Add it back to OBO and take away from api token

Signed-off-by: Derek Ho <[email protected]>
derek-ho · Dec 20, 2024 · 7ab4a2a · 7ab4a2a
1 parent 09018dc
commit 7ab4a2a
Showing 1 changed file with 3 additions and 3 deletions.
diff --git a/src/main/java/org/opensearch/security/identity/SecurityTokenManager.java b/src/main/java/org/opensearch/security/identity/SecurityTokenManager.java
@@ -118,6 +118,9 @@ public ExpiringBearerAuthToken issueOnBehalfOfToken(final Subject subject, final
         }
 
         final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
+        if (user == null) {
+            throw new OpenSearchSecurityException("Unsupported user to generate OnBehalfOfToken");
+        }
 
         final TransportAddress callerAddress = null; /* OBO tokens must not roles based on location from network address */
         final Set<String> mappedRoles = configModel.mapSecurityRoles(user, callerAddress);
@@ -145,9 +148,6 @@ public ExpiringBearerAuthToken issueApiToken(
         final List<ApiToken.IndexPermission> indexPermissions
     ) {
         final User user = threadPool.getThreadContext().getTransient(ConfigConstants.OPENDISTRO_SECURITY_USER);
-        if (user == null) {
-            throw new OpenSearchSecurityException("Unsupported user to generate Api Token");
-        }
 
         try {
             return apiTokenJwtVendor.createJwt(cs.getClusterName().value(), name, name, expiration, clusterPermissions, indexPermissions);