get_caller_identity utility

Tracker: https://tracker.ceph.com/issues/72157

Signed-off-by: Raja Sharma <raja@ibm.com>

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index a4abe024e53df9e198ff35d8bd696ef35aa5905c..0d6c749af050e7d4be5e2e536af3bc7ea70082b8 100644 (file)
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -280,6 +280,10 @@ static auto transform_old_authinfo(const RGWUserInfo& user,
       return type;
     }
 
+    std::optional<rgw::ARN> get_caller_identity() const override {
+      return std::nullopt;
+    }
+
     string get_acct_name() const override {
       return {};
     }

diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index 87fbd47c0b109d064beb899ce94ffd8c10579a84..f4e469fb2625a077d4df1e4d26791d85332ca1b6 100644 (file)
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -87,6 +87,9 @@ public:
   /* Identity Type: RGW/ LDAP/ Keystone */
   virtual uint32_t get_identity_type() const = 0;
 
+  /* Identity ARN */
+  virtual std::optional<rgw::ARN> get_caller_identity() const = 0;
+
   /* Name of Account */
   virtual std::string get_acct_name() const = 0;
 
@@ -504,6 +507,10 @@ public:
     return TYPE_WEB;
   }
 
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    return std::nullopt;
+  }
+
   std::string get_acct_name() const override {
     return this->user_name;
   }
@@ -679,6 +686,11 @@ public:
   void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;
   void write_ops_log_entry(rgw_log_entry& entry) const override;
   uint32_t get_identity_type() const override { return info.acct_type; }
+
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    return std::nullopt;
+  }
+
   std::string get_acct_name() const override { return info.acct_name; }
   std::string get_subuser() const override { return {}; }
   const std::string& get_tenant() const override {
@@ -749,6 +761,19 @@ public:
   auto load_acct_info(const DoutPrefixProvider* dpp) const -> std::unique_ptr<rgw::sal::User> override; /* out */
   void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;
   uint32_t get_identity_type() const override { return user_info.type; }
+
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    bool has_account_id = !user_info.account_id.empty();
+    std::string acct = has_account_id ? user_info.account_id : user_info.user_id.tenant;
+    if(user_info.type == TYPE_ROOT) {
+      return rgw::ARN("", "root", acct, true);
+    }
+
+    std::string username = has_account_id ? user_info.display_name : user_info.user_id.id;
+    std::string path = user_info.path.empty() ? "/" : user_info.path;
+    return rgw::ARN(string_cat_reserve(path, username), "user", acct, true);
+  }
+
   std::string get_acct_name() const override { return {}; }
   std::string get_subuser() const override { return subuser; }
   const std::string& get_tenant() const override {
@@ -828,6 +853,16 @@ public:
   void to_str(std::ostream& out) const override;
   auto load_acct_info(const DoutPrefixProvider* dpp) const -> std::unique_ptr<rgw::sal::User> override; /* out */
   uint32_t get_identity_type() const override { return TYPE_ROLE; }
+
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    rgw::Partition partition = rgw::Partition::aws;
+    rgw::Service service = rgw::Service::sts;
+    std::string acct = role.account->id.empty() ? role.tenant : role.account->id;
+    std::string resource = "assumed-role/" + role.name + "/" + token_attrs.role_session_name;
+
+    return rgw::ARN(partition, service, "", acct, resource);
+  }
+
   std::string get_acct_name() const override { return {}; }
   std::string get_subuser() const override { return {}; }
   const std::string& get_tenant() const override { return role.tenant; }
@@ -886,6 +921,10 @@ public:
     return TYPE_RGW;
   }
 
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    return std::nullopt;
+  }
+
   std::string get_acct_name() const override {
     return {};
   }

diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h
index aed3449f13b11407e7bd3e750050a6d8f7932bf5..09d9e07b0795d1fcfc19048742221263479b3f86 100644 (file)
--- a/src/rgw/rgw_auth_filters.h
+++ b/src/rgw/rgw_auth_filters.h
@@ -97,6 +97,10 @@ public:
     return get_decoratee().get_identity_type();
   }
 
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    return get_decoratee().get_caller_identity();
+  }
+
   std::string get_acct_name() const override {
     return get_decoratee().get_acct_name();
   }

diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
index 057bcab362b6399cb57568aea321a9d8a3743c07..d3a285a14ca597cb31d00cddf99e41ffd9b80bf3 100644 (file)
--- a/src/test/rgw/test_rgw_iam_policy.cc
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -213,6 +213,10 @@ public:
   uint32_t get_identity_type() const override {
     return TYPE_RGW;
   }
+
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    return std::nullopt;
+  }
 };
 
 class PolicyTest : public ::testing::Test {

diff --git a/src/test/rgw/test_rgw_lua.cc b/src/test/rgw/test_rgw_lua.cc
index e773e15891f5fc73c442c3d8d0e76328b8ca6b05..c057c341153c1f74cf6f1ff59624834c0a7645aa 100644 (file)
--- a/src/test/rgw/test_rgw_lua.cc
+++ b/src/test/rgw/test_rgw_lua.cc
@@ -49,6 +49,10 @@ public:
     return TYPE_RGW;
   }
 
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    return std::nullopt;
+  }
+
   string get_acct_name() const override {
     return "";
   }