aurora-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Benjamin Staffin (JIRA)" <>
Subject [jira] [Created] (AURORA-1746) Shiro authorization errors could be friendlier
Date Mon, 08 Aug 2016 16:16:20 GMT
Benjamin Staffin created AURORA-1746:

             Summary: Shiro authorization errors could be friendlier
                 Key: AURORA-1746
             Project: Aurora
          Issue Type: Story
          Components: Scheduler
            Reporter: Benjamin Staffin
            Priority: Minor

When the scheduler is configured to use Kerberos auth with shiro, the error messages it returns
to clients are not as informative as they could be.  For example:

Subject is not permitted
to JobScopedRpcPermission{rpc=startJobUpdate, permittedJob=IJobKey{role=foo, environment=devel,

It would be very nice if the message masked the {{org.apache.shiro.web.subject[...]}} class
name and either (a) listed the actual subject/principal name of the client ({{username@SOME.REALM}}),
or (b) generically referred to "the client".

I would also suggest using the term "authorized" rather than "permitted".  This is probably
debatable, and the semantic difference is minimal, but to me the former more directly hints
at a thing that can be configured, whereas the current message might be misinterpreted to
mean something that cannot be done at all.

For bonus points, also rewrite the {{JobScopedRpcPermission}} part of the message to be friendlier.
 That part at least includes enough details that an informed user could figure out what it
means after staring at it a bit.

This message was sent by Atlassian JIRA

View raw message