rgw: allow user disabling presigned urls in rgw configuration

Fixes: https://tracker.ceph.com/issues/64797
Signed-off-by: Marc Singer <marc@singer.services>
(cherry picked from commit 5e7a78c)

 Conflicts:
        src/rgw/rgw_auth.cc
        src/rgw/rgw_common.h
- quincy does not do signature url expiration check; removed

diff --git a/src/common/options/rgw.yaml.in b/src/common/options/rgw.yaml.in
index e82a0147b1caa605c6009bf4dea77a861ae4dff2..b908b7bd8a05aed0b5c30a351e1c3969bbb5d4de 100644 (file)
--- a/src/common/options/rgw.yaml.in
+++ b/src/common/options/rgw.yaml.in
@@ -871,6 +871,14 @@ options:
   services:
   - rgw
   with_legacy: true
+- name: rgw_s3_auth_disable_signature_url
+  type: bool
+  level: advanced
+  desc: Should authentification with presigned URLs be disabled
+  long_desc: 'If enabled, any request that is presigned with either V2 or V4 signature will be denied'
+  default: false
+  services:
+  - rgw
 - name: rgw_barbican_url
   type: str
   level: advanced

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 369627c6d7b8b5b8ac7788a6c042e5971809d5d7..e5925ee5f8e8f182bbc435be50896f596c8fde55 100644 (file)
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -299,6 +299,11 @@ rgw::auth::Strategy::apply(const DoutPrefixProvider *dpp, const rgw::auth::Strat
        * nullptr inside. */
       ldpp_dout(dpp, 5) << "Failed the auth strategy, reason="
                        << result.get_reason() << dendl;
+      // Special handling for disabled presigned URL
+      if (result.get_reason() == ERR_PRESIGNED_URL_DISABLED) {
+        result = result_t::deny(-EPERM);
+        set_req_state_err(s, -EPERM, "Presigned URLs are disabled by admin");
+      }
       return result.get_reason();
     }
 

diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index c6f79c35fa852cb318ef36722a7f7bc3e2d022a9..ac02c85558d8e6e351cdb6624a83b61ee924020e 100644 (file)
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -266,6 +266,7 @@ using ceph::crypto::MD5;
 #define ERR_OBJECT_NOT_APPENDABLE                        2220
 #define ERR_INVALID_BUCKET_STATE                         2221
 #define ERR_INVALID_OBJECT_STATE                        2222
+#define ERR_PRESIGNED_URL_DISABLED     2223
 
 #define ERR_BUSY_RESHARDING      2300
 #define ERR_NO_SUCH_ENTITY       2301

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index bda2f2f3c511fac5992b9bb62ae975934dcf43b4..c019f0607e713598c89214189fa5a49689d4c464 100644 (file)
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -5439,13 +5439,18 @@ AWSGeneralAbstractor::get_auth_data(const req_state* const s) const
   AwsRoute route;
   std::tie(version, route) = discover_aws_flavour(s->info);
 
-  if (version == AwsVersion::V2) {
-    return get_auth_data_v2(s);
-  } else if (version == AwsVersion::V4) {
-    return get_auth_data_v4(s, route == AwsRoute::QUERY_STRING);
+  if (! s->cct->_conf->rgw_s3_auth_disable_signature_url) {
+    if (version == AwsVersion::V2) {
+      return get_auth_data_v2(s);
+    } else if (version == AwsVersion::V4) {
+      return get_auth_data_v4(s, route == AwsRoute::QUERY_STRING);
+    } else {
+      /* FIXME(rzarzynski): handle anon user. */
+      throw -EINVAL;
+    }
   } else {
-    /* FIXME(rzarzynski): handle anon user. */
-    throw -EINVAL;
+    ldpp_dout(s, 0) << "Presigned URLs are disabled by admin" << dendl;
+    throw -ERR_PRESIGNED_URL_DISABLED;
   }
 }