In ServiceAuthorizationManager#authorize, we throw an AuthorizationException with message "expected client Kerberos principal is null" when authorization fails.
However, this is a confusing log message, because it leads users to believe there was a Kerberos authentication problem, when in fact the the user could have authenticated successfully.
In the above code, if clientPrincipal is null, then the user is authenticated successfully but denied by a configured ACL, not a Kerberos issue. We should improve this log message to state this.
Thanks to Todd Lipcon for finding this and proposing a fix.