aurora-issues mailing list archives

From "Benjamin Staffin (JIRA)" <j...@apache.org>
Subject [jira] [Created] (AURORA-1746) Shiro authorization errors could be friendlier
Date Mon, 08 Aug 2016 16:16:20 GMT
Benjamin Staffin created AURORA-1746:
----------------------------------------

             Summary: Shiro authorization errors could be friendlier
                 Key: AURORA-1746
                 URL: https://issues.apache.org/jira/browse/AURORA-1746
             Project: Aurora
          Issue Type: Story
          Components: Scheduler
            Reporter: Benjamin Staffin
            Priority: Minor


When the scheduler is configured to use Kerberos auth with Shiro, the error messages it returns
to clients are not as informative as they could be.  For example:

{code}
Subject org.apache.shiro.web.subject.support.WebDelegatingSubject@585fe96c is not permitted
to JobScopedRpcPermission{rpc=startJobUpdate, permittedJob=IJobKey{role=foo, environment=devel,
name=fancyjob}}
{code}

It would be very nice if the message masked the {{org.apache.shiro.web.subject[...]}} class
name and either (a) listed the actual subject/principal name of the client ({{username@SOME.REALM}}),
or (b) generically referred to "the client".

I would also suggest using the term "authorized" rather than "permitted".  This is probably
debatable, and the semantic difference is minimal, but to me the former more directly hints
at a thing that can be configured, whereas the current message might be misinterpreted to
mean something that cannot be done at all.

For bonus points, also rewrite the {{JobScopedRpcPermission}} part of the message to be friendlier.
That part at least includes enough details that an informed user could figure out what it
means after staring at it a bit.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
