hadoop-common-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Stephen Chu (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (HADOOP-11404) Clarify the "expected client Kerberos principal is null" authorization message
Date Sun, 14 Dec 2014 17:16:13 GMT

    [ https://issues.apache.org/jira/browse/HADOOP-11404?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14245998#comment-14245998
] 

Stephen Chu commented on HADOOP-11404:
--------------------------------------

The findbugs warnings and TestOsSecureRandom are unrelated. No new test because this patch
changes only a log message.

> Clarify the "expected client Kerberos principal is null" authorization message
> ------------------------------------------------------------------------------
>
>                 Key: HADOOP-11404
>                 URL: https://issues.apache.org/jira/browse/HADOOP-11404
>             Project: Hadoop Common
>          Issue Type: Improvement
>          Components: security
>    Affects Versions: 2.2.0
>            Reporter: Stephen Chu
>            Assignee: Stephen Chu
>            Priority: Minor
>              Labels: supportability
>         Attachments: HADOOP-11404.001.patch
>
>
> In {{ServiceAuthorizationManager#authorize}}, we throw an {{AuthorizationException}}
with message "expected client Kerberos principal is null" when authorization fails.
> However, this is a confusing log message, because it leads users to believe there was
a Kerberos authentication problem, when in fact the the user could have authenticated successfully.
> {code}
> if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||

>        acls.length != 2  || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user))
{
>       AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
>           + ", expected client Kerberos principal is " + clientPrincipal);
>       throw new AuthorizationException("User " + user + 
>           " is not authorized for protocol " + protocol + 
>           ", expected client Kerberos principal is " + clientPrincipal);
>     }
>     AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol="+protocol);
> {code}
> In the above code, if clientPrincipal is null, then the user is authenticated successfully
but denied by a configured ACL, not a Kerberos issue. We should improve this log message to
state this.
> Thanks to [~tlipcon] for finding this and proposing a fix.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)

Mime
View raw message