Benjamin Staffin created AURORA-1746:
----------------------------------------

Summary: Shiro authorization errors could be friendlier
Key: AURORA-1746
URL: https://issues.apache.org/jira/browse/AURORA-1746
Project: Aurora
Issue Type: Story
Components: Scheduler
Reporter: Benjamin Staffin
Priority: Minor

When the scheduler is configured to use Kerberos auth with Shiro, the error messages it returns to clients are not as informative as they could be. For example:

{code}
Subject org.apache.shiro.web.subject.support.WebDelegatingSubject@585fe96c is not permitted to JobScopedRpcPermission{rpc=startJobUpdate, permittedJob=IJobKey{role=foo, environment=devel, name=fancyjob}}
{code}

It would be very nice if the message masked the {{org.apache.shiro.web.subject[...]}} class name and either (a) listed the actual subject/principal name of the client ({{username@SOME.REALM}}), or (b) generically referred to "the client".

I would also suggest using the term "authorized" rather than "permitted". This is probably debatable, and the semantic difference is minimal, but to me the former more directly hints at a thing that can be configured, whereas the current message might be misinterpreted to mean something that cannot be done at all.

For bonus points, also rewrite the {{JobScopedRpcPermission}} part of the message to be friendlier. That part at least includes enough details that an informed user could figure out what it means after staring at it a bit.