We saw that SDSC ran jobs under user_1@ospdevadmin, a user in their site's administrative tenant. To prevent this from happening, we'll implement these changes in the Java security code:
[ ] JWTValidateRequestFilter rejects any user JWT in a site-administrative tenant.
[ ] SK disallows the granting of the token_generator role for site-admin tenants.
When similar changes are made to the Python code, Tapis will prevent a user JWT in a site-admin tenant from being useful even if one is handcrafted.
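Both checks from the list above, shown together as an added example that is not Tapis code. The claim names `tapis/tenant_id` and `tapis/account_type`, the hard-coded tenant set, the helper names, and the HS256 demo key standing in for the real signature scheme are assumptions.

```python
import base64, hashlib, hmac, json

# Assumptions (not from the issue): claim names, the static tenant set and the
# HS256 demo key; a real service would look up tenants and verification keys.
SITE_ADMIN_TENANTS = {"ospdevadmin"}
KEY = b"constructed-demo-key"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def sign(head: str, body: str, key: bytes) -> str:
    return b64url(hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest())

def make_jwt(claims: dict, key: bytes = KEY) -> str:
    """Build a constructed token for the demo."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    return f"{head}.{body}.{sign(head, body, key)}"

def validate_request_jwt(token: str, key: bytes = KEY) -> dict:
    """Verify the signature first, then apply the site-admin tenant policy."""
    try:
        head, body, sig = token.split(".")
        # The algorithm is fixed by the verifier; the header's alg is never trusted.
        if not hmac.compare_digest(sign(head, body, key), sig):
            raise ValueError("bad signature")
        claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
        tenant, acct = str(claims["tapis/tenant_id"]), str(claims["tapis/account_type"])
    except (ValueError, TypeError, KeyError):
        raise PermissionError("invalid token") from None
    # A correctly signed user token is still refused in a site-admin tenant,
    # so a handcrafted one gains nothing; service tokens there keep working.
    if acct == "user" and tenant in SITE_ADMIN_TENANTS:
        raise PermissionError("user JWT not allowed in site-admin tenant")
    return claims

def grant_role(tenant: str, user: str, role: str) -> tuple:
    """SK-side check: token_generator is never granted in a site-admin tenant."""
    if role == "token_generator" and tenant in SITE_ADMIN_TENANTS:
        raise PermissionError("token_generator cannot be granted in a site-admin tenant")
    return (tenant, user, role)
```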