[ https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=15189183#comment-15189183 ]
Hudson commented on HADOOP-11404:
---------------------------------

FAILURE: Integrated in Hadoop-trunk-Commit #9447 (See [https://builds.apache.org/job/Hadoop-trunk-Commit/9447/])
HADOOP-11404. Clarify the "expected client Kerberos principal is null" (harsh: rev 318c9b68b059981796f2742b4b7ee604ccdc47e5)
* hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java


> Clarify the "expected client Kerberos principal is null" authorization message
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-11404
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11404
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.2.0
>            Reporter: Stephen Chu
>            Assignee: Stephen Chu
>            Priority: Minor
>              Labels: BB2015-05-TBR, supportability
>         Attachments: HADOOP-11404.001.patch, HADOOP-11404.002.patch, HADOOP-11404.003.patch
>
>
> In {{ServiceAuthorizationManager#authorize}}, we throw an {{AuthorizationException}} with message "expected client Kerberos principal is null" when authorization fails.
> However, this is a confusing log message, because it leads users to believe there was a Kerberos authentication problem, when in fact the user could have authenticated successfully.
> {code}
> if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName()))
>     || acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
>   AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
>       + ", expected client Kerberos principal is " + clientPrincipal);
>   throw new AuthorizationException("User " + user +
>       " is not authorized for protocol " + protocol +
>       ", expected client Kerberos principal is " + clientPrincipal);
> }
> AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol);
> {code}
> In the above code, if clientPrincipal is null, then the user is authenticated successfully but denied by a configured ACL, not a Kerberos issue. We should improve this log message to state this.
> Thanks to [~tlipcon] for finding this and proposing a fix.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
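The quoted check folds two different denial reasons into one message: a mismatch against a configured client principal, and a denial by the service-level ACLs. The standalone Java below is an added illustration of separating those branches so the audit message names the real cause; it is not the committed HADOOP-11404 patch and does not use Hadoop's classes. SimpleAcl, the String-typed user, and the sample users, protocol name and realm are all constructed for the demo.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public class AuthzMessageDemo {

    // Stand-in for Hadoop's AccessControlList (hypothetical; not the Hadoop class).
    static final class SimpleAcl {
        private final Set<String> users;
        SimpleAcl(String... users) { this.users = new HashSet<>(Arrays.asList(users)); }
        boolean isUserAllowed(String user) { return users.contains(user); }
    }

    static final class AuthorizationException extends Exception {
        AuthorizationException(String msg) { super(msg); }
    }

    // Same shape as the check quoted in the issue: acls[0] is the allow list and
    // acls[1] the block list. Each denial reason gets its own message, so a
    // null clientPrincipal never shows up as a "Kerberos principal" problem.
    static String authorize(String user, String protocol, String clientPrincipal, SimpleAcl[] acls)
            throws AuthorizationException {
        String prefix = "User " + user + " is not authorized for protocol " + protocol;

        // Branch 1: a client principal is configured and the authenticated
        // identity does not match it. Only here is the expected principal relevant.
        if (clientPrincipal != null && !clientPrincipal.equals(user)) {
            throw new AuthorizationException(prefix
                + ", expected client Kerberos principal is " + clientPrincipal);
        }
        // Branch 2: ACL configuration is malformed (not exactly allow + block list).
        if (acls == null || acls.length != 2) {
            int n = (acls == null) ? 0 : acls.length;
            throw new AuthorizationException(prefix
                + ": service ACL configuration is malformed (" + n + " lists, expected 2)");
        }
        // Branch 3 and 4: authentication succeeded (or no principal was
        // configured) but the service ACLs deny access. Say which list did it.
        if (!acls[0].isUserAllowed(user)) {
            throw new AuthorizationException(prefix
                + ": user is not in the service ACL allow list (ACL denial, not a Kerberos failure)");
        }
        if (acls[1].isUserAllowed(user)) {
            throw new AuthorizationException(prefix
                + ": user is in the service ACL block list (ACL denial, not a Kerberos failure)");
        }
        return "Authorization successful for " + user + " for protocol=" + protocol;
    }

    public static void main(String[] args) {
        // Constructed sample configuration: alice is allowed, mallory is blocked.
        SimpleAcl[] acls = { new SimpleAcl("alice"), new SimpleAcl("mallory") };
        String[][] cases = {
            { "alice",   null },                     // allowed, no principal configured
            { "bob",     null },                     // not in allow list: ACL denial
            { "mallory", null },                     // in block list: ACL denial
            { "alice",   "hdfs/nn@EXAMPLE.COM" },    // principal mismatch (constructed realm)
        };
        for (String[] c : cases) {
            try {
                System.out.println(authorize(c[0], "ClientProtocol", c[1], acls));
            } catch (AuthorizationException e) {
                System.out.println("DENIED: " + e.getMessage());
            }
        }
    }
}
```

Running the demo prints one line per case; the three denials each carry a different reason, and the two ACL cases no longer mention a Kerberos principal at all, which is the distinction the issue asks the audit log to make.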