Hadoop Common / HADOOP-11404

Clarify the "expected client Kerberos principal is null" authorization message

    Details

      Description

      In ServiceAuthorizationManager#authorize, we throw an AuthorizationException with message "expected client Kerberos principal is null" when authorization fails.

      However, this is a confusing log message, because it leads users to believe there was a Kerberos authentication problem, when in fact the user could have authenticated successfully.

          if ((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||
              acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
            AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
                + ", expected client Kerberos principal is " + clientPrincipal);
            throw new AuthorizationException("User " + user +
                " is not authorized for protocol " + protocol +
                ", expected client Kerberos principal is " + clientPrincipal);
          }
          AUDITLOG.info(AUTHZ_SUCCESSFUL_FOR + user + " for protocol=" + protocol);
      

      In the above code, if clientPrincipal is null, then the user is authenticated successfully but denied by a configured ACL, not a Kerberos issue. We should improve this log message to state this.

      Thanks to Todd Lipcon for finding this and proposing a fix.
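
An added example, not part of the original issue or its attached patches: a self-contained Java program that keeps the same four checks as the snippet above but reports each failure cause separately, so a null expected principal is never logged as a Kerberos problem. The `Acl` record, the exception class, the message wording, and the sample users, protocol name and principal are stand-ins assumed for illustration, not Hadoop's API.

```java
import java.util.Set;

// Added illustration with stand-in types; this is not Hadoop's ServiceAuthorizationManager.
public class AuthzMessageDemo {
    /** Hypothetical stand-in for an access control list. */
    record Acl(Set<String> users) {
        boolean isUserAllowed(String user) { return users.contains(user); }
    }

    static class AuthorizationException extends Exception {
        AuthorizationException(String msg) { super(msg); }
    }

    // Same checks as the snippet above: acls[0] must allow the user and
    // acls[1] must not match the user. Each failure cause gets its own message.
    static void authorize(String user, String protocol,
            String clientPrincipal, Acl[] acls) throws AuthorizationException {
        String cause = null;
        if (clientPrincipal != null && !clientPrincipal.equals(user)) {
            cause = "expected client Kerberos principal is " + clientPrincipal;
        } else if (acls.length != 2) {
            cause = "service ACLs are misconfigured";
        } else if (!acls[0].isUserAllowed(user)) {
            cause = "denied by configured ACL (user not in allowed list)";
        } else if (acls[1].isUserAllowed(user)) {
            cause = "denied by configured ACL (user in blocked list)";
        }
        if (cause != null) {
            throw new AuthorizationException("User " + user
                + " is not authorized for protocol " + protocol + ": " + cause);
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: "bob" authenticated fine but is absent from the allowed list.
        Acl[] acls = { new Acl(Set.of("alice")), new Acl(Set.of()) };
        String[][] cases = { {"alice", null}, {"bob", null}, {"bob", "svc/host@EXAMPLE.COM"} };
        for (String[] c : cases) {
            try {
                authorize(c[0], "ClientProtocol", c[1], acls);
                System.out.println(c[0] + ": authorized");
            } catch (AuthorizationException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

Only the third case mentions Kerberos in its message; the second case, which the original message would have reported as "expected client Kerberos principal is null", is reported as an ACL denial.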

        Attachments

        1. HADOOP-11404.003.patch
          2 kB
          Harsh J
        2. HADOOP-11404.002.patch
          2 kB
          Harsh J
        3. HADOOP-11404.001.patch
          2 kB
          Stephen Chu

              People

              • Assignee:
                schu Stephen Chu
                Reporter:
                schu Stephen Chu