rgw: handle Swift auth errors in a way compatible with new Tempests.

We have to differentiate the error codes depending on whether user is
anonymous (401 Unauthorized) or he doesn't have necessary permissions
(403 Forbidden). The reason behind that is the change in Tempest. See
commit ID: 6b1cd29b763dbc556137c89c5fed54c624da7f69.

Fixes: http://tracker.ceph.com/issues/16590
Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>

diff --git a/src/rgw/rgw_auth_decoimpl.h b/src/rgw/rgw_auth_decoimpl.h
index fb232d91397d285dbb32b1cea4f1a1cf7088a73e..53625db767ca6f519e7a195384db8afc87707955 100644 (file)
--- a/src/rgw/rgw_auth_decoimpl.h
+++ b/src/rgw/rgw_auth_decoimpl.h
@@ -153,7 +153,11 @@ void RGWThirdPartyAccountAuthApplier<T>::load_acct_info(RGWUserInfo& user_info)
     if (ret < 0) {
       /* We aren't trying to recover from ENOENT here. It's supposed that creating
        * someone else's account isn't a thing we want to support in this filter. */
-      throw ret;
+      if (ret == -ENOENT) {
+        throw -EACCES;
+      } else {
+        throw ret;
+      }
     }
 
   }

diff --git a/src/rgw/rgw_http_errors.h b/src/rgw/rgw_http_errors.h
index 4e6107e1e4dc460829d3e22e74a02cdd1a0bd148..fec8b6f0ab03239f7fe287b8ee2969748a44f96b 100644 (file)
--- a/src/rgw/rgw_http_errors.h
+++ b/src/rgw/rgw_http_errors.h
@@ -71,7 +71,7 @@ const static struct rgw_http_errors RGW_HTTP_ERRORS[] = {
 };
 
 const static struct rgw_http_errors RGW_HTTP_SWIFT_ERRORS[] = {
-    { EACCES, 401, "AccessDenied" },
+    { EACCES, 403, "AccessDenied" },
     { EPERM, 401, "AccessDenied" },
     { ERR_USER_SUSPENDED, 401, "UserSuspended" },
     { ERR_INVALID_UTF8, 412, "Invalid UTF8" },

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index f198ea6c3093896c542b9f9f6cb03be8995d2cce..06c93c0bd7a31580b9d7b7ce7e895c9fdb1c6af6 100644 (file)
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -3051,7 +3051,7 @@ int RGWPutMetadataAccount::verify_permission()
    * override in rgw_process.cc. This is the way to specify a given RGWOp
    * expect extra privileges.  */
   if (new_quota_extracted) {
-    return -EPERM;
+    return -EACCES;
   }
 
   return 0;

diff --git a/src/rgw/rgw_rest_swift.cc b/src/rgw/rgw_rest_swift.cc
index 3a3537ba8027675eb26c79d388a0f3aaf619796c..9ff33fe7f04a039b528ca553ee9a6710ff921b2e 100644 (file)
--- a/src/rgw/rgw_rest_swift.cc
+++ b/src/rgw/rgw_rest_swift.cc
@@ -678,6 +678,20 @@ static int get_delete_at_param(req_state *s, real_time *delete_at)
   return 0;
 }
 
+int RGWPutObj_ObjStore_SWIFT::verify_permission()
+{
+  op_ret = RGWPutObj_ObjStore::verify_permission();
+
+  /* We have to differentiate error codes depending on whether user is
+   * anonymous (401 Unauthorized) or he doesn't have necessary permissions
+   * (403 Forbidden). */
+  if (s->auth_identity->is_anonymous() && op_ret == -EACCES) {
+    return -EPERM;
+  } else {
+    return op_ret;
+  }
+}
+
 int RGWPutObj_ObjStore_SWIFT::get_params()
 {
   if (s->has_bad_meta) {
@@ -968,6 +982,20 @@ static void bulkdelete_respond(const unsigned num_deleted,
   formatter.close_section();
 }
 
+int RGWDeleteObj_ObjStore_SWIFT::verify_permission()
+{
+  op_ret = RGWDeleteObj_ObjStore::verify_permission();
+
+  /* We have to differentiate error codes depending on whether user is
+   * anonymous (401 Unauthorized) or he doesn't have necessary permissions
+   * (403 Forbidden). */
+  if (s->auth_identity->is_anonymous() && op_ret == -EACCES) {
+    return -EPERM;
+  } else {
+    return op_ret;
+  }
+}
+
 int RGWDeleteObj_ObjStore_SWIFT::get_params()
 {
   const string& mm = s->info.args.get("multipart-manifest");

diff --git a/src/rgw/rgw_rest_swift.h b/src/rgw/rgw_rest_swift.h
index 0c4b1e25100cb113955a960bf0a4450a6e38b6f2..87b01e235f8b918712c240c7a81d80c90437842f 100644 (file)
--- a/src/rgw/rgw_rest_swift.h
+++ b/src/rgw/rgw_rest_swift.h
@@ -95,6 +95,7 @@ public:
   RGWPutObj_ObjStore_SWIFT() {}
   ~RGWPutObj_ObjStore_SWIFT() {}
 
+  int verify_permission() override;
   int get_params();
   void send_response();
 };
@@ -132,6 +133,7 @@ public:
   RGWDeleteObj_ObjStore_SWIFT() {}
   ~RGWDeleteObj_ObjStore_SWIFT() {}
 
+  int verify_permission() override;
   int get_params();
   bool need_object_expiration() { return true; }
   void send_response();