[
https://issues.apache.org/jira/browse/HDDS-6609?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17533958#comment-17533958
]
Siyao Meng edited comment on HDDS-6609 at 5/9/22 6:45 PM:
----------------------------------------------------------
So do you mean returning short name will be better in this case? That might
leak server side auth_to_local config (security concern?).
Or we just don't print user name back to the client and simply say "Ozone admin
privilege required. Current login user is not an Ozone admin." Admins can still
tail the OM log and see what went wrong.
What do you think, [~ppogde]?
was (Author: smeng):
So do you mean returning short name will be better in this case? That might
leak server side auth_to_local config (security concern?). Or we just don't
print user name back to the client and simply say "Ozone admin privilege
required. Current login user is not an Ozone admin."
What do you think, [~ppogde]?
> [MultiTenancy] Kerberos principal should be replaced with actual user
> ---------------------------------------------------------------------
>
> Key: HDDS-6609
> URL: https://issues.apache.org/jira/browse/HDDS-6609
> Project: Apache Ozone
> Issue Type: Bug
> Components: Ozone CLI
> Affects Versions: 1.3.0
> Reporter: Soumitra Sulav
> Priority: Trivial
> Labels: ozone-multitenancy
>
> In many API outputs, the user name is printed as Kerberos Principal.
> Kerberos user with realm isn't an actual user and one might create an ozone
> admin with that user as per the console output.
> {code:java}
> bash-4.2$ ozone tenant create testing
> 2022-04-19 16:54:53,660 [main] INFO rpc.RpcClient: Creating Tenant:
> 'testing', with new volume: 'testing'
> PERMISSION_DENIED User 'testuser2/[email protected]' is not an Ozone admin.
> {code}
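The trade-off raised in this thread, as an added example that is not part of the Jira issue or of Ozone's code: a simplified model of auth_to_local mapping and the three candidate client messages, with the full identity kept in the server log only. The rule, realm, principal and the names `short_name` and `deny` are constructed for illustration; Hadoop's real rule engine handles more cases.

```python
import re

# Constructed, simplified model of Hadoop-style auth_to_local rules, each as
# (component_count, format, filter_regex, sed_pattern, sed_replacement).
# The entry below stands for RULE:[2:$1@$0](.*@EXAMPLE\.COM)s/@.*/_svc/
RULES = [(2, "$1@$0", r".*@EXAMPLE\.COM", r"@.*", "_svc")]
DEFAULT_REALM = "EXAMPLE.COM"
PRINCIPAL = "testuser2/host1.example.com@EXAMPLE.COM"  # constructed sample


def short_name(principal, rules=RULES, default_realm=DEFAULT_REALM):
    """Map a Kerberos principal to a local short name (simplified)."""
    name, _, realm = principal.partition("@")
    parts = name.split("/")
    for count, fmt, flt, pat, repl in rules:
        if len(parts) != count:
            continue
        # Build the rule's base string: $0 is the realm, $1.. the components.
        base = fmt.replace("$0", realm)
        for i, part in enumerate(parts, start=1):
            base = base.replace(f"${i}", part)
        if re.fullmatch(flt, base):
            return re.sub(pat, repl, base, count=1)
    if realm == default_realm:  # DEFAULT rule: keep the first component only
        return parts[0]
    raise ValueError("no auth_to_local rule applies")


def deny(principal, mode):
    """Return (client_message, server_log_line) for a failed admin check."""
    short = short_name(principal)
    # The server log keeps both forms so admins can still diagnose the denial.
    log = f"PERMISSION_DENIED principal={principal} short_name={short}"
    if mode == "principal":   # output reported in the issue
        msg = f"User '{principal}' is not an Ozone admin."
    elif mode == "short":     # shows the client the result of server mapping
        msg = f"User '{short}' is not an Ozone admin."
    else:                     # generic wording proposed in the comment
        msg = ("Ozone admin privilege required. "
               "Current login user is not an Ozone admin.")
    return msg, log


if __name__ == "__main__":
    for mode in ("principal", "short", "generic"):
        print(mode, "->", deny(PRINCIPAL, mode))
```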