rgw: improve handling account privilege level in the auth infrastructure. 10687/head
authorRadoslaw Zarzynski <rzarzynski@mirantis.com>
Thu, 11 Aug 2016 16:28:38 +0000 (18:28 +0200)
committerRadoslaw Zarzynski <rzarzynski@mirantis.com>
Fri, 12 Aug 2016 10:12:58 +0000 (12:12 +0200)
Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
src/rgw/rgw_auth.cc
src/rgw/rgw_auth.h
src/rgw/rgw_rest_s3.cc

index fb265281213c379d6ece180c4532806f7d5d929e..4b5f784933c0de5b79e591eb14c68204559a6652 100644 (file)
@@ -368,11 +368,13 @@ RGWKeystoneAuthEngine::get_creds_info(const KeystoneToken& token,
                                       const std::vector<std::string>& admin_roles
                                     ) const noexcept
 {
+  using acct_privilege_t = RGWRemoteAuthApplier::AuthInfo::acct_privilege_t;
+
   /* Check whether the user has an admin status. */
-  bool is_admin = false;
+  acct_privilege_t level = acct_privilege_t::IS_PLAIN_ACCT;
   for (const auto& admin_role : admin_roles) {
     if (token.has_role(admin_role)) {
-      is_admin = true;
+      level = acct_privilege_t::IS_ADMIN_ACCT;
       break;
     }
   }
@@ -385,7 +387,7 @@ RGWKeystoneAuthEngine::get_creds_info(const KeystoneToken& token,
     /* Keystone doesn't support RGW's subuser concept, so we cannot cut down
      * the access rights through the perm_mask. At least at this layer. */
     RGW_PERM_FULL_CONTROL,
-    is_admin,
+    level,
   };
 }
 
index d1ec8fc41849f3b3b1ffcc30c033f479d4440018..79d5263257a170d7552d5153d963c0ecc07d3705 100644 (file)
@@ -120,15 +120,20 @@ public:
     const uint32_t acct_type;
 
   public:
+    enum class acct_privilege_t {
+      IS_ADMIN_ACCT,
+      IS_PLAIN_ACCT
+    };
+
     AuthInfo(const rgw_user& acct_user,
              const std::string& acct_name,
              const uint32_t perm_mask,
-             const bool is_admin,
+             const acct_privilege_t level,
              const uint32_t acct_type=TYPE_NONE)
     : acct_user(acct_user),
       acct_name(acct_name),
       perm_mask(perm_mask),
-      is_admin(is_admin),
+      is_admin(acct_privilege_t::IS_ADMIN_ACCT == level),
       acct_type(acct_type) {
     }
   };
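Review bot: `IS_ADMIN_ACCT` is the first enumerator of `acct_privilege_t`, so it has the value 0 and a value-initialised `acct_privilege_t{}` compares equal to the admin level. No such initialisation is visible in this diff, but declaring the enum as `enum class acct_privilege_t { IS_PLAIN_ACCT, IS_ADMIN_ACCT };` would make the zero value the unprivileged one, so that a forgotten initialiser fails closed. A one-line comment on the enum would also help, saying that it replaces the bare `bool` so that call sites must name the privilege level explicitly. The enclosing class declaration starts before this hunk.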
index 69e6980fe3df1160ce4b2b8a40230a9a7169e963..df570c74f764a929017884b2ca5ee8a85f0225a5 100644 (file)
@@ -4357,11 +4357,13 @@ RGWRemoteAuthApplier::acl_strategy_t RGWLDAPAuthEngine::get_acl_strategy() const
 RGWRemoteAuthApplier::AuthInfo
 RGWLDAPAuthEngine::get_creds_info(const rgw::RGWToken& token) const noexcept
 {
+  using acct_privilege_t = RGWRemoteAuthApplier::AuthInfo::acct_privilege_t;
+
   return RGWRemoteAuthApplier::AuthInfo {
     rgw_user(token.id),
     token.id,
     RGW_PERM_FULL_CONTROL,
-    false,
+    acct_privilege_t::IS_PLAIN_ACCT,
     TYPE_LDAP
   };
 }
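Review bot: The hard-coded `acct_privilege_t::IS_PLAIN_ACCT` next to `RGW_PERM_FULL_CONTROL` has no comment, whereas the Keystone `get_creds_info` explains its perm_mask choice. A comment above the level argument, such as `/* LDAP identities are never mapped to the admin level at this layer. */`, would record that the fixed level is deliberate. This assumes that is the intent; what `rgw::RGWToken` carries beyond `id` is not visible in this hunk.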