Soumitra Sulav created HDDS-6693:
------------------------------------
Summary: [MultiTenancy] User info should have limited access except for admin
Key: HDDS-6693
URL: https://issues.apache.org/jira/browse/HDDS-6693
Project: Apache Ozone
Issue Type: Bug
Components: Ozone Manager
Affects Versions: 1.3.0
Reporter: Soumitra Sulav
Currently, the user info API can be accessed by any user to get tenant information, even by non-admin users.
{code:bash}
bash-4.2$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: testuser2/[email protected]

Valid starting       Expires              Service principal
05/03/22 12:33:03    05/04/22 12:33:03    krbtgt/[email protected]
	renew until 05/10/22 12:33:03
bash-4.2$ ozone tenant user info testuser2 om testuser
User 'testuser2' is assigned to:
- Tenant 'tenantone' with accessId 'tenantone$testuser2'
User 'om' is assigned to:
- Tenant 'tenantone' with accessId 'tenantone$om'
User 'testuser' is assigned to:
- Tenant 'tenantone' delegated admin with accessId 'tenantone$testuser'
{code}
The information should be limited to the caller's own user principal, or the call should only be allowed for the admin user.
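The following is an added illustration, not Apache Ozone's own code, of the authorization rule the issue asks for: an Ozone admin may query any user's tenant assignments, while every other caller may only query their own principal and the request is rejected as a whole (fail closed) if it names anyone else. The tenant data is reconstructed from the command output above; the admin list and the principal-to-username mapping (a simplified stand-in for Hadoop's auth_to_local rules) are assumptions for the demo.

```python
"""Model of a caller-aware `tenant user info` check (added example, not Ozone code)."""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Assignment:
    tenant: str
    access_id: str
    delegated_admin: bool = False


# Constructed from the `ozone tenant user info` output quoted in the issue.
TENANT_USERS: Dict[str, List[Assignment]] = {
    "testuser2": [Assignment("tenantone", "tenantone$testuser2")],
    "om": [Assignment("tenantone", "tenantone$om")],
    "testuser": [Assignment("tenantone", "tenantone$testuser", delegated_admin=True)],
}

# Assumption for this demo: the set of Ozone admins. In a real deployment this
# would come from the cluster's admin configuration, not a hard-coded set.
OZONE_ADMINS = {"om"}


class PermissionDenied(Exception):
    """Raised when a non-admin asks for another user's tenant assignments."""


def short_name(principal: str) -> str:
    """Reduce 'user/host@REALM' or 'user@REALM' to 'user'.

    Simplified stand-in for Hadoop's auth_to_local rules (an assumption);
    the real mapping is rule-driven and may differ.
    """
    return principal.split("@", 1)[0].split("/", 1)[0]


def user_info(caller_principal: str, requested_users: List[str]) -> Dict[str, List[Assignment]]:
    """Return tenant assignments for `requested_users`, subject to the caller's rights.

    Admins may look up anyone. Everyone else may only look up themselves, and a
    single foreign name in the request rejects the whole request before any
    data is returned, so partial disclosure is not possible.
    """
    caller = short_name(caller_principal)
    is_admin = caller in OZONE_ADMINS

    for user in requested_users:
        if not is_admin and user != caller:
            raise PermissionDenied(
                f"'{caller}' is not an Ozone admin and may only query itself, not '{user}'"
            )

    # Unknown users yield an empty list rather than an error, so the response
    # does not leak whether an arbitrary name exists (only admins reach here
    # with foreign names anyway).
    return {user: list(TENANT_USERS.get(user, [])) for user in requested_users}


if __name__ == "__main__":
    # Constructed principals for the demo (realm and host are placeholders).
    try:
        user_info("testuser2/host.example.com@EXAMPLE.COM", ["testuser2", "om", "testuser"])
    except PermissionDenied as exc:
        print("denied:", exc)
    for user, assignments in user_info("om/host.example.com@EXAMPLE.COM", ["testuser2", "om", "testuser"]).items():
        print(f"User '{user}' is assigned to:")
        for a in assignments:
            role = "delegated admin " if a.delegated_admin else ""
            print(f"- Tenant '{a.tenant}' {role}with accessId '{a.access_id}'")
```

With this rule in place, the session from the issue (ticket for testuser2, query for testuser2, om and testuser) is rejected outright instead of listing all three users; only the admin path reproduces the full output.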
--
This message was sent by Atlassian Jira
(v8.20.7#820007)