diff --git a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityClient.java b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityClient.java
index 6ac1d3f395c..6eafb6fb912 100644
--- a/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityClient.java
+++ b/hbase-client/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityClient.java
@@ -92,7 +92,11 @@ public class VisibilityClient {
             }
           }
           service.addLabels(controller, builder.build(), rpcCallback);
-          return rpcCallback.get();
+          VisibilityLabelsResponse response = rpcCallback.get();
+          if (controller.failedOnException()) {
+            throw controller.getFailedOn();
+          }
+          return response;
         }
       };
       Map<byte[], VisibilityLabelsResponse> result = ht.coprocessorService(
@@ -140,7 +144,11 @@ public class VisibilityClient {
           GetAuthsRequest.Builder getAuthReqBuilder = GetAuthsRequest.newBuilder();
           getAuthReqBuilder.setUser(ByteStringer.wrap(Bytes.toBytes(user)));
           service.getAuths(controller, getAuthReqBuilder.build(), rpcCallback);
-          return rpcCallback.get();
+          GetAuthsResponse response = rpcCallback.get();
+          if (controller.failedOnException()) {
+            throw controller.getFailedOn();
+          }
+          return response;
         }
       };
       Map<byte[], GetAuthsResponse> result = ht.coprocessorService(VisibilityLabelsService.class,
@@ -191,7 +199,11 @@ public class VisibilityClient {
           } else {
             service.clearAuths(controller, setAuthReqBuilder.build(), rpcCallback);
           }
-          return rpcCallback.get();
+          VisibilityLabelsResponse response = rpcCallback.get();
+          if (controller.failedOnException()) {
+            throw controller.getFailedOn();
+          }
+          return response;
         }
       };
       Map<byte[], VisibilityLabelsResponse> result = ht.coprocessorService(
diff --git a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
index 4986e0ffdb0..b7d46bc640b 100644
--- a/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
+++ b/hbase-server/src/main/java/org/apache/hadoop/hbase/security/visibility/VisibilityController.java
@@ -740,7 +740,7 @@ public class VisibilityController extends BaseMasterAndRegionObserver implements
           User requestingUser = VisibilityUtils.getActiveUser();
           throw new AccessDeniedException("User '"
               + (requestingUser != null ? requestingUser.getShortName() : "null")
-              + " is not authorized to perform this action.");
+              + "' is not authorized to perform this action.");
         }
         labels = this.visibilityLabelService.getAuths(user, false);
       } catch (IOException e) {