Posted to issues@ozone.apache.org by "Siyao Meng (Jira)" <ji...@apache.org> on 2022/05/09 18:44:00 UTC

[jira] [Commented] (HDDS-6609) [MultiTenancy] Kerberos principal should be replaced with actual user

    [ https://issues.apache.org/jira/browse/HDDS-6609?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17533958#comment-17533958 ] 

Siyao Meng commented on HDDS-6609:
----------------------------------

So do you mean returning the short name will be better in this case? That might leak the server-side auth_to_local config (security concern?). Or we just don't print the user name back to the client and simply say "Ozone admin privilege required. Current login user is not an Ozone admin."

What do you think, [~ppogde]?

> [MultiTenancy] Kerberos principal should be replaced with actual user
> ---------------------------------------------------------------------
>
>                 Key: HDDS-6609
>                 URL: https://issues.apache.org/jira/browse/HDDS-6609
>             Project: Apache Ozone
>          Issue Type: Bug
>          Components: Ozone CLI
>    Affects Versions: 1.3.0
>            Reporter: Soumitra Sulav
>            Priority: Trivial
>              Labels: ozone-multitenancy
>
> In many API outputs, the user name is printed as Kerberos Principal.
> Kerberos user with realm isn't an actual user and one might create an ozone admin with that user as per the console output.
> {code:java}
> bash-4.2$ ozone tenant create testing
> 2022-04-19 16:54:53,660 [main] INFO rpc.RpcClient: Creating Tenant: 'testing', with new volume: 'testing'
> PERMISSION_DENIED User 'testuser2/scm@EXAMPLE.COM' is not an Ozone admin.
> {code}


