HADOOP-11404. Clarify the "expected client Kerberos principal is null" authorization message. Contributed by Stephen Chu

(cherry picked from commit 318c9b68b0)
Harsh J 2016-03-10 17:05:09 +05:30
parent 95d30a6ec6
commit 2e32aa5475
1 changed files with 7 additions and 5 deletions


@ -116,11 +116,13 @@ public void authorize(UserGroupInformation user,
} }
if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) ||
acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) { acls.length != 2 || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol String cause = clientPrincipal != null ?
+ ", expected client Kerberos principal is " + clientPrincipal); ": this service is only accessible by " + clientPrincipal :
": denied by configured ACL";
AUDITLOG.warn(AUTHZ_FAILED_FOR + user
+ " for protocol=" + protocol + cause);
throw new AuthorizationException("User " + user + throw new AuthorizationException("User " + user +
" is not authorized for protocol " + protocol + " is not authorized for protocol " + protocol + cause);
", expected client Kerberos principal is " + clientPrincipal);
} }
if (addr != null) { if (addr != null) {
String hostAddress = addr.getHostAddress(); String hostAddress = addr.getHostAddress();
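Review bot: The new `cause` is chosen only by `clientPrincipal != null`, so a caller whose name matches the expected principal but who fails one of the ACL clauses (`acls.length != 2`, `!acls[0].isUserAllowed(user)`, `acls[1].isUserAllowed(user)`) is still logged as ": this service is only accessible by " followed by their own principal. That makes the audit record misleading for anyone triaging denials, because the ACL was the real reason. Deriving the text from the check that actually failed would fix it: `boolean principalMismatch = clientPrincipal != null && !clientPrincipal.equals(user.getUserName());` then `String cause = principalMismatch ? ": this service is only accessible by " + clientPrincipal : ": denied by configured ACL";`. The same `cause` is appended to the `AuthorizationException` message, so if that message is returned to the remote caller it discloses the expected principal name to an unauthorized user; consider keeping that detail in `AUDITLOG` only. `authorize` begins and ends outside this hunk, so how the exception is surfaced cannot be confirmed from here.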