You are viewing a plain text version of this content. The canonical link for it is here.

Posted to common-issues@hadoop.apache.org by "Harsh J (JIRA)" <ji...@apache.org> on 2016/03/10 06:41:40 UTC

[jira] [Commented] (HADOOP-11404) Clarify the "expected client Kerberos principal is null" authorization message

    [ https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15188715#comment-15188715 ] 

Harsh J commented on HADOOP-11404:
----------------------------------

+1, patch still applies. Will commit in a day unless you have any objection, [~stevel@apache.org].

> Clarify the "expected client Kerberos principal is null" authorization message
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-11404
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11404
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.2.0
>            Reporter: Stephen Chu
>            Assignee: Stephen Chu
>            Priority: Minor
>              Labels: BB2015-05-TBR, supportability
>         Attachments: HADOOP-11404.001.patch
>
>
> In {{ServiceAuthorizationManager#authorize}}, we throw an {{AuthorizationException}} with message "expected client Kerberos principal is null" when authorization fails.
> However, this is a confusing log message, because it leads users to believe there was a Kerberos authentication problem, when in fact the the user could have authenticated successfully.
> {code}
> if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || 
>        acls.length != 2  || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
>       AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
>           + ", expected client Kerberos principal is " + clientPrincipal);
>       throw new AuthorizationException("User " + user + 
>           " is not authorized for protocol " + protocol + 
>           ", expected client Kerberos principal is " + clientPrincipal);
>     }
>     AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol);
> {code}
> In the above code, if clientPrincipal is null, then the user is authenticated successfully but denied by a configured ACL, not a Kerberos issue. We should improve this log message to state this.
> Thanks to [~tlipcon] for finding this and proposing a fix.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)