Ivan Andika created HDDS-15467:
----------------------------------
Summary: OmClientRequest#getUserInfoNotExists should not fallback to admin by default
Key: HDDS-15467
URL: https://issues.apache.org/jira/browse/HDDS-15467
Project: Apache Ozone
Issue Type: Improvement
Reporter: Ivan Andika
Assignee: Ivan Andika
Found a possible security issue where OmClientRequest#getUserInfoNotExists
might use an admin user (OM starter user) privilege if the client does not
specify any user info. I don't think normal clients will gain admin user
currently since both Hadoop RPC and gRPC clients should already have the user
info. However, I think it's best for getUserInfoNotExists to not fallback to
the admin user since if we make any changes in getUserInfo that causes
userInfo's remoteAddress and userInfo's username to not be set, it might cause
privilege escalations.
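The fail-open versus fail-closed choice the report describes, as an added illustration that is not Ozone code: a resolver that substitutes the OM starter identity when a request carries no (or incomplete) user info, beside one that rejects such a request. The `UserInfo` and `Request` records, the `OM_STARTER_ADMIN` constant and `MissingUserInfoException` are hypothetical stand-ins, not Ozone types.

```java
import java.util.Optional;

/**
 * Added illustration (not Ozone code). Contrasts a resolver that falls back
 * to the admin identity with one that fails closed when caller identity is
 * missing or incomplete. All types below are hypothetical stand-ins.
 */
public final class UserInfoResolution {

    /** Hypothetical: identity a client attaches to a request. */
    public record UserInfo(String userName, String remoteAddress) {}

    /** Hypothetical request carrier; userInfo may be absent. */
    public record Request(Optional<UserInfo> userInfo) {}

    /** Hypothetical: the identity the OM process itself was started as. */
    private static final UserInfo OM_STARTER_ADMIN = new UserInfo("om", "127.0.0.1");

    /** Thrown when a request carries no usable caller identity. */
    public static final class MissingUserInfoException extends RuntimeException {
        MissingUserInfoException(String msg) { super(msg); }
    }

    private static boolean isBlank(String s) {
        return s == null || s.isBlank();
    }

    // Risky pattern: if user info is absent, or a field such as userName or
    // remoteAddress was never populated, the request silently acquires the
    // admin identity. Any upstream change that stops setting those fields
    // turns into a privilege escalation.
    public static UserInfo resolveWithAdminFallback(Request req) {
        return req.userInfo()
            .filter(u -> !isBlank(u.userName()) && !isBlank(u.remoteAddress()))
            .orElse(OM_STARTER_ADMIN);
    }

    // Fail-closed pattern: the request is rejected unless both fields are
    // present and non-empty. Nothing ever defaults to a privileged identity,
    // so the same upstream change surfaces as a loud error, not silent admin.
    public static UserInfo resolveFailClosed(Request req) {
        UserInfo info = req.userInfo()
            .orElseThrow(() -> new MissingUserInfoException("request carries no user info"));
        if (isBlank(info.userName()) || isBlank(info.remoteAddress())) {
            throw new MissingUserInfoException("user info incomplete: " + info);
        }
        return info;
    }

    public static void main(String[] args) {
        // Constructed sample requests: none, partial and complete identity.
        Request anonymous = new Request(Optional.empty());
        Request partial = new Request(Optional.of(new UserInfo("alice", null)));
        Request complete = new Request(Optional.of(new UserInfo("alice", "10.0.0.5")));

        for (Request r : new Request[] {anonymous, partial, complete}) {
            System.out.println("fallback    -> " + resolveWithAdminFallback(r));
            try {
                System.out.println("fail-closed -> " + resolveFailClosed(r));
            } catch (MissingUserInfoException e) {
                System.out.println("fail-closed -> rejected: " + e.getMessage());
            }
        }
    }
}
```

Running `main` shows the two anonymous and partial requests resolving to `UserInfo[userName=om, remoteAddress=127.0.0.1]` under the fallback resolver, while the fail-closed resolver rejects both and only accepts the complete request.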
--
This message was sent by Atlassian Jira
(v8.20.10#820010)