[jira] [Updated] (HADOOP-11404) Clarify the "expected client Kerberos principal is null" authorization message
[
https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Harsh J updated HADOOP-11404:
-
Resolution: Fixed
Fix Version/s: 2.9.0
Status: Resolved (was: Patch Available)
Committed to branch-2 and trunk.
> Clarify the "expected client Kerberos principal is null" authorization message
> --
>
> Key: HADOOP-11404
> URL: https://issues.apache.org/jira/browse/HADOOP-11404
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
>Affects Versions: 2.2.0
>Reporter: Stephen Chu
>Assignee: Stephen Chu
>Priority: Minor
> Labels: BB2015-05-TBR, supportability
> Fix For: 2.9.0
>
> Attachments: HADOOP-11404.001.patch, HADOOP-11404.002.patch,
> HADOOP-11404.003.patch
>
>
> In {{ServiceAuthorizationManager#authorize}}, we throw an
> {{AuthorizationException}} with message "expected client Kerberos principal
> is null" when authorization fails.
> However, this is a confusing log message, because it leads users to believe
> there was a Kerberos authentication problem, when in fact the the user could
> have authenticated successfully.
> {code}
> if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName()))
> ||
>acls.length != 2 || !acls[0].isUserAllowed(user) ||
> acls[1].isUserAllowed(user)) {
> AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
> + ", expected client Kerberos principal is " + clientPrincipal);
> throw new AuthorizationException("User " + user +
> " is not authorized for protocol " + protocol +
> ", expected client Kerberos principal is " + clientPrincipal);
> }
> AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol);
> {code}
> In the above code, if clientPrincipal is null, then the user is authenticated
> successfully but denied by a configured ACL, not a Kerberos issue. We should
> improve this log message to state this.
> Thanks to [~tlipcon] for finding this and proposing a fix.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the "expected client Kerberos principal is null" authorization message
[
https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Harsh J updated HADOOP-11404:
-
Attachment: HADOOP-11404.003.patch
Fixing the indent issue. Retrying.
> Clarify the "expected client Kerberos principal is null" authorization message
> --
>
> Key: HADOOP-11404
> URL: https://issues.apache.org/jira/browse/HADOOP-11404
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
>Affects Versions: 2.2.0
>Reporter: Stephen Chu
>Assignee: Stephen Chu
>Priority: Minor
> Labels: BB2015-05-TBR, supportability
> Attachments: HADOOP-11404.001.patch, HADOOP-11404.002.patch,
> HADOOP-11404.003.patch
>
>
> In {{ServiceAuthorizationManager#authorize}}, we throw an
> {{AuthorizationException}} with message "expected client Kerberos principal
> is null" when authorization fails.
> However, this is a confusing log message, because it leads users to believe
> there was a Kerberos authentication problem, when in fact the the user could
> have authenticated successfully.
> {code}
> if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName()))
> ||
>acls.length != 2 || !acls[0].isUserAllowed(user) ||
> acls[1].isUserAllowed(user)) {
> AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
> + ", expected client Kerberos principal is " + clientPrincipal);
> throw new AuthorizationException("User " + user +
> " is not authorized for protocol " + protocol +
> ", expected client Kerberos principal is " + clientPrincipal);
> }
> AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol);
> {code}
> In the above code, if clientPrincipal is null, then the user is authenticated
> successfully but denied by a configured ACL, not a Kerberos issue. We should
> improve this log message to state this.
> Thanks to [~tlipcon] for finding this and proposing a fix.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the "expected client Kerberos principal is null" authorization message
[
https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Harsh J updated HADOOP-11404:
-
Attachment: HADOOP-11404.002.patch
Resubmitting for jenkins (fixed a 84 line change to clear probable checkstyle
nit)
> Clarify the "expected client Kerberos principal is null" authorization message
> --
>
> Key: HADOOP-11404
> URL: https://issues.apache.org/jira/browse/HADOOP-11404
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
>Affects Versions: 2.2.0
>Reporter: Stephen Chu
>Assignee: Stephen Chu
>Priority: Minor
> Labels: BB2015-05-TBR, supportability
> Attachments: HADOOP-11404.001.patch, HADOOP-11404.002.patch
>
>
> In {{ServiceAuthorizationManager#authorize}}, we throw an
> {{AuthorizationException}} with message "expected client Kerberos principal
> is null" when authorization fails.
> However, this is a confusing log message, because it leads users to believe
> there was a Kerberos authentication problem, when in fact the the user could
> have authenticated successfully.
> {code}
> if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName()))
> ||
>acls.length != 2 || !acls[0].isUserAllowed(user) ||
> acls[1].isUserAllowed(user)) {
> AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
> + ", expected client Kerberos principal is " + clientPrincipal);
> throw new AuthorizationException("User " + user +
> " is not authorized for protocol " + protocol +
> ", expected client Kerberos principal is " + clientPrincipal);
> }
> AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol);
> {code}
> In the above code, if clientPrincipal is null, then the user is authenticated
> successfully but denied by a configured ACL, not a Kerberos issue. We should
> improve this log message to state this.
> Thanks to [~tlipcon] for finding this and proposing a fix.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the "expected client Kerberos principal is null" authorization message
[
https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Steve Loughran updated HADOOP-11404:
Status: Open (was: Patch Available)
> Clarify the "expected client Kerberos principal is null" authorization message
> --
>
> Key: HADOOP-11404
> URL: https://issues.apache.org/jira/browse/HADOOP-11404
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
>Affects Versions: 2.2.0
>Reporter: Stephen Chu
>Assignee: Stephen Chu
>Priority: Minor
> Labels: BB2015-05-TBR, supportability
> Attachments: HADOOP-11404.001.patch
>
>
> In {{ServiceAuthorizationManager#authorize}}, we throw an
> {{AuthorizationException}} with message "expected client Kerberos principal
> is null" when authorization fails.
> However, this is a confusing log message, because it leads users to believe
> there was a Kerberos authentication problem, when in fact the the user could
> have authenticated successfully.
> {code}
> if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName()))
> ||
>acls.length != 2 || !acls[0].isUserAllowed(user) ||
> acls[1].isUserAllowed(user)) {
> AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
> + ", expected client Kerberos principal is " + clientPrincipal);
> throw new AuthorizationException("User " + user +
> " is not authorized for protocol " + protocol +
> ", expected client Kerberos principal is " + clientPrincipal);
> }
> AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol);
> {code}
> In the above code, if clientPrincipal is null, then the user is authenticated
> successfully but denied by a configured ACL, not a Kerberos issue. We should
> improve this log message to state this.
> Thanks to [~tlipcon] for finding this and proposing a fix.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the "expected client Kerberos principal is null" authorization message
[
https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Steve Loughran updated HADOOP-11404:
Status: Patch Available (was: Open)
+1
submitting a patch to make sure it takes and I'll commit it if all is well
> Clarify the "expected client Kerberos principal is null" authorization message
> --
>
> Key: HADOOP-11404
> URL: https://issues.apache.org/jira/browse/HADOOP-11404
> Project: Hadoop Common
> Issue Type: Improvement
> Components: security
>Affects Versions: 2.2.0
>Reporter: Stephen Chu
>Assignee: Stephen Chu
>Priority: Minor
> Labels: BB2015-05-TBR, supportability
> Attachments: HADOOP-11404.001.patch
>
>
> In {{ServiceAuthorizationManager#authorize}}, we throw an
> {{AuthorizationException}} with message "expected client Kerberos principal
> is null" when authorization fails.
> However, this is a confusing log message, because it leads users to believe
> there was a Kerberos authentication problem, when in fact the the user could
> have authenticated successfully.
> {code}
> if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName()))
> ||
>acls.length != 2 || !acls[0].isUserAllowed(user) ||
> acls[1].isUserAllowed(user)) {
> AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
> + ", expected client Kerberos principal is " + clientPrincipal);
> throw new AuthorizationException("User " + user +
> " is not authorized for protocol " + protocol +
> ", expected client Kerberos principal is " + clientPrincipal);
> }
> AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol);
> {code}
> In the above code, if clientPrincipal is null, then the user is authenticated
> successfully but denied by a configured ACL, not a Kerberos issue. We should
> improve this log message to state this.
> Thanks to [~tlipcon] for finding this and proposing a fix.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the expected client Kerberos principal is null authorization message
[
https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Allen Wittenauer updated HADOOP-11404:
--
Labels: BB2015-05-TBR supportability (was: supportability)
Clarify the expected client Kerberos principal is null authorization message
--
Key: HADOOP-11404
URL: https://issues.apache.org/jira/browse/HADOOP-11404
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 2.2.0
Reporter: Stephen Chu
Assignee: Stephen Chu
Priority: Minor
Labels: BB2015-05-TBR, supportability
Attachments: HADOOP-11404.001.patch
In {{ServiceAuthorizationManager#authorize}}, we throw an
{{AuthorizationException}} with message expected client Kerberos principal
is null when authorization fails.
However, this is a confusing log message, because it leads users to believe
there was a Kerberos authentication problem, when in fact the the user could
have authenticated successfully.
{code}
if((clientPrincipal != null !clientPrincipal.equals(user.getUserName()))
||
acls.length != 2 || !acls[0].isUserAllowed(user) ||
acls[1].isUserAllowed(user)) {
AUDITLOG.warn(AUTHZ_FAILED_FOR + user + for protocol= + protocol
+ , expected client Kerberos principal is + clientPrincipal);
throw new AuthorizationException(User + user +
is not authorized for protocol + protocol +
, expected client Kerberos principal is + clientPrincipal);
}
AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + for protocol=+protocol);
{code}
In the above code, if clientPrincipal is null, then the user is authenticated
successfully but denied by a configured ACL, not a Kerberos issue. We should
improve this log message to state this.
Thanks to [~tlipcon] for finding this and proposing a fix.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the expected client Kerberos principal is null authorization message
[
https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Stephen Chu updated HADOOP-11404:
-
Description:
In {{ServiceAuthorizationManager#authorize}}, we throw an
{{AuthorizationException}} with message expected client Kerberos principal is
null when authorization fails.
However, this is a confusing log message, because it leads users to believe
there was a Kerberos authentication problem, when in fact the the user could
have authenticated successfully.
{code}
if((clientPrincipal != null !clientPrincipal.equals(user.getUserName())) ||
acls.length != 2 || !acls[0].isUserAllowed(user) ||
acls[1].isUserAllowed(user)) {
AUDITLOG.warn(AUTHZ_FAILED_FOR + user + for protocol= + protocol
+ , expected client Kerberos principal is + clientPrincipal);
throw new AuthorizationException(User + user +
is not authorized for protocol + protocol +
, expected client Kerberos principal is + clientPrincipal);
}
AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + for protocol=+protocol);
{code}
In the above code, if clientPrincipal is null, then the user is authenticated
successfully but denied by a configured ACL, not a Kerberos issue. We should
improve this log message to state this.
Thanks to [~tlipcon] for finding this and proposing a fix.
was:
In {{ServiceAuthorizationManager#authorize}}, we throw an
{{AuthorizationException}} with message expected client Kerberos principal is
null when authorization fails.
However, this is a confusing log message, because it leads users to believe
there was a Kerberos authentication problem, when in fact the the user could
have authenticated successfully.
{code}
if((clientPrincipal != null !clientPrincipal.equals(user.getUserName())) ||
acls.length != 2 || !acls[0].isUserAllowed(user) ||
acls[1].isUserAllowed(user)) {
AUDITLOG.warn(AUTHZ_FAILED_FOR + user + for protocol= + protocol
+ , expected client Kerberos principal is + clientPrincipal);
throw new AuthorizationException(User + user +
is not authorized for protocol + protocol +
, expected client Kerberos principal is + clientPrincipal);
}
AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + for protocol=+protocol);
{code}
In the above code, if clientPrincipal is null, then the user is authenticated
successfully but denied by a configured ACL, not a Kerberos issue. We should
improve this log message to state this.
Clarify the expected client Kerberos principal is null authorization message
--
Key: HADOOP-11404
URL: https://issues.apache.org/jira/browse/HADOOP-11404
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 2.2.0
Reporter: Stephen Chu
Assignee: Stephen Chu
Priority: Minor
Labels: supportability
In {{ServiceAuthorizationManager#authorize}}, we throw an
{{AuthorizationException}} with message expected client Kerberos principal
is null when authorization fails.
However, this is a confusing log message, because it leads users to believe
there was a Kerberos authentication problem, when in fact the the user could
have authenticated successfully.
{code}
if((clientPrincipal != null !clientPrincipal.equals(user.getUserName()))
||
acls.length != 2 || !acls[0].isUserAllowed(user) ||
acls[1].isUserAllowed(user)) {
AUDITLOG.warn(AUTHZ_FAILED_FOR + user + for protocol= + protocol
+ , expected client Kerberos principal is + clientPrincipal);
throw new AuthorizationException(User + user +
is not authorized for protocol + protocol +
, expected client Kerberos principal is + clientPrincipal);
}
AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + for protocol=+protocol);
{code}
In the above code, if clientPrincipal is null, then the user is authenticated
successfully but denied by a configured ACL, not a Kerberos issue. We should
improve this log message to state this.
Thanks to [~tlipcon] for finding this and proposing a fix.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the expected client Kerberos principal is null authorization message
[
https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Stephen Chu updated HADOOP-11404:
-
Status: Patch Available (was: Open)
Clarify the expected client Kerberos principal is null authorization message
--
Key: HADOOP-11404
URL: https://issues.apache.org/jira/browse/HADOOP-11404
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 2.2.0
Reporter: Stephen Chu
Assignee: Stephen Chu
Priority: Minor
Labels: supportability
Attachments: HADOOP-11404.001.patch
In {{ServiceAuthorizationManager#authorize}}, we throw an
{{AuthorizationException}} with message expected client Kerberos principal
is null when authorization fails.
However, this is a confusing log message, because it leads users to believe
there was a Kerberos authentication problem, when in fact the the user could
have authenticated successfully.
{code}
if((clientPrincipal != null !clientPrincipal.equals(user.getUserName()))
||
acls.length != 2 || !acls[0].isUserAllowed(user) ||
acls[1].isUserAllowed(user)) {
AUDITLOG.warn(AUTHZ_FAILED_FOR + user + for protocol= + protocol
+ , expected client Kerberos principal is + clientPrincipal);
throw new AuthorizationException(User + user +
is not authorized for protocol + protocol +
, expected client Kerberos principal is + clientPrincipal);
}
AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + for protocol=+protocol);
{code}
In the above code, if clientPrincipal is null, then the user is authenticated
successfully but denied by a configured ACL, not a Kerberos issue. We should
improve this log message to state this.
Thanks to [~tlipcon] for finding this and proposing a fix.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the expected client Kerberos principal is null authorization message
[
https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Stephen Chu updated HADOOP-11404:
-
Attachment: HADOOP-11404.001.patch
Clarify the expected client Kerberos principal is null authorization message
--
Key: HADOOP-11404
URL: https://issues.apache.org/jira/browse/HADOOP-11404
Project: Hadoop Common
Issue Type: Improvement
Components: security
Affects Versions: 2.2.0
Reporter: Stephen Chu
Assignee: Stephen Chu
Priority: Minor
Labels: supportability
Attachments: HADOOP-11404.001.patch
In {{ServiceAuthorizationManager#authorize}}, we throw an
{{AuthorizationException}} with message expected client Kerberos principal
is null when authorization fails.
However, this is a confusing log message, because it leads users to believe
there was a Kerberos authentication problem, when in fact the the user could
have authenticated successfully.
{code}
if((clientPrincipal != null !clientPrincipal.equals(user.getUserName()))
||
acls.length != 2 || !acls[0].isUserAllowed(user) ||
acls[1].isUserAllowed(user)) {
AUDITLOG.warn(AUTHZ_FAILED_FOR + user + for protocol= + protocol
+ , expected client Kerberos principal is + clientPrincipal);
throw new AuthorizationException(User + user +
is not authorized for protocol + protocol +
, expected client Kerberos principal is + clientPrincipal);
}
AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + for protocol=+protocol);
{code}
In the above code, if clientPrincipal is null, then the user is authenticated
successfully but denied by a configured ACL, not a Kerberos issue. We should
improve this log message to state this.
Thanks to [~tlipcon] for finding this and proposing a fix.
--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
