_add_grant(grant);
}
-uint32_t RGWAccessControlList::get_perm(const rgw::auth::Identity& auth_identity,
+uint32_t RGWAccessControlList::get_perm(const DoutPrefixProvider* dpp,
+ const rgw::auth::Identity& auth_identity,
const uint32_t perm_mask)
{
- ldout(cct, 5) << "Searching permissions for identity=" << auth_identity
+ ldpp_dout(dpp, 5) << "Searching permissions for identity=" << auth_identity
<< " mask=" << perm_mask << dendl;
- return perm_mask & auth_identity.get_perms_from_aclspec(acl_user_map);
+ return perm_mask & auth_identity.get_perms_from_aclspec(dpp, acl_user_map);
}
uint32_t RGWAccessControlList::get_group_perm(ACLGroupTypeEnum group,
return referer_perm & perm_mask;
}
-uint32_t RGWAccessControlPolicy::get_perm(const rgw::auth::Identity& auth_identity,
+uint32_t RGWAccessControlPolicy::get_perm(const DoutPrefixProvider* dpp,
+ const rgw::auth::Identity& auth_identity,
const uint32_t perm_mask,
const char * const http_referer)
{
- ldout(cct, 20) << "-- Getting permissions begin with perm_mask=" << perm_mask
+ ldpp_dout(dpp, 20) << "-- Getting permissions begin with perm_mask=" << perm_mask
<< dendl;
- uint32_t perm = acl.get_perm(auth_identity, perm_mask);
+ uint32_t perm = acl.get_perm(dpp, auth_identity, perm_mask);
if (auth_identity.is_owner_of(owner.get_id())) {
perm |= perm_mask & (RGW_PERM_READ_ACP | RGW_PERM_WRITE_ACP);
perm = acl.get_referer_perm(perm, http_referer, perm_mask);
}
- ldout(cct, 5) << "-- Getting permissions done for identity=" << auth_identity
+ ldpp_dout(dpp, 5) << "-- Getting permissions done for identity=" << auth_identity
<< ", owner=" << owner.get_id()
<< ", perm=" << perm << dendl;
return perm;
}
-bool RGWAccessControlPolicy::verify_permission(const rgw::auth::Identity& auth_identity,
+bool RGWAccessControlPolicy::verify_permission(const DoutPrefixProvider* dpp,
+ const rgw::auth::Identity& auth_identity,
const uint32_t user_perm_mask,
const uint32_t perm,
const char * const http_referer)
{
uint32_t test_perm = perm | RGW_PERM_READ_OBJS | RGW_PERM_WRITE_OBJS;
- uint32_t policy_perm = get_perm(auth_identity, test_perm, http_referer);
+ uint32_t policy_perm = get_perm(dpp, auth_identity, test_perm, http_referer);
/* the swift WRITE_OBJS perm is equivalent to the WRITE obj, just
convert those bits. Note that these bits will only be set on
uint32_t acl_perm = policy_perm & perm & user_perm_mask;
- ldout(cct, 10) << " identity=" << auth_identity
+ ldpp_dout(dpp, 10) << " identity=" << auth_identity
<< " requested perm (type)=" << perm
<< ", policy perm=" << policy_perm
<< ", user_perm_mask=" << user_perm_mask
virtual ~RGWAccessControlList() {}
- uint32_t get_perm(const rgw::auth::Identity& auth_identity,
+ uint32_t get_perm(const DoutPrefixProvider* dpp,
+ const rgw::auth::Identity& auth_identity,
uint32_t perm_mask);
uint32_t get_group_perm(ACLGroupTypeEnum group, uint32_t perm_mask);
uint32_t get_referer_perm(uint32_t current_perm,
acl.set_ctx(ctx);
}
- uint32_t get_perm(const rgw::auth::Identity& auth_identity,
+ uint32_t get_perm(const DoutPrefixProvider* dpp,
+ const rgw::auth::Identity& auth_identity,
uint32_t perm_mask,
const char * http_referer);
uint32_t get_group_perm(ACLGroupTypeEnum group, uint32_t perm_mask);
- bool verify_permission(const rgw::auth::Identity& auth_identity,
+ bool verify_permission(const DoutPrefixProvider* dpp,
+ const rgw::auth::Identity& auth_identity,
uint32_t user_perm_mask,
uint32_t perm,
const char * http_referer = nullptr);
type(type) {
}
- uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override {
+ uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
return rgw_perms_from_aclspec_default_strategy(id, aclspec);
}
/* Account used by a given RGWOp is decoupled from identity employed
* in the authorization phase (RGWOp::verify_permissions). */
- applier->load_acct_info(*s->user);
+ applier->load_acct_info(dpp, *s->user);
s->perm_mask = applier->get_perm_mask();
/* This is the single place where we pass req_state as a pointer
* to non-const and thus its modification is allowed. In the time
* of writing only RGWTempURLEngine needed that feature. */
- applier->modify_request_state(s);
+ applier->modify_request_state(dpp, s);
if (completer) {
- completer->modify_request_state(s);
+ completer->modify_request_state(dpp, s);
}
s->auth.identity = std::move(applier);
/* rgw::auth::RemoteAuthApplier */
-uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const aclspec_t& aclspec) const
+uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const
{
uint32_t perm = 0;
perm |= extra_acl_strategy(aclspec);
}
- ldout(cct, 20) << "from ACL got perm=" << perm << dendl;
+ ldpp_dout(dpp, 20) << "from ACL got perm=" << perm << dendl;
return perm;
}
<< ", is_admin=" << info.is_admin << ")";
}
-void rgw::auth::RemoteApplier::create_account(const rgw_user& acct_user,
+void rgw::auth::RemoteApplier::create_account(const DoutPrefixProvider* dpp,
+ const rgw_user& acct_user,
RGWUserInfo& user_info) const /* out */
{
rgw_user new_acct_user = acct_user;
int ret = rgw_store_user_info(store, user_info, nullptr, nullptr,
real_time(), true);
if (ret < 0) {
- ldout(cct, 0) << "ERROR: failed to store new user info: user="
+ ldpp_dout(dpp, 0) << "ERROR: failed to store new user info: user="
<< user_info.user_id << " ret=" << ret << dendl;
throw ret;
}
}
/* TODO(rzarzynski): we need to handle display_name changes. */
-void rgw::auth::RemoteApplier::load_acct_info(RGWUserInfo& user_info) const /* out */
+void rgw::auth::RemoteApplier::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const /* out */
{
/* It's supposed that RGWRemoteAuthApplier tries to load account info
* that belongs to the authenticated identity. Another policy may be
}
if (rgw_get_user_info_by_uid(store, acct_user, user_info) < 0) {
- ldout(cct, 0) << "NOTICE: couldn't map swift user " << acct_user << dendl;
- create_account(acct_user, user_info);
+ ldpp_dout(dpp, 0) << "NOTICE: couldn't map swift user " << acct_user << dendl;
+ create_account(dpp, acct_user, user_info);
}
/* Succeeded if we are here (create_account() hasn't throwed). */
/* static declaration */
const std::string rgw::auth::LocalApplier::NO_SUBUSER;
-uint32_t rgw::auth::LocalApplier::get_perms_from_aclspec(const aclspec_t& aclspec) const
+uint32_t rgw::auth::LocalApplier::get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const
{
return rgw_perms_from_aclspec_default_strategy(user_info.user_id, aclspec);
}
}
}
-void rgw::auth::LocalApplier::load_acct_info(RGWUserInfo& user_info) const /* out */
+void rgw::auth::LocalApplier::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const /* out */
{
/* Load the account that belongs to the authenticated identity. An extra call
* to RADOS may be safely skipped in this case. */
user_info = this->user_info;
}
-void rgw::auth::LocalApplier::modify_request_state(req_state* s) const
+void rgw::auth::LocalApplier::modify_request_state(const DoutPrefixProvider *dpp, req_state* s) const
{
for (auto it : role_policies) {
try {
} catch (rgw::IAM::PolicyParseException& e) {
//Control shouldn't reach here as the policy has already been
//verified earlier
- ldout(s->cct, 20) << "failed to parse policy: " << e.what() << dendl;
+ ldpp_dout(dpp, 20) << "failed to parse policy: " << e.what() << dendl;
}
}
}
* NOTE: an implementation is responsible for giving the real semantic to
* the items in @aclspec. That is, their meaning may depend on particular
* applier that is being used. */
- virtual uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const = 0;
+ virtual uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const = 0;
/* Verify whether a given identity *can be treated as* an admin of rgw_user
* (account in Swift's terminology) specified in @uid. On error throws
*
* XXX: be aware that the "account" term refers to rgw_user. The naming
* is legacy. */
- virtual void load_acct_info(RGWUserInfo& user_info) const = 0; /* out */
+ virtual void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const = 0; /* out */
/* Apply any changes to request state. This method will be most useful for
* TempURL of Swift API. */
- virtual void modify_request_state(req_state* s) const {} /* in/out */
+ virtual void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const {} /* in/out */
};
/* Apply any changes to request state. The initial use case was injecting
* the AWSv4 filter over rgw::io::RestfulClient in req_state. */
- virtual void modify_request_state(req_state* s) = 0; /* in/out */
+ virtual void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) = 0; /* in/out */
};
const AuthInfo info;
const bool implicit_tenants;
- virtual void create_account(const rgw_user& acct_user,
+ virtual void create_account(const DoutPrefixProvider* dpp,
+ const rgw_user& acct_user,
RGWUserInfo& user_info) const; /* out */
public:
implicit_tenants(implicit_tenants) {
}
- uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override;
+ uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
bool is_admin_of(const rgw_user& uid) const override;
bool is_owner_of(const rgw_user& uid) const override;
bool is_identity(const idset_t& ids) const override;
uint32_t get_perm_mask() const override { return info.perm_mask; }
void to_str(std::ostream& out) const override;
- void load_acct_info(RGWUserInfo& user_info) const override; /* out */
+ void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
uint32_t get_identity_type() const override { return info.acct_type; }
string get_acct_name() const override { return info.acct_name; }
}
- uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override;
+ uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
bool is_admin_of(const rgw_user& uid) const override;
bool is_owner_of(const rgw_user& uid) const override;
bool is_identity(const idset_t& ids) const override;
}
}
void to_str(std::ostream& out) const override;
- void load_acct_info(RGWUserInfo& user_info) const override; /* out */
+ void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
uint32_t get_identity_type() const override { return TYPE_RGW; }
string get_acct_name() const override { return {}; }
- void modify_request_state(req_state* s) const override;
+ void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;
struct Factory {
virtual ~Factory() {}
: decoratee(std::forward<DecorateeT>(decoratee)) {
}
- uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override {
- return get_decoratee().get_perms_from_aclspec(aclspec);
+ uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
+ return get_decoratee().get_perms_from_aclspec(dpp, aclspec);
}
bool is_admin_of(const rgw_user& uid) const override {
get_decoratee().to_str(out);
}
- void load_acct_info(RGWUserInfo& user_info) const override { /* out */
- return get_decoratee().load_acct_info(user_info);
+ void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override { /* out */
+ return get_decoratee().load_acct_info(dpp, user_info);
}
- void modify_request_state(req_state * s) const override { /* in/out */
- return get_decoratee().modify_request_state(s);
+ void modify_request_state(const DoutPrefixProvider* dpp, req_state * s) const override { /* in/out */
+ return get_decoratee().modify_request_state(dpp, s);
}
};
}
void to_str(std::ostream& out) const override;
- void load_acct_info(RGWUserInfo& user_info) const override; /* out */
+ void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
};
/* static declaration: UNKNOWN_ACCT will be an empty rgw_user that is a result
}
template <typename T>
-void ThirdPartyAccountApplier<T>::load_acct_info(RGWUserInfo& user_info) const
+void ThirdPartyAccountApplier<T>::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const
{
if (UNKNOWN_ACCT == acct_user_override) {
/* There is no override specified by the upper layer. This means that we'll
* load the account owned by the authenticated identity (aka auth_user). */
- DecoratedApplier<T>::load_acct_info(user_info);
+ DecoratedApplier<T>::load_acct_info(dpp, user_info);
} else if (DecoratedApplier<T>::is_owner_of(acct_user_override)) {
/* The override has been specified but the account belongs to the authenticated
* identity. We may safely forward the call to a next stage. */
- DecoratedApplier<T>::load_acct_info(user_info);
+ DecoratedApplier<T>::load_acct_info(dpp, user_info);
} else {
/* Compatibility mechanism for multi-tenancy. For more details refer to
* load_acct_info method of rgw::auth::RemoteApplier. */
}
void to_str(std::ostream& out) const override;
- void load_acct_info(RGWUserInfo& user_info) const override; /* out */
- void modify_request_state(req_state* s) const override; /* in/out */
+ void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
+ void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override; /* in/out */
};
template <typename T>
}
template <typename T>
-void SysReqApplier<T>::load_acct_info(RGWUserInfo& user_info) const
+void SysReqApplier<T>::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const
{
- DecoratedApplier<T>::load_acct_info(user_info);
+ DecoratedApplier<T>::load_acct_info(dpp, user_info);
is_system = user_info.system;
if (is_system) {
- //dout(20) << "system request" << dendl;
+ //ldpp_dout(dpp, 20) << "system request" << dendl;
rgw_user effective_uid(args.sys_get(RGW_SYS_PARAM_PREFIX "uid"));
if (! effective_uid.empty()) {
* calls ::decode instead. */
RGWUserInfo euser_info;
if (rgw_get_user_info_by_uid(store, effective_uid, euser_info) < 0) {
- //ldout(s->cct, 0) << "User lookup failed!" << dendl;
+ //ldpp_dout(dpp, 0) << "User lookup failed!" << dendl;
throw -EACCES;
}
user_info = euser_info;
}
template <typename T>
-void SysReqApplier<T>::modify_request_state(req_state* const s) const
+void SysReqApplier<T>::modify_request_state(const DoutPrefixProvider* dpp, req_state* const s) const
{
if (boost::logic::indeterminate(is_system)) {
RGWUserInfo unused_info;
- load_acct_info(unused_info);
+ load_acct_info(dpp, unused_info);
}
if (is_system) {
s->info.args.set_system();
s->system_request = true;
}
- DecoratedApplier<T>::modify_request_state(s);
+ DecoratedApplier<T>::modify_request_state(dpp, s);
}
template <typename T> static inline
return buf_pos;
}
-void AWSv4ComplMulti::modify_request_state(req_state* const s_rw)
+void AWSv4ComplMulti::modify_request_state(const DoutPrefixProvider* dpp, req_state* const s_rw)
{
const char* const decoded_length = \
s_rw->info.env->get("HTTP_X_AMZ_DECODED_CONTENT_LENGTH");
s_rw->content_length = parse_content_length(decoded_length);
if (s_rw->content_length < 0) {
- ldout(cct, 10) << "negative AWSv4's content length, aborting" << dendl;
+ ldpp_dout(dpp, 10) << "negative AWSv4's content length, aborting" << dendl;
throw -EINVAL;
}
}
return received;
}
-void AWSv4ComplSingle::modify_request_state(req_state* const s_rw)
+void AWSv4ComplSingle::modify_request_state(const DoutPrefixProvider* dpp, req_state* const s_rw)
{
/* Install the filter over rgw::io::RestfulClient. */
AWS_AUTHv4_IO(s_rw)->add_filter(
size_t recv_body(char* buf, size_t max) override;
/* rgw::auth::Completer. */
- void modify_request_state(req_state* s_rw) override;
+ void modify_request_state(const DoutPrefixProvider* dpp, req_state* s_rw) override;
bool complete() override;
/* Factories. */
size_t recv_body(char* buf, size_t max) override;
/* rgw::auth::Completer. */
- void modify_request_state(req_state* s_rw) override;
+ void modify_request_state(const DoutPrefixProvider* dpp, req_state* s_rw) override;
bool complete() override;
/* Factories. */
return usr_policy_res;
}
-bool verify_user_permission(struct req_state * const s,
+bool verify_user_permission(const DoutPrefixProvider* dpp,
+ struct req_state * const s,
RGWAccessControlPolicy * const user_acl,
const vector<rgw::IAM::Policy>& user_policies,
const rgw::IAM::ARN& res,
if (op == rgw::IAM::s3CreateBucket || op == rgw::IAM::s3ListAllMyBuckets) {
auto perm = op_to_perm(op);
- return verify_user_permission_no_policy(s, user_acl, perm);
+ return verify_user_permission_no_policy(dpp, s, user_acl, perm);
}
if (usr_policy_res == Effect::Pass) {
return false;
}
-bool verify_user_permission_no_policy(struct req_state * const s,
+bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, struct req_state * const s,
RGWAccessControlPolicy * const user_acl,
const int perm)
{
if ((perm & (int)s->perm_mask) != perm)
return false;
- return user_acl->verify_permission(*s->auth.identity, perm, perm);
+ return user_acl->verify_permission(dpp, *s->auth.identity, perm, perm);
}
-bool verify_user_permission(struct req_state * const s,
+bool verify_user_permission(const DoutPrefixProvider* dpp,
+ struct req_state * const s,
const rgw::IAM::ARN& res,
const uint64_t op)
{
- return verify_user_permission(s, s->user_acl.get(), s->iam_user_policies, res, op);
+ return verify_user_permission(dpp, s, s->user_acl.get(), s->iam_user_policies, res, op);
}
-bool verify_user_permission_no_policy(struct req_state * const s,
+bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
+ struct req_state * const s,
const int perm)
{
- return verify_user_permission_no_policy(s, s->user_acl.get(), perm);
+ return verify_user_permission_no_policy(dpp, s, s->user_acl.get(), perm);
}
bool verify_requester_payer_permission(struct req_state *s)
return false;
}
-bool verify_bucket_permission(struct req_state * const s,
+bool verify_bucket_permission(const DoutPrefixProvider* dpp,
+ struct req_state * const s,
const rgw_bucket& bucket,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const auto perm = op_to_perm(op);
- return verify_bucket_permission_no_policy(s, user_acl, bucket_acl, perm);
+ return verify_bucket_permission_no_policy(dpp, s, user_acl, bucket_acl, perm);
}
-bool verify_bucket_permission_no_policy(struct req_state * const s,
+bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, struct req_state * const s,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const int perm)
if ((perm & (int)s->perm_mask) != perm)
return false;
- if (bucket_acl->verify_permission(*s->auth.identity, perm, perm,
+ if (bucket_acl->verify_permission(dpp, *s->auth.identity, perm, perm,
s->info.env->get("HTTP_REFERER")))
return true;
if (!user_acl)
return false;
- return user_acl->verify_permission(*s->auth.identity, perm, perm);
+ return user_acl->verify_permission(dpp, *s->auth.identity, perm, perm);
}
-bool verify_bucket_permission_no_policy(struct req_state * const s, const int perm)
+bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, struct req_state * const s, const int perm)
{
if (!verify_requester_payer_permission(s))
return false;
- return verify_bucket_permission_no_policy(s,
+ return verify_bucket_permission_no_policy(dpp,
+ s,
s->user_acl.get(),
s->bucket_acl.get(),
perm);
}
-bool verify_bucket_permission(struct req_state * const s, const uint64_t op)
+bool verify_bucket_permission(const DoutPrefixProvider* dpp, struct req_state * const s, const uint64_t op)
{
- return verify_bucket_permission(s,
+ return verify_bucket_permission(dpp,
+ s,
s->bucket,
s->user_acl.get(),
s->bucket_acl.get(),
}
-static inline bool check_deferred_bucket_perms(struct req_state * const s,
+static inline bool check_deferred_bucket_perms(const DoutPrefixProvider* dpp,
+ struct req_state * const s,
const rgw_bucket& bucket,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const uint64_t op)
{
return (s->defer_to_bucket_acls == deferred_check \
- && verify_bucket_permission(s, bucket, user_acl, bucket_acl, bucket_policy, user_policies,op));
+ && verify_bucket_permission(dpp, s, bucket, user_acl, bucket_acl, bucket_policy, user_policies,op));
}
-static inline bool check_deferred_bucket_only_acl(struct req_state * const s,
+static inline bool check_deferred_bucket_only_acl(const DoutPrefixProvider* dpp,
+ struct req_state * const s,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const uint8_t deferred_check,
const int perm)
{
return (s->defer_to_bucket_acls == deferred_check \
- && verify_bucket_permission_no_policy(s, user_acl, bucket_acl, perm));
+ && verify_bucket_permission_no_policy(dpp, s, user_acl, bucket_acl, perm));
}
-bool verify_object_permission(struct req_state * const s,
+bool verify_object_permission(const DoutPrefixProvider* dpp, struct req_state * const s,
const rgw_obj& obj,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const auto perm = op_to_perm(op);
- if (check_deferred_bucket_perms(s, obj.bucket, user_acl, bucket_acl, bucket_policy,
+ if (check_deferred_bucket_perms(dpp, s, obj.bucket, user_acl, bucket_acl, bucket_policy,
user_policies, RGW_DEFER_TO_BUCKET_ACLS_RECURSE, op) ||
- check_deferred_bucket_perms(s, obj.bucket, user_acl, bucket_acl, bucket_policy,
+ check_deferred_bucket_perms(dpp, s, obj.bucket, user_acl, bucket_acl, bucket_policy,
user_policies, RGW_DEFER_TO_BUCKET_ACLS_FULL_CONTROL, rgw::IAM::s3All)) {
return true;
}
return false;
}
- bool ret = object_acl->verify_permission(*s->auth.identity, s->perm_mask, perm);
+ bool ret = object_acl->verify_permission(dpp, *s->auth.identity, s->perm_mask, perm);
if (ret) {
return true;
}
/* we already verified the user mask above, so we pass swift_perm as the mask here,
otherwise the mask might not cover the swift permissions bits */
- if (bucket_acl->verify_permission(*s->auth.identity, swift_perm, swift_perm,
+ if (bucket_acl->verify_permission(dpp, *s->auth.identity, swift_perm, swift_perm,
s->info.env->get("HTTP_REFERER")))
return true;
if (!user_acl)
return false;
- return user_acl->verify_permission(*s->auth.identity, swift_perm, swift_perm);
+ return user_acl->verify_permission(dpp, *s->auth.identity, swift_perm, swift_perm);
}
-bool verify_object_permission_no_policy(struct req_state * const s,
+bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
+ struct req_state * const s,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
RGWAccessControlPolicy * const object_acl,
const int perm)
{
- if (check_deferred_bucket_only_acl(s, user_acl, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_RECURSE, perm) ||
- check_deferred_bucket_only_acl(s, user_acl, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_FULL_CONTROL, RGW_PERM_FULL_CONTROL)) {
+ if (check_deferred_bucket_only_acl(dpp, s, user_acl, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_RECURSE, perm) ||
+ check_deferred_bucket_only_acl(dpp, s, user_acl, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_FULL_CONTROL, RGW_PERM_FULL_CONTROL)) {
return true;
}
return false;
}
- bool ret = object_acl->verify_permission(*s->auth.identity, s->perm_mask, perm);
+ bool ret = object_acl->verify_permission(dpp, *s->auth.identity, s->perm_mask, perm);
if (ret) {
return true;
}
/* we already verified the user mask above, so we pass swift_perm as the mask here,
otherwise the mask might not cover the swift permissions bits */
- if (bucket_acl->verify_permission(*s->auth.identity, swift_perm, swift_perm,
+ if (bucket_acl->verify_permission(dpp, *s->auth.identity, swift_perm, swift_perm,
s->info.env->get("HTTP_REFERER")))
return true;
if (!user_acl)
return false;
- return user_acl->verify_permission(*s->auth.identity, swift_perm, swift_perm);
+ return user_acl->verify_permission(dpp, *s->auth.identity, swift_perm, swift_perm);
}
-bool verify_object_permission_no_policy(struct req_state *s, int perm)
+bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, struct req_state *s, int perm)
{
if (!verify_requester_payer_permission(s))
return false;
- return verify_object_permission_no_policy(s,
+ return verify_object_permission_no_policy(dpp,
+ s,
s->user_acl.get(),
s->bucket_acl.get(),
s->object_acl.get(),
perm);
}
-bool verify_object_permission(struct req_state *s, uint64_t op)
+bool verify_object_permission(const DoutPrefixProvider* dpp, struct req_state *s, uint64_t op)
{
- return verify_object_permission(s,
+ return verify_object_permission(dpp,
+ s,
rgw_obj(s->bucket, s->object),
s->user_acl.get(),
s->bucket_acl.get(),
boost::optional<const rgw::auth::Identity&> id,
const uint64_t op,
const rgw::IAM::ARN& arn);
-bool verify_user_permission(struct req_state * const s,
+bool verify_user_permission(const DoutPrefixProvider* dpp,
+ struct req_state * const s,
RGWAccessControlPolicy * const user_acl,
const vector<rgw::IAM::Policy>& user_policies,
const rgw::IAM::ARN& res,
const uint64_t op);
-bool verify_user_permission_no_policy(struct req_state * const s,
+bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
+ struct req_state * const s,
RGWAccessControlPolicy * const user_acl,
const int perm);
-bool verify_user_permission(struct req_state * const s,
+bool verify_user_permission(const DoutPrefixProvider* dpp,
+ struct req_state * const s,
const rgw::IAM::ARN& res,
const uint64_t op);
-bool verify_user_permission_no_policy(struct req_state * const s,
+bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
+ struct req_state * const s,
int perm);
bool verify_bucket_permission(
+ const DoutPrefixProvider* dpp,
struct req_state * const s,
const rgw_bucket& bucket,
RGWAccessControlPolicy * const user_acl,
const boost::optional<rgw::IAM::Policy>& bucket_policy,
const vector<rgw::IAM::Policy>& user_policies,
const uint64_t op);
-bool verify_bucket_permission(struct req_state * const s, const uint64_t op);
+bool verify_bucket_permission(const DoutPrefixProvider* dpp, struct req_state * const s, const uint64_t op);
bool verify_bucket_permission_no_policy(
+ const DoutPrefixProvider* dpp,
struct req_state * const s,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const int perm);
-bool verify_bucket_permission_no_policy(struct req_state * const s,
+bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp,
+ struct req_state * const s,
const int perm);
int verify_bucket_owner_or_policy(struct req_state* const s,
const uint64_t op);
extern bool verify_object_permission(
+ const DoutPrefixProvider* dpp,
struct req_state * const s,
const rgw_obj& obj,
RGWAccessControlPolicy * const user_acl,
const boost::optional<rgw::IAM::Policy>& bucket_policy,
const vector<rgw::IAM::Policy>& user_policies,
const uint64_t op);
-extern bool verify_object_permission(struct req_state *s, uint64_t op);
+extern bool verify_object_permission(const DoutPrefixProvider* dpp, struct req_state *s, uint64_t op);
extern bool verify_object_permission_no_policy(
+ const DoutPrefixProvider* dpp,
struct req_state * const s,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
RGWAccessControlPolicy * const object_acl,
int perm);
-extern bool verify_object_permission_no_policy(struct req_state *s,
+extern bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, struct req_state *s,
int perm);
/** Convert an input URL into a sane object name
* by converting %-escaped strings into characters, etc*/
const rgw_user& bucket_owner = bucket_policy.get_owner().get_id();
if (bucket_owner.compare(s->user->user_id) != 0 &&
! s->auth.identity->is_admin_of(bucket_owner) &&
- ! bucket_policy.verify_permission(*s->auth.identity, s->perm_mask,
+ ! bucket_policy.verify_permission(s, *s->auth.identity, s->perm_mask,
RGW_PERM_READ)) {
ret = -EACCES;
} else {
}
}
- if (!verify_object_permission(s, action)) {
+ if (!verify_object_permission(this, s, action)) {
return -EACCES;
}
}
}
}
- if (!verify_object_permission(s,iam_action))
+ if (!verify_object_permission(this, s,iam_action))
return -EACCES;
return 0;
rgw_iam_add_existing_objtags(store, s, obj, iam_action);
}
- if (!verify_object_permission(s,iam_action))
+ if (!verify_object_permission(this, s,iam_action))
return -EACCES;
return 0;
}
}
}
}
- if (!verify_object_permission(s, iam_action))
+ if (!verify_object_permission(this, s, iam_action))
return -EACCES;
}
return 0;
ldpp_dout(this, 2) << "overriding permissions due to system operation" << dendl;
} else if (s->auth.identity->is_admin_of(s->user->user_id)) {
ldpp_dout(this, 2) << "overriding permissions due to admin operation" << dendl;
- } else if (!verify_object_permission(s, part, s->user_acl.get(), bucket_acl,
+ } else if (!verify_object_permission(this, s, part, s->user_acl.get(), bucket_acl,
&obj_policy, bucket_policy, s->iam_user_policies, action)) {
return -EPERM;
}
int RGWListBuckets::verify_permission()
{
- if (!verify_user_permission(s, ARN(), rgw::IAM::s3ListAllMyBuckets)) {
+ if (!verify_user_permission(this, s, ARN(), rgw::IAM::s3ListAllMyBuckets)) {
return -EACCES;
}
int RGWStatAccount::verify_permission()
{
- if (!verify_user_permission_no_policy(s, RGW_PERM_READ)) {
+ if (!verify_user_permission_no_policy(this, s, RGW_PERM_READ)) {
return -EACCES;
}
int RGWStatBucket::verify_permission()
{
// This (a HEAD request on a bucket) is governed by the s3:ListBucket permission.
- if (!verify_bucket_permission(s, rgw::IAM::s3ListBucket)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3ListBucket)) {
return -EACCES;
}
s->env.emplace("s3:max-keys", std::to_string(max));
- if (!verify_bucket_permission(s,
+ if (!verify_bucket_permission(this,
+ s,
list_versions ?
rgw::IAM::s3ListBucketVersions :
rgw::IAM::s3ListBucket)) {
return -EACCES;
}
- if (!verify_user_permission(s, ARN(s->bucket), rgw::IAM::s3CreateBucket)) {
+ if (!verify_user_permission(this, s, ARN(s->bucket), rgw::IAM::s3CreateBucket)) {
return -EACCES;
}
int RGWDeleteBucket::verify_permission()
{
- if (!verify_bucket_permission(s, rgw::IAM::s3DeleteBucket)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3DeleteBucket)) {
return -EACCES;
}
if (e == Effect::Deny) {
return -EACCES;
} else if (usr_policy_res == Effect::Pass && e == Effect::Pass &&
- !cs_acl.verify_permission(*s->auth.identity, s->perm_mask,
+ !cs_acl.verify_permission(this, *s->auth.identity, s->perm_mask,
RGW_PERM_READ)) {
return -EACCES;
}
- } else if (!cs_acl.verify_permission(*s->auth.identity, s->perm_mask,
+ } else if (!cs_acl.verify_permission(this, *s->auth.identity, s->perm_mask,
RGW_PERM_READ)) {
return -EACCES;
}
}
}
- if (!verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) {
+ if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) {
return -EACCES;
}
if (e == Effect::Deny) {
op_ret = -EACCES;
return;
- } else if (usr_policy_res == Effect::Pass && e == Effect::Pass && !verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) {
+ } else if (usr_policy_res == Effect::Pass && e == Effect::Pass && !verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) {
op_ret = -EACCES;
return;
}
- } else if (!verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) {
+ } else if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) {
op_ret = -EACCES;
return;
}
return -EACCES;
}
- if (!verify_user_permission_no_policy(s, RGW_PERM_WRITE)) {
+ if (!verify_user_permission_no_policy(this, s, RGW_PERM_WRITE)) {
return -EACCES;
}
int RGWPutMetadataBucket::verify_permission()
{
- if (!verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) {
+ if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) {
return -EACCES;
}
{
// This looks to be something specific to Swift. We could add
// operations like swift:PutMetadataObject to the Policy Engine.
- if (!verify_object_permission_no_policy(s, RGW_PERM_WRITE)) {
+ if (!verify_object_permission_no_policy(this, s, RGW_PERM_WRITE)) {
return -EACCES;
}
try {
deleter = std::unique_ptr<RGWBulkDelete::Deleter>(\
- new RGWBulkDelete::Deleter(store, s));
+ new RGWBulkDelete::Deleter(this, store, s));
} catch (const std::bad_alloc&) {
return -ENOMEM;
}
return true;
}
- if (!verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) {
+ if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) {
return -EACCES;
}
if (e == Effect::Deny) {
return -EACCES;
} else if (e == Effect::Pass &&
- !src_acl.verify_permission(*s->auth.identity, s->perm_mask,
+ !src_acl.verify_permission(this, *s->auth.identity, s->perm_mask,
RGW_PERM_READ)) {
return -EACCES;
}
- } else if (!src_acl.verify_permission(*s->auth.identity,
+ } else if (!src_acl.verify_permission(this, *s->auth.identity,
s->perm_mask,
RGW_PERM_READ)) {
return -EACCES;
if (e == Effect::Deny) {
return -EACCES;
} else if (e == Effect::Pass &&
- ! dest_bucket_policy.verify_permission(*s->auth.identity,
+ ! dest_bucket_policy.verify_permission(this,
+ *s->auth.identity,
s->perm_mask,
RGW_PERM_WRITE)){
return -EACCES;
}
}
- } else if (! dest_bucket_policy.verify_permission(*s->auth.identity, s->perm_mask,
+ } else if (! dest_bucket_policy.verify_permission(this, *s->auth.identity, s->perm_mask,
RGW_PERM_WRITE)) {
return -EACCES;
}
}
}
}
- perm = verify_object_permission(s, iam_action);
+ perm = verify_object_permission(this, s, iam_action);
} else {
- perm = verify_bucket_permission(s, rgw::IAM::s3GetBucketAcl);
+ perm = verify_bucket_permission(this, s, rgw::IAM::s3GetBucketAcl);
}
if (!perm)
return -EACCES;
auto iam_action = s->object.instance.empty() ? rgw::IAM::s3PutObjectAcl : rgw::IAM::s3PutObjectVersionAcl;
auto obj = rgw_obj(s->bucket, s->object);
op_ret = rgw_iam_add_existing_objtags(store, s, obj, iam_action);
- perm = verify_object_permission(s, iam_action);
+ perm = verify_object_permission(this, s, iam_action);
} else {
- perm = verify_bucket_permission(s, rgw::IAM::s3PutBucketAcl);
+ perm = verify_bucket_permission(this, s, rgw::IAM::s3PutBucketAcl);
}
if (!perm)
return -EACCES;
int RGWGetLC::verify_permission()
{
bool perm;
- perm = verify_bucket_permission(s, rgw::IAM::s3GetLifecycleConfiguration);
+ perm = verify_bucket_permission(this, s, rgw::IAM::s3GetLifecycleConfiguration);
if (!perm)
return -EACCES;
int RGWPutLC::verify_permission()
{
bool perm;
- perm = verify_bucket_permission(s, rgw::IAM::s3PutLifecycleConfiguration);
+ perm = verify_bucket_permission(this, s, rgw::IAM::s3PutLifecycleConfiguration);
if (!perm)
return -EACCES;
int RGWDeleteLC::verify_permission()
{
bool perm;
- perm = verify_bucket_permission(s, rgw::IAM::s3PutLifecycleConfiguration);
+ perm = verify_bucket_permission(this, s, rgw::IAM::s3PutLifecycleConfiguration);
if (!perm)
return -EACCES;
}
}
- if (!verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) {
+ if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) {
return -EACCES;
}
}
}
- if (!verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) {
+ if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) {
return -EACCES;
}
return 0;
}
- if (!verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) {
+ if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) {
return -EACCES;
}
int RGWListMultipart::verify_permission()
{
- if (!verify_object_permission(s, rgw::IAM::s3ListMultipartUploadParts))
+ if (!verify_object_permission(this, s, rgw::IAM::s3ListMultipartUploadParts))
return -EACCES;
return 0;
int RGWListBucketMultiparts::verify_permission()
{
- if (!verify_bucket_permission(s,
+ if (!verify_bucket_permission(this,
+ s,
rgw::IAM::s3ListBucketMultipartUploads))
return -EACCES;
int RGWDeleteMultiObj::verify_permission()
{
- acl_allowed = verify_bucket_permission_no_policy(s, RGW_PERM_WRITE);
+ acl_allowed = verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE);
if (!acl_allowed && !s->iam_policy && s->iam_user_policies.empty())
return -EACCES;
/* We can use global user_acl because each BulkDelete request is allowed
* to work on entities from a single account only. */
- return verify_bucket_permission(s, binfo.bucket, s->user_acl.get(),
+ return verify_bucket_permission(dpp, s, binfo.bucket, s->user_acl.get(),
&bacl, policy, s->iam_user_policies, rgw::IAM::s3DeleteBucket);
}
void RGWBulkDelete::execute()
{
- deleter = std::unique_ptr<Deleter>(new Deleter(store, s));
+ deleter = std::unique_ptr<Deleter>(new Deleter(this, store, s));
bool is_truncated = false;
do {
return -EACCES;
}
- if (! verify_user_permission_no_policy(s, RGW_PERM_WRITE)) {
+ if (! verify_user_permission_no_policy(this, s, RGW_PERM_WRITE)) {
return -EACCES;
}
}
}
- return verify_bucket_permission_no_policy(s, s->user_acl.get(),
+ return verify_bucket_permission_no_policy(this, s, s->user_acl.get(),
&bacl, RGW_PERM_WRITE);
}
// Swift equivalent.
bool perm;
if (!s->object.empty()) {
- perm = verify_object_permission_no_policy(s, RGW_PERM_WRITE);
+ perm = verify_object_permission_no_policy(this, s, RGW_PERM_WRITE);
} else {
- perm = verify_bucket_permission_no_policy(s, RGW_PERM_WRITE);
+ perm = verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE);
}
if (!perm)
return -EACCES;
int RGWPutBucketPolicy::verify_permission()
{
- if (!verify_bucket_permission(s, rgw::IAM::s3PutBucketPolicy)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketPolicy)) {
return -EACCES;
}
int RGWGetBucketPolicy::verify_permission()
{
- if (!verify_bucket_permission(s, rgw::IAM::s3GetBucketPolicy)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketPolicy)) {
return -EACCES;
}
int RGWDeleteBucketPolicy::verify_permission()
{
- if (!verify_bucket_permission(s, rgw::IAM::s3DeleteBucketPolicy)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3DeleteBucketPolicy)) {
return -EACCES;
}
class Deleter {
protected:
+ const DoutPrefixProvider * dpp;
unsigned int num_deleted;
unsigned int num_unfound;
std::list<fail_desc_t> failures;
req_state * const s;
public:
- Deleter(RGWRados * const str, req_state * const s)
- : num_deleted(0),
+ Deleter(const DoutPrefixProvider* dpp, RGWRados * const str, req_state * const s)
+ : dpp(dpp),
+ num_deleted(0),
num_unfound(0),
store(str),
s(s) {
string resource_name = role.get_path() + role_name;
uint64_t op = get_op();
- if (!verify_user_permission(s,
+ if (!verify_user_permission(this,
+ s,
rgw::IAM::ARN(resource_name,
"role",
s->user->user_id.tenant, true),
string role_path = s->info.args.get("Path");
string resource_name = role_path + role_name;
- if (!verify_user_permission(s,
+ if (!verify_user_permission(this,
+ s,
rgw::IAM::ARN(resource_name,
"role",
s->user->user_id.tenant, true),
}
string resource_name = role.get_path() + role.get_name();
- if (!verify_user_permission(s,
+ if (!verify_user_permission(this,
+ s,
rgw::IAM::ARN(resource_name,
"role",
s->user->user_id.tenant, true),
return ret;
}
- if (!verify_user_permission(s,
+ if (!verify_user_permission(this,
+ s,
rgw::IAM::ARN(),
get_op())) {
return -EACCES;
rgw::auth::Engine::result_t
rgw::auth::s3::STSEngine::authenticate(
+ const DoutPrefixProvider* dpp,
const boost::string_view& _access_key_id,
const boost::string_view& signature,
const boost::string_view& session_token,
//Authentication
//Check if access key is not the same passed in by client
if (token.access_key_id != _access_key_id) {
- ldout(cct, 0) << "Invalid access key" << dendl;
+ ldpp_dout(dpp, 0) << "Invalid access key" << dendl;
return result_t::reject(-EPERM);
}
//Check if the token has expired
if (exp) {
real_clock::time_point now = real_clock::now();
if (now >= *exp) {
- ldout(cct, 0) << "ERROR: Token expired" << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: Token expired" << dendl;
return result_t::reject(-EPERM);
}
} else {
- ldout(cct, 0) << "ERROR: Invalid expiration: " << expiration << dendl;
+ ldpp_dout(dpp, 0) << "ERROR: Invalid expiration: " << expiration << dendl;
return result_t::reject(-EPERM);
}
}
signature_factory(cct, token.secret_access_key, string_to_sign);
auto compare = signature.compare(server_signature);
- ldout(cct, 15) << "string_to_sign="
+ ldpp_dout(dpp, 15) << "string_to_sign="
<< rgw::crypt_sanitize::log_content{string_to_sign}
<< dendl;
- ldout(cct, 15) << "server signature=" << server_signature << dendl;
- ldout(cct, 15) << "client signature=" << signature << dendl;
- ldout(cct, 15) << "compare=" << compare << dendl;
+ ldpp_dout(dpp, 15) << "server signature=" << server_signature << dendl;
+ ldpp_dout(dpp, 15) << "client signature=" << signature << dendl;
+ ldpp_dout(dpp, 15) << "compare=" << compare << dendl;
if (compare != 0) {
return result_t::reject(-ERR_SIGNATURE_NO_MATCH);
// get user info
int ret = rgw_get_user_info_by_uid(store, token.user, user_info, NULL);
if (ret < 0) {
- ldout(cct, 5) << "ERROR: failed reading user info: uid=" << token.user << dendl;
+ ldpp_dout(dpp, 5) << "ERROR: failed reading user info: uid=" << token.user << dendl;
return result_t::reject(-EPERM);
}
}
int get_session_token(const boost::string_view& session_token,
STS::SessionToken& token) const;
- result_t authenticate(const boost::string_view& access_key_id,
+ result_t authenticate(const DoutPrefixProvider* dpp,
+ const boost::string_view& access_key_id,
const boost::string_view& signature,
const boost::string_view& session_token,
const string_to_sign_t& string_to_sign,
int init(RGWRados *store,
struct req_state *s,
rgw::io::BasicClient *cio) override;
- int authorize() override {
- return RGW_Auth_S3::authorize(store, auth_registry, s);
+ int authorize(const DoutPrefixProvider* dpp) override {
+ return RGW_Auth_S3::authorize(dpp, store, auth_registry, s);
}
int postauth_init() override { return 0; }
};
uint64_t op = get_op();
string user_name = s->info.args.get("UserName");
rgw_user user_id(user_name);
- if (! verify_user_permission(s, rgw::IAM::ARN(rgw::IAM::ARN(user_id.id,
+ if (! verify_user_permission(this, s, rgw::IAM::ARN(rgw::IAM::ARN(user_id.id,
"user",
user_id.tenant)), op)) {
return -EACCES;
op_ret = -ERR_NO_SUCH_ENTITY;
return;
}
-}
\ No newline at end of file
+}
namespace swift {
/* TempURL: applier */
-void TempURLApplier::modify_request_state(req_state* s) const /* in/out */
+void TempURLApplier::modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const /* in/out */
{
bool inline_exists = false;
const std::string& filename = s->info.args.get("filename");
s->content_disp.fallback = "attachment; filename=\"" + fenc + "\"";
}
- ldout(s->cct, 20) << "finished applying changes to req_state for TempURL: "
+ ldpp_dout(dpp, 20) << "finished applying changes to req_state for TempURL: "
<< " content_disp override " << s->content_disp.override
<< " content_disp fallback " << s->content_disp.fallback
<< dendl;
: LocalApplier(cct, user_info, LocalApplier::NO_SUBUSER, boost::none, boost::none) {
};
- void modify_request_state(req_state * s) const override; /* in/out */
+ void modify_request_state(const DoutPrefixProvider* dpp, req_state * s) const override; /* in/out */
struct Factory {
virtual ~Factory() {}
public:
explicit FakeIdentity(Principal&& id) : id(std::move(id)) {}
- uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override {
+ uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
ceph_abort();
return 0;
};
projects / ceph-ci.git / commitdiff