You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Allen Wittenauer (JIRA)" <ji...@apache.org> on 2015/05/06 05:39:31 UTC

[jira] [Updated] (HADOOP-11404) Clarify the "expected client Kerberos principal is null" authorization message

     [ https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Allen Wittenauer updated HADOOP-11404:
--------------------------------------
    Labels: BB2015-05-TBR supportability  (was: supportability)

> Clarify the "expected client Kerberos principal is null" authorization message
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-11404
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11404
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.2.0
>            Reporter: Stephen Chu
>            Assignee: Stephen Chu
>            Priority: Minor
>              Labels: BB2015-05-TBR, supportability
>         Attachments: HADOOP-11404.001.patch
>
>
> In {{ServiceAuthorizationManager#authorize}}, we throw an {{AuthorizationException}} with message "expected client Kerberos principal is null" when authorization fails.
> However, this is a confusing log message, because it leads users to believe there was a Kerberos authentication problem, when in fact the the user could have authenticated successfully.
> {code}
> if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || 
>        acls.length != 2  || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
>       AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
>           + ", expected client Kerberos principal is " + clientPrincipal);
>       throw new AuthorizationException("User " + user + 
>           " is not authorized for protocol " + protocol + 
>           ", expected client Kerberos principal is " + clientPrincipal);
>     }
>     AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol);
> {code}
> In the above code, if clientPrincipal is null, then the user is authenticated successfully but denied by a configured ACL, not a Kerberos issue. We should improve this log message to state this.
> Thanks to [~tlipcon] for finding this and proposing a fix.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)