hadoop-ozone-common is vulnerable to user impersonation. The vulnerability exists due to an insecure validation of owner field of S3AUTHINFO type delegation token, allowing authenticated users with valid Ozone S3 credentials to create specific OM requests and impersonate other user.