smengcl commented on a change in pull request #2239:
URL: https://github.com/apache/ozone/pull/2239#discussion_r634774354
##########
File path:
hadoop-ozone/ozone-manager/src/main/java/org/apache/hadoop/ozone/om/request/s3/security/S3GetSecretRequest.java
##########
@@ -73,10 +73,14 @@ public OMRequest preExecute(OzoneManager ozoneManager)
throws IOException {
String kerberosID = s3GetSecretRequest.getKerberosID();
UserGroupInformation user = ProtobufRpcEngine.Server.getRemoteUser();
+ // Permission check. Users need to be themselves or have admin privilege
if (!user.getUserName().equals(kerberosID)) {
- throw new OMException("User mismatch. Requested user name is " +
- "mismatched " + kerberosID +", with current user " +
- user.getUserName(), OMException.ResultCodes.USER_MISMATCH);
+ if (!ozoneManager.isAdmin(kerberosID)) {
+ throw new OMException("Requested user name '" + kerberosID +
+ "' doesn't match current user '" + user.getUserName() +
+ "', nor does current user has administrator privilege.",
+ OMException.ResultCodes.USER_MISMATCH);
+ }
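Review bot: the admin check in this hunk is applied to the wrong principal. `ozoneManager.isAdmin(kerberosID)` tests whether the *requested* user is an admin, while the new comment ("Users need to be themselves or have admin privilege") and the exception text ("nor does current user has administrator privilege") both describe a check on the caller. As written, any authenticated user can obtain the S3 secret of a principal that happens to be an admin, and a non-admin caller is blocked only when the target is a non-admin. Pass the caller's identity instead, e.g. `if (!ozoneManager.isAdmin(user.getUserName())) {`, and fix the message grammar to "nor does the current user have administrator privilege".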
Review comment:
Hey @vivekratnavel, thanks for the comment. But the added `else`
wouldn't work because it is triggered when an admin is revoking another user's
secret. We want to allow admins to revoke other users' secrets; throwing an
exception would prevent this.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
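The "self or admin" rule discussed in this thread, written out as an added, stand-alone example (not Ozone's code and not the commenter's): a pure predicate that grants access when the caller is the target user or when the caller holds admin privilege, exercised against a few constructed caller/target pairs. The admin set, the principal names and the `mayAccessSecret` method are all assumptions made for the example; the one case worth noticing is the last one, where the target is an admin but the caller is not, which must be denied.

```java
import java.util.Set;

/**
 * Added example, not Ozone code: the "self or admin" permission check the
 * review comment describes, as a pure predicate so it can be exercised
 * against a few caller/target pairs. The admin set below is constructed.
 */
public final class SecretAccessCheck {

  /** Returns true when the caller may act on the target user's S3 secret. */
  static boolean mayAccessSecret(String caller, String target, Set<String> admins) {
    // A user may always operate on their own secret.
    if (caller.equals(target)) {
      return true;
    }
    // Otherwise the *caller* must hold admin privilege. Note which principal
    // is passed here: checking admins.contains(target) instead would let any
    // authenticated user act on an admin's secret.
    return admins.contains(caller);
  }

  public static void main(String[] args) {
    // Constructed sample data for the example.
    Set<String> admins = Set.of("om@EXAMPLE.COM");

    check(mayAccessSecret("alice@EXAMPLE.COM", "alice@EXAMPLE.COM", admins),
        "a user may access their own secret");
    check(mayAccessSecret("om@EXAMPLE.COM", "alice@EXAMPLE.COM", admins),
        "an admin may act on another user's secret");
    check(!mayAccessSecret("alice@EXAMPLE.COM", "bob@EXAMPLE.COM", admins),
        "a non-admin may not act on another user's secret");
    check(!mayAccessSecret("alice@EXAMPLE.COM", "om@EXAMPLE.COM", admins),
        "the target being an admin grants the caller nothing");
    System.out.println("all checks passed");
  }

  private static void check(boolean ok, String what) {
    if (!ok) {
      throw new AssertionError(what);
    }
  }
}
```

Compile and run with `javac SecretAccessCheck.java && java SecretAccessCheck` (Java 9 or newer for `Set.of`). The predicate is deliberately written with the caller as the only principal whose privilege is consulted; the target user's role never affects the decision.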