smengcl commented on a change in pull request #3177:
URL: https://github.com/apache/ozone/pull/3177#discussion_r828296938
##########
File path:
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/OzoneManager.java
##########
@@ -3089,11 +3088,11 @@ public TenantUserList listUsersInTenant(String
tenantId, String prefix)
boolean lockAcquired =
metadataManager.getLock().acquireReadLock(VOLUME_LOCK, volumeName);
try {
- String userName = getRemoteUser().getUserName();
- if (!multiTenantManager.isTenantAdmin(userName, tenantId)
- && !omAdminUsernames.contains(userName)) {
- throw new IOException("Only tenant and ozone admins can access this " +
- "API. '" + userName + "' is not an admin.");
+ final UserGroupInformation ugi =
ProtobufRpcEngine.Server.getRemoteUser();
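Review bot: the added `ProtobufRpcEngine.Server.getRemoteUser()` call takes the caller identity straight from the RPC layer, and Hadoop's `Server.getRemoteUser()` returns null when no RPC call is in progress, so `ugi` should be null-checked before the authorization check dereferences it. The check that replaces the removed `isTenantAdmin` / `omAdminUsernames` test is not visible in this excerpt; please confirm it still rejects callers who are neither tenant admin nor Ozone admin, and that the denial message still names the rejected user.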
Review comment:
`listUsersInTenant` is only accessible from CLI right now.
This is not used in S3 Gateway. If in the future S3 Gateway is extended to
expose this functionality via some custom S3 action, then yes, the `ugi`
would become S3 Gateway's and it could be an issue.
If we do want to extend this, something similar to what `RpcClient#getDEK`
does can be added in these tenant calls that uses `getThreadLocalS3Auth() /
getS3Auth()` if not null instead of `ugi`.