HADOOP-11404. Clarify the "expected client Kerberos principal is null" authorization message. Contributed by Stephen Chu

2016-03-10 17:05:09 +05:30 · 2016-03-10 17:05:09 +05:30 · 318c9b68b0
commit 318c9b68b0
parent 2e040d31c7
1 changed files with 7 additions and 5 deletions
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/authorize/ServiceAuthorizationManager.java
@ -116,11 +116,13 @@ public void authorize(UserGroupInformation user,
    }
    if((clientPrincipal != null && !clientPrincipal.equals(user.getUserName())) || 
       acls.length != 2  || !acls[0].isUserAllowed(user) || acls[1].isUserAllowed(user)) {
-      AUDITLOG.warn(AUTHZ_FAILED_FOR + user + " for protocol=" + protocol
-          + ", expected client Kerberos principal is " + clientPrincipal);
-      throw new AuthorizationException("User " + user + 
-          " is not authorized for protocol " + protocol + 
-          ", expected client Kerberos principal is " + clientPrincipal);
+      String cause = clientPrincipal != null ?
+          ": this service is only accessible by " + clientPrincipal :
+          ": denied by configured ACL";
+      AUDITLOG.warn(AUTHZ_FAILED_FOR + user
+          + " for protocol=" + protocol + cause);
+      throw new AuthorizationException("User " + user +
+          " is not authorized for protocol " + protocol + cause);
    }
    if (addr != null) {
      String hostAddress = addr.getHostAddress();