPrincipal is null, then the user is authenticated successfully but denied by a configured ACL, not a Kerberos issue. We should improve this log message to state this.
> Thanks to [~tlipcon] for finding this and proposing a fix.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)