[jira] [Updated] (HADOOP-11404) Clarify the "expected client Kerberos principal is null" authorization message
[ https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Harsh J updated HADOOP-11404: - Resolution: Fixed Fix Version/s: 2.9.0 Status: Resolved (was: Patch Available) Committed to branch-2 and trunk. > Clarify the "expected client Kerberos principal is null" authorization message > -- > > Key: HADOOP-11404 > URL: https://issues.apache.org/jira/browse/HADOOP-11404 > Project: Hadoop Common > Issue Type: Improvement > Components: security >Affects Versions: 2.2.0 >Reporter: Stephen Chu >Assignee: Stephen Chu >Priority: Minor > Labels: BB2015-05-TBR, supportability > Fix For: 2.9.0 > > Attachments: HADOOP-11404.001.patch, HADOOP-11404.002.patch, > HADOOP-11404.003.patch > > > In {{ServiceAuthorizationManager#authorize}}, we throw an > {{AuthorizationException}} with message "expected client Kerberos principal > is null" when authorization fails. > However, this is a confusing log message, because it leads users to believe > there was a Kerberos authentication problem, when in fact the the user could > have authenticated successfully. > {code} > if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) > || >acls.length != 2 || !acls[0].isUserAllowed(user) || > acls[1].isUserAllowed(user)) { > AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol > + ", expected client Kerberos principal is " + clientPrincipal); > throw new AuthorizationException("User " + user + > " is not authorized for protocol " + protocol + > ", expected client Kerberos principal is " + clientPrincipal); > } > AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol); > {code} > In the above code, if clientPrincipal is null, then the user is authenticated > successfully but denied by a configured ACL, not a Kerberos issue. We should > improve this log message to state this. > Thanks to [~tlipcon] for finding this and proposing a fix. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the "expected client Kerberos principal is null" authorization message
[ https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Harsh J updated HADOOP-11404: - Attachment: HADOOP-11404.003.patch Fixing the indent issue. Retrying. > Clarify the "expected client Kerberos principal is null" authorization message > -- > > Key: HADOOP-11404 > URL: https://issues.apache.org/jira/browse/HADOOP-11404 > Project: Hadoop Common > Issue Type: Improvement > Components: security >Affects Versions: 2.2.0 >Reporter: Stephen Chu >Assignee: Stephen Chu >Priority: Minor > Labels: BB2015-05-TBR, supportability > Attachments: HADOOP-11404.001.patch, HADOOP-11404.002.patch, > HADOOP-11404.003.patch > > > In {{ServiceAuthorizationManager#authorize}}, we throw an > {{AuthorizationException}} with message "expected client Kerberos principal > is null" when authorization fails. > However, this is a confusing log message, because it leads users to believe > there was a Kerberos authentication problem, when in fact the the user could > have authenticated successfully. > {code} > if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) > || >acls.length != 2 || !acls[0].isUserAllowed(user) || > acls[1].isUserAllowed(user)) { > AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol > + ", expected client Kerberos principal is " + clientPrincipal); > throw new AuthorizationException("User " + user + > " is not authorized for protocol " + protocol + > ", expected client Kerberos principal is " + clientPrincipal); > } > AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol); > {code} > In the above code, if clientPrincipal is null, then the user is authenticated > successfully but denied by a configured ACL, not a Kerberos issue. We should > improve this log message to state this. > Thanks to [~tlipcon] for finding this and proposing a fix. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the "expected client Kerberos principal is null" authorization message
[ https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Harsh J updated HADOOP-11404: - Attachment: HADOOP-11404.002.patch Resubmitting for jenkins (fixed a 84 line change to clear probable checkstyle nit) > Clarify the "expected client Kerberos principal is null" authorization message > -- > > Key: HADOOP-11404 > URL: https://issues.apache.org/jira/browse/HADOOP-11404 > Project: Hadoop Common > Issue Type: Improvement > Components: security >Affects Versions: 2.2.0 >Reporter: Stephen Chu >Assignee: Stephen Chu >Priority: Minor > Labels: BB2015-05-TBR, supportability > Attachments: HADOOP-11404.001.patch, HADOOP-11404.002.patch > > > In {{ServiceAuthorizationManager#authorize}}, we throw an > {{AuthorizationException}} with message "expected client Kerberos principal > is null" when authorization fails. > However, this is a confusing log message, because it leads users to believe > there was a Kerberos authentication problem, when in fact the the user could > have authenticated successfully. > {code} > if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) > || >acls.length != 2 || !acls[0].isUserAllowed(user) || > acls[1].isUserAllowed(user)) { > AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol > + ", expected client Kerberos principal is " + clientPrincipal); > throw new AuthorizationException("User " + user + > " is not authorized for protocol " + protocol + > ", expected client Kerberos principal is " + clientPrincipal); > } > AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol); > {code} > In the above code, if clientPrincipal is null, then the user is authenticated > successfully but denied by a configured ACL, not a Kerberos issue. We should > improve this log message to state this. > Thanks to [~tlipcon] for finding this and proposing a fix. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the "expected client Kerberos principal is null" authorization message
[ https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Steve Loughran updated HADOOP-11404: Status: Open (was: Patch Available) > Clarify the "expected client Kerberos principal is null" authorization message > -- > > Key: HADOOP-11404 > URL: https://issues.apache.org/jira/browse/HADOOP-11404 > Project: Hadoop Common > Issue Type: Improvement > Components: security >Affects Versions: 2.2.0 >Reporter: Stephen Chu >Assignee: Stephen Chu >Priority: Minor > Labels: BB2015-05-TBR, supportability > Attachments: HADOOP-11404.001.patch > > > In {{ServiceAuthorizationManager#authorize}}, we throw an > {{AuthorizationException}} with message "expected client Kerberos principal > is null" when authorization fails. > However, this is a confusing log message, because it leads users to believe > there was a Kerberos authentication problem, when in fact the the user could > have authenticated successfully. > {code} > if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) > || >acls.length != 2 || !acls[0].isUserAllowed(user) || > acls[1].isUserAllowed(user)) { > AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol > + ", expected client Kerberos principal is " + clientPrincipal); > throw new AuthorizationException("User " + user + > " is not authorized for protocol " + protocol + > ", expected client Kerberos principal is " + clientPrincipal); > } > AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol); > {code} > In the above code, if clientPrincipal is null, then the user is authenticated > successfully but denied by a configured ACL, not a Kerberos issue. We should > improve this log message to state this. > Thanks to [~tlipcon] for finding this and proposing a fix. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the "expected client Kerberos principal is null" authorization message
[ https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Steve Loughran updated HADOOP-11404: Status: Patch Available (was: Open) +1 submitting a patch to make sure it takes and I'll commit it if all is well > Clarify the "expected client Kerberos principal is null" authorization message > -- > > Key: HADOOP-11404 > URL: https://issues.apache.org/jira/browse/HADOOP-11404 > Project: Hadoop Common > Issue Type: Improvement > Components: security >Affects Versions: 2.2.0 >Reporter: Stephen Chu >Assignee: Stephen Chu >Priority: Minor > Labels: BB2015-05-TBR, supportability > Attachments: HADOOP-11404.001.patch > > > In {{ServiceAuthorizationManager#authorize}}, we throw an > {{AuthorizationException}} with message "expected client Kerberos principal > is null" when authorization fails. > However, this is a confusing log message, because it leads users to believe > there was a Kerberos authentication problem, when in fact the the user could > have authenticated successfully. > {code} > if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) > || >acls.length != 2 || !acls[0].isUserAllowed(user) || > acls[1].isUserAllowed(user)) { > AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol > + ", expected client Kerberos principal is " + clientPrincipal); > throw new AuthorizationException("User " + user + > " is not authorized for protocol " + protocol + > ", expected client Kerberos principal is " + clientPrincipal); > } > AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol); > {code} > In the above code, if clientPrincipal is null, then the user is authenticated > successfully but denied by a configured ACL, not a Kerberos issue. We should > improve this log message to state this. > Thanks to [~tlipcon] for finding this and proposing a fix. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the expected client Kerberos principal is null authorization message
[ https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Allen Wittenauer updated HADOOP-11404: -- Labels: BB2015-05-TBR supportability (was: supportability) Clarify the expected client Kerberos principal is null authorization message -- Key: HADOOP-11404 URL: https://issues.apache.org/jira/browse/HADOOP-11404 Project: Hadoop Common Issue Type: Improvement Components: security Affects Versions: 2.2.0 Reporter: Stephen Chu Assignee: Stephen Chu Priority: Minor Labels: BB2015-05-TBR, supportability Attachments: HADOOP-11404.001.patch In {{ServiceAuthorizationManager#authorize}}, we throw an {{AuthorizationException}} with message expected client Kerberos principal is null when authorization fails. However, this is a confusing log message, because it leads users to believe there was a Kerberos authentication problem, when in fact the the user could have authenticated successfully. {code} if((clientPrincipal != null !clientPrincipal.equals(user.getUserName())) || acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) { AUDITLOG.warn(AUTHZ_FAILED_FOR + user + for protocol= + protocol + , expected client Kerberos principal is + clientPrincipal); throw new AuthorizationException(User + user + is not authorized for protocol + protocol + , expected client Kerberos principal is + clientPrincipal); } AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + for protocol=+protocol); {code} In the above code, if clientPrincipal is null, then the user is authenticated successfully but denied by a configured ACL, not a Kerberos issue. We should improve this log message to state this. Thanks to [~tlipcon] for finding this and proposing a fix. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the expected client Kerberos principal is null authorization message
[ https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Stephen Chu updated HADOOP-11404: - Description: In {{ServiceAuthorizationManager#authorize}}, we throw an {{AuthorizationException}} with message expected client Kerberos principal is null when authorization fails. However, this is a confusing log message, because it leads users to believe there was a Kerberos authentication problem, when in fact the the user could have authenticated successfully. {code} if((clientPrincipal != null !clientPrincipal.equals(user.getUserName())) || acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) { AUDITLOG.warn(AUTHZ_FAILED_FOR + user + for protocol= + protocol + , expected client Kerberos principal is + clientPrincipal); throw new AuthorizationException(User + user + is not authorized for protocol + protocol + , expected client Kerberos principal is + clientPrincipal); } AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + for protocol=+protocol); {code} In the above code, if clientPrincipal is null, then the user is authenticated successfully but denied by a configured ACL, not a Kerberos issue. We should improve this log message to state this. Thanks to [~tlipcon] for finding this and proposing a fix. was: In {{ServiceAuthorizationManager#authorize}}, we throw an {{AuthorizationException}} with message expected client Kerberos principal is null when authorization fails. However, this is a confusing log message, because it leads users to believe there was a Kerberos authentication problem, when in fact the the user could have authenticated successfully. {code} if((clientPrincipal != null !clientPrincipal.equals(user.getUserName())) || acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) { AUDITLOG.warn(AUTHZ_FAILED_FOR + user + for protocol= + protocol + , expected client Kerberos principal is + clientPrincipal); throw new AuthorizationException(User + user + is not authorized for protocol + protocol + , expected client Kerberos principal is + clientPrincipal); } AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + for protocol=+protocol); {code} In the above code, if clientPrincipal is null, then the user is authenticated successfully but denied by a configured ACL, not a Kerberos issue. We should improve this log message to state this. Clarify the expected client Kerberos principal is null authorization message -- Key: HADOOP-11404 URL: https://issues.apache.org/jira/browse/HADOOP-11404 Project: Hadoop Common Issue Type: Improvement Components: security Affects Versions: 2.2.0 Reporter: Stephen Chu Assignee: Stephen Chu Priority: Minor Labels: supportability In {{ServiceAuthorizationManager#authorize}}, we throw an {{AuthorizationException}} with message expected client Kerberos principal is null when authorization fails. However, this is a confusing log message, because it leads users to believe there was a Kerberos authentication problem, when in fact the the user could have authenticated successfully. {code} if((clientPrincipal != null !clientPrincipal.equals(user.getUserName())) || acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) { AUDITLOG.warn(AUTHZ_FAILED_FOR + user + for protocol= + protocol + , expected client Kerberos principal is + clientPrincipal); throw new AuthorizationException(User + user + is not authorized for protocol + protocol + , expected client Kerberos principal is + clientPrincipal); } AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + for protocol=+protocol); {code} In the above code, if clientPrincipal is null, then the user is authenticated successfully but denied by a configured ACL, not a Kerberos issue. We should improve this log message to state this. Thanks to [~tlipcon] for finding this and proposing a fix. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the expected client Kerberos principal is null authorization message
[ https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Stephen Chu updated HADOOP-11404: - Status: Patch Available (was: Open) Clarify the expected client Kerberos principal is null authorization message -- Key: HADOOP-11404 URL: https://issues.apache.org/jira/browse/HADOOP-11404 Project: Hadoop Common Issue Type: Improvement Components: security Affects Versions: 2.2.0 Reporter: Stephen Chu Assignee: Stephen Chu Priority: Minor Labels: supportability Attachments: HADOOP-11404.001.patch In {{ServiceAuthorizationManager#authorize}}, we throw an {{AuthorizationException}} with message expected client Kerberos principal is null when authorization fails. However, this is a confusing log message, because it leads users to believe there was a Kerberos authentication problem, when in fact the the user could have authenticated successfully. {code} if((clientPrincipal != null !clientPrincipal.equals(user.getUserName())) || acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) { AUDITLOG.warn(AUTHZ_FAILED_FOR + user + for protocol= + protocol + , expected client Kerberos principal is + clientPrincipal); throw new AuthorizationException(User + user + is not authorized for protocol + protocol + , expected client Kerberos principal is + clientPrincipal); } AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + for protocol=+protocol); {code} In the above code, if clientPrincipal is null, then the user is authenticated successfully but denied by a configured ACL, not a Kerberos issue. We should improve this log message to state this. Thanks to [~tlipcon] for finding this and proposing a fix. -- This message was sent by Atlassian JIRA (v6.3.4#6332)
[jira] [Updated] (HADOOP-11404) Clarify the expected client Kerberos principal is null authorization message
[ https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ] Stephen Chu updated HADOOP-11404: - Attachment: HADOOP-11404.001.patch Clarify the expected client Kerberos principal is null authorization message -- Key: HADOOP-11404 URL: https://issues.apache.org/jira/browse/HADOOP-11404 Project: Hadoop Common Issue Type: Improvement Components: security Affects Versions: 2.2.0 Reporter: Stephen Chu Assignee: Stephen Chu Priority: Minor Labels: supportability Attachments: HADOOP-11404.001.patch In {{ServiceAuthorizationManager#authorize}}, we throw an {{AuthorizationException}} with message expected client Kerberos principal is null when authorization fails. However, this is a confusing log message, because it leads users to believe there was a Kerberos authentication problem, when in fact the the user could have authenticated successfully. {code} if((clientPrincipal != null !clientPrincipal.equals(user.getUserName())) || acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) { AUDITLOG.warn(AUTHZ_FAILED_FOR + user + for protocol= + protocol + , expected client Kerberos principal is + clientPrincipal); throw new AuthorizationException(User + user + is not authorized for protocol + protocol + , expected client Kerberos principal is + clientPrincipal); } AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + for protocol=+protocol); {code} In the above code, if clientPrincipal is null, then the user is authenticated successfully but denied by a configured ACL, not a Kerberos issue. We should improve this log message to state this. Thanks to [~tlipcon] for finding this and proposing a fix. -- This message was sent by Atlassian JIRA (v6.3.4#6332)