services:
- rgw
with_legacy: true
+- name: rgw_s3_auth_disable_signature_url
+ type: bool
+ level: advanced
+ desc: Should authentification with presigned URLs be disabled
+ long_desc: 'If enabled, any request that is presigned with either V2 or V4 signature will be denied'
+ default: false
+ services:
+ - rgw
- name: rgw_barbican_url
type: str
level: advanced
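Review bot: The `desc` on the new option reads as a question and misspells "authentication"; a declarative form such as `desc: Disable authentication with presigned URLs` is easier to scan in option listings. The `long_desc` says "presigned with either V2 or V4 signature" without saying that this means signatures carried in the query string. If that is the intended scope, stating that header-signed requests are unaffected would tell operators exactly what enabling the option denies.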
* nullptr inside. */
ldpp_dout(dpp, 5) << "Failed the auth strategy, reason="
<< result.get_reason() << dendl;
- //Special handling for expired pre-signed URL
+ // Special handling for expired pre-signed URL
if (result.get_reason() == ERR_PRESIGNED_URL_EXPIRED) {
result = result_t::deny(-EPERM);
set_req_state_err(s, -EPERM, "The pre-signed URL has expired");
}
+ // Special handling for disabled presigned URL
+ if (result.get_reason() == ERR_PRESIGNED_URL_DISABLED) {
+ result = result_t::deny(-EPERM);
+ set_req_state_err(s, -EPERM, "Presigned URLs are disabled by admin");
+ }
return result.get_reason();
}
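Review bot: The added check `result.get_reason() == ERR_PRESIGNED_URL_DISABLED` compares against the positive constant, while the throw site added in the same commit raises `-ERR_PRESIGNED_URL_DISABLED`. How the thrown value becomes the result's reason is not visible here, so the sign convention is worth confirming. If the reason keeps the negated value, this branch never runs and the caller sees the internal code instead of the -EPERM mapping and message. The block mirrors the expired-URL case just above it, so whatever holds there presumably holds here too. The enclosing function begins outside the hunk.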
#define ERR_INVALID_BUCKET_STATE 2221
#define ERR_INVALID_OBJECT_STATE 2222
#define ERR_PRESIGNED_URL_EXPIRED 2223
+#define ERR_PRESIGNED_URL_DISABLED 2224
#define ERR_BUSY_RESHARDING 2300
#define ERR_NO_SUCH_ENTITY 2301
AwsRoute route;
std::tie(version, route) = discover_aws_flavour(s->info);
- if (version == AwsVersion::V2) {
- return get_auth_data_v2(s);
- } else if (version == AwsVersion::V4) {
- return get_auth_data_v4(s, route == AwsRoute::QUERY_STRING);
+ if (! s->cct->_conf->rgw_s3_auth_disable_signature_url) {
+ if (version == AwsVersion::V2) {
+ return get_auth_data_v2(s);
+ } else if (version == AwsVersion::V4) {
+ return get_auth_data_v4(s, route == AwsRoute::QUERY_STRING);
+ } else {
+ /* FIXME(rzarzynski): handle anon user. */
+ throw -EINVAL;
+ }
} else {
- /* FIXME(rzarzynski): handle anon user. */
- throw -EINVAL;
+ ldpp_dout(s, 0) << "Presigned URLs are disabled by admin" << dendl;
+ throw -ERR_PRESIGNED_URL_DISABLED;
}
}
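Review bot: The new outer `if` tests only `rgw_s3_auth_disable_signature_url` and never looks at `route`, so with the option enabled the `else` branch throws `-ERR_PRESIGNED_URL_DISABLED` for every request that reaches this point. Assuming `discover_aws_flavour` reports a different route for header-signed requests, V2/V4 requests signed through headers are rejected as well. That is wider than the option's description and would make the setting an outage for all signed S3 clients rather than a restriction on presigned URLs. Guarding only the query-string route, with `if (route == AwsRoute::QUERY_STRING && s->cct->_conf->rgw_s3_auth_disable_signature_url)` followed by the log line and the throw, ahead of the unchanged version dispatch, keeps the original chain as it was. The message is also logged at level 0 on a path any unauthenticated client can trigger, so a debug level such as `ldpp_dout(s, 10)` would avoid log flooding; the function starts outside the hunk.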