for (auto& p : ids) {
if (p.is_wildcard()) {
return true;
- } else if (p.is_tenant() && p.get_tenant() == id.tenant) {
+ } else if (p.is_account() && p.get_account() == id.tenant) {
return true;
} else if (p.is_user() &&
- (p.get_tenant() == id.tenant) &&
+ (p.get_account() == id.tenant) &&
(p.get_id() == id.id)) {
return true;
}
// We also need to cover cases where rgw_keystone_implicit_tenants
// was enabled. */
- } else if (id.is_tenant() &&
+ } else if (id.is_account() &&
(info.acct_user.tenant.empty() ?
info.acct_user.id :
- info.acct_user.tenant) == id.get_tenant()) {
+ info.acct_user.tenant) == id.get_account()) {
return true;
} else if (id.is_user() &&
info.acct_user.id == id.get_id() &&
(info.acct_user.tenant.empty() ?
info.acct_user.id :
- info.acct_user.tenant) == id.get_tenant()) {
+ info.acct_user.tenant) == id.get_account()) {
return true;
}
}
for (auto& id : ids) {
if (id.is_wildcard()) {
return true;
- } else if (id.is_tenant() &&
- id.get_tenant() == user_info.user_id.tenant) {
+ } else if (id.is_account() &&
+ id.get_account() == user_info.user_id.tenant) {
return true;
} else if (id.is_user() &&
- (id.get_tenant() == user_info.user_id.tenant)) {
+ (id.get_account() == user_info.user_id.tenant)) {
if (id.get_id() == user_info.user_id.id) {
return true;
}
return true;
} else if (p.is_role()) {
string name = p.get_id();
- string tenant = p.get_tenant();
+ string tenant = p.get_account();
if (name == role.name && tenant == role.tenant) {
return true;
}
} else if (p.is_assumed_role()) {
- string tenant = p.get_tenant();
+ string tenant = p.get_account();
string role_session = role.name + "/" + token_attrs.role_session_name; //role/role-session
if (role.tenant == tenant && role_session == p.get_role_session()) {
return true;
}
} else {
string id = p.get_id();
- string tenant = p.get_tenant();
+ string tenant = p.get_account();
string oidc_id;
if (token_attrs.user_id.ns.empty()) {
oidc_id = token_attrs.user_id.id;
return m << "*";
}
- m << "arn:aws:iam:" << p.get_tenant() << ":";
- if (p.is_tenant()) {
+ m << "arn:aws:iam:" << p.get_account() << ":";
+ if (p.is_account()) {
return m << "root";
}
return m << (p.is_user() ? "user/" : "role/") << p.get_id();
namespace rgw {
namespace auth {
class Principal {
- enum types { User, Role, Tenant, Wildcard, OidcProvider, AssumedRole };
+ enum types { User, Role, Account, Wildcard, OidcProvider, AssumedRole };
types t;
rgw_user u;
std::string idp_url;
return Principal(Role, std::move(t), std::move(u));
}
- static Principal tenant(std::string&& t) {
- return Principal(Tenant, std::move(t), {});
+ static Principal account(std::string&& t) {
+ return Principal(Account, std::move(t), {});
}
static Principal oidc_provider(std::string&& idp_url) {
return t == Role;
}
- bool is_tenant() const {
- return t == Tenant;
+ bool is_account() const {
+ return t == Account;
}
bool is_oidc_provider() const {
return t == AssumedRole;
}
- const std::string& get_tenant() const {
+ const std::string& get_account() const {
return u.tenant;
}
// AWS and Federated ARNs
if (auto a = ARN::parse(s)) {
if (a->resource == "root") {
- return Principal::tenant(std::move(a->account));
+ return Principal::account(std::move(a->account));
}
static const char rx_str[] = "([^/]*)/(.*)";
// Since tenants are simply prefixes, there's no really good
// way to see if one exists or not. So we return the thing and
// let them try to match against it.
- return Principal::tenant(std::move(s));
+ return Principal::account(std::move(s));
}
if (errmsg)
*errmsg =
EXPECT_FALSE(p->statements[0].princ.empty());
EXPECT_EQ(p->statements[0].princ.size(), 1U);
EXPECT_EQ(*p->statements[0].princ.begin(),
- Principal::tenant("ACCOUNT-ID-WITHOUT-HYPHENS"));
+ Principal::account("ACCOUNT-ID-WITHOUT-HYPHENS"));
EXPECT_TRUE(p->statements[0].noprinc.empty());
EXPECT_EQ(p->statements[0].effect, Effect::Allow);
Action_t act;
Environment e;
auto trueacct = FakeIdentity(
- Principal::tenant("ACCOUNT-ID-WITHOUT-HYPHENS"));
+ Principal::account("ACCOUNT-ID-WITHOUT-HYPHENS"));
auto notacct = FakeIdentity(
- Principal::tenant("some-other-account"));
+ Principal::account("some-other-account"));
for (auto i = 0ULL; i < s3All; ++i) {
ARN arn1(Partition::aws, Service::s3,
"", arbitrary_tenant, "mybucket");
EXPECT_EQ(p->statements[0].resource.begin()->resource, "mybucket/*");
EXPECT_TRUE(p->statements[0].princ.begin()->is_user());
EXPECT_FALSE(p->statements[0].princ.begin()->is_wildcard());
- EXPECT_EQ(p->statements[0].princ.begin()->get_tenant(), "");
+ EXPECT_EQ(p->statements[0].princ.begin()->get_account(), "");
EXPECT_EQ(p->statements[0].princ.begin()->get_id(), "A:subA");
EXPECT_TRUE(p->statements[0].notresource.empty());
EXPECT_TRUE(p->statements[0].conditions.empty());
blocklistedIPv6.emplace("aws:SourceIp", "2001:0db8:85a3:0000:0000:8a2e:0370:7334");
auto trueacct = FakeIdentity(
- Principal::tenant("ACCOUNT-ID-WITHOUT-HYPHENS"));
+ Principal::account("ACCOUNT-ID-WITHOUT-HYPHENS"));
// Without an IP address in the environment then evaluation will always pass
ARN arn1(Partition::aws, Service::s3,
"", arbitrary_tenant, "example_bucket");