diff --git a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
index 850f27c2fb..c360937baf 100644
--- a/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
+++ b/hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/security/SaslRpcClient.java
@@ -305,13 +305,16 @@ String getServerPrincipal(SaslAuth authType) throws IOException {
 authType.getProtocol() + "/" + authType.getServerId(),
 KerberosPrincipal.KRB_NT_SRV_HST).getName();
- boolean isPrincipalValid = false;
-
 // use the pattern if defined
 String serverKeyPattern = conf.get(serverKey + ".pattern");
 if (serverKeyPattern != null && !serverKeyPattern.isEmpty()) {
 Pattern pattern = GlobPattern.compile(serverKeyPattern);
- isPrincipalValid = pattern.matcher(serverPrincipal).matches();
+ if (!pattern.matcher(serverPrincipal).matches()) {
+ throw new IllegalArgumentException(String.format(
+ "Server has invalid Kerberos principal: %s,"
+ + " doesn't match the pattern: %s",
+ serverPrincipal, serverKeyPattern));
+ }
 } else {
 // check that the server advertised principal matches our conf
 String confPrincipal = SecurityUtil.getServerPrincipal(
@@ -330,11 +333,11 @@ String getServerPrincipal(SaslAuth authType) throws IOException {
 "Kerberos principal name does NOT have the expected hostname part: "
 + confPrincipal);
 }
- isPrincipalValid = serverPrincipal.equals(confPrincipal);
- }
- if (!isPrincipalValid) {
- throw new IllegalArgumentException(
- "Server has invalid Kerberos principal: " + serverPrincipal);
+ if (!serverPrincipal.equals(confPrincipal)) {
+ throw new IllegalArgumentException(String.format(
+ "Server has invalid Kerberos principal: %s, expecting: %s",
+ serverPrincipal, confPrincipal));
+ }
 }
 return serverPrincipal;
 }
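Review bot: Removing `isPrincipalValid` (initialised to `false` in this hunk, with its final `if (!isPrincipalValid)` guard dropped in the second hunk) takes away the method's fail-closed default: reaching `return serverPrincipal;` now only means that no branch threw. Both branches visible here do throw on a mismatch, so behaviour looks unchanged today, but a branch added later without its own check would return an unverified server principal. I would state the invariant next to the return, e.g. `// Reached only if a branch above verified serverPrincipal; any new branch must throw on mismatch.` The body of getServerPrincipal starts before this hunk, so earlier paths are not visible from here.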
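Review bot: The new `throw` in the `else` branch changes everything after the prefix `Server has invalid Kerberos principal: `, and the pattern branch in the first hunk now ends differently again, so a test or log alert that matches the old message in full would stop matching. This exception is the client's signal that a server advertised an unexpected principal, so it is worth keeping easy to match. If anything outside this diff asserts on the full string it needs the same update; a prefix check such as `e.getMessage().startsWith("Server has invalid Kerberos principal: ")` stays valid for both branches. No test change is visible in this diff, though it may be in a part of the commit not shown here.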