#include "rgw_http_client.h"
#include "rgw_keystone.h"
#include "rgw_sal.h"
+#include "rgw_log.h"
#include "include/str_list.h"
return false;
}
+const std::string rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER;
+const std::string rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY;
+
/* rgw::auth::RemoteAuthApplier */
uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const
{
}
}
+void rgw::auth::RemoteApplier::write_ops_log_entry(rgw_log_entry& entry) const
+{
+ entry.access_key_id = info.access_key_id;
+ entry.subuser = info.subuser;
+}
+
/* TODO(rzarzynski): we need to handle display_name changes. */
void rgw::auth::RemoteApplier::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const /* out */
{
/* rgw::auth::LocalApplier */
/* static declaration */
const std::string rgw::auth::LocalApplier::NO_SUBUSER;
+const std::string rgw::auth::LocalApplier::NO_ACCESS_KEY;
uint32_t rgw::auth::LocalApplier::get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const
{
user_info = this->user_info;
}
+void rgw::auth::LocalApplier::write_ops_log_entry(rgw_log_entry& entry) const
+{
+ entry.access_key_id = access_key_id;
+ entry.subuser = subuser;
+}
+
void rgw::auth::RoleApplier::to_str(std::ostream& out) const {
out << "rgw::auth::LocalApplier(role name =" << role.name;
for (auto& policy: role.role_policies) {
auto apl = \
apl_factory->create_apl_local(cct, s, user_info,
rgw::auth::LocalApplier::NO_SUBUSER,
- boost::none);
+ boost::none, rgw::auth::LocalApplier::NO_ACCESS_KEY);
return result_t::grant(std::move(apl));
}
}
#define RGW_USER_ANON_ID "anonymous"
class RGWCtl;
+struct rgw_log_entry;
namespace rgw {
namespace auth {
virtual string get_subuser() const = 0;
virtual string get_role_tenant() const { return ""; }
+
+ /* write any auth-specific fields that are safe to expose in the ops log */
+ virtual void write_ops_log_entry(rgw_log_entry& entry) const {};
};
inline std::ostream& operator<<(std::ostream& out,
const uint32_t perm_mask;
const bool is_admin;
const uint32_t acct_type;
+ const std::string access_key_id;
+ const std::string subuser;
public:
enum class acct_privilege_t {
IS_PLAIN_ACCT
};
+ static const std::string NO_SUBUSER;
+ static const std::string NO_ACCESS_KEY;
+
AuthInfo(const rgw_user& acct_user,
const std::string& acct_name,
const uint32_t perm_mask,
const acct_privilege_t level,
+ const std::string access_key_id,
+ const std::string subuser,
const uint32_t acct_type=TYPE_NONE)
: acct_user(acct_user),
acct_name(acct_name),
perm_mask(perm_mask),
is_admin(acct_privilege_t::IS_ADMIN_ACCT == level),
- acct_type(acct_type) {
+ acct_type(acct_type),
+ access_key_id(access_key_id),
+ subuser(subuser) {
}
};
uint32_t get_perm_mask() const override { return info.perm_mask; }
void to_str(std::ostream& out) const override;
void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
+ void write_ops_log_entry(rgw_log_entry& entry) const override;
uint32_t get_identity_type() const override { return info.acct_type; }
string get_acct_name() const override { return info.acct_name; }
string get_subuser() const override { return {}; }
const RGWUserInfo user_info;
const std::string subuser;
uint32_t perm_mask;
+ const std::string access_key_id;
uint32_t get_perm_mask(const std::string& subuser_name,
const RGWUserInfo &uinfo) const;
public:
static const std::string NO_SUBUSER;
+ static const std::string NO_ACCESS_KEY;
LocalApplier(CephContext* const cct,
const RGWUserInfo& user_info,
std::string subuser,
- const boost::optional<uint32_t>& perm_mask)
+ const boost::optional<uint32_t>& perm_mask,
+ const std::string access_key_id)
: user_info(user_info),
- subuser(std::move(subuser)) {
+ subuser(std::move(subuser)),
+ access_key_id(access_key_id) {
if (perm_mask) {
this->perm_mask = perm_mask.get();
} else {
uint32_t get_identity_type() const override { return TYPE_RGW; }
string get_acct_name() const override { return {}; }
string get_subuser() const override { return subuser; }
+ void write_ops_log_entry(rgw_log_entry& entry) const override;
struct Factory {
virtual ~Factory() {}
const req_state* s,
const RGWUserInfo& user_info,
const std::string& subuser,
- const boost::optional<uint32_t>& perm_mask) const = 0;
+ const boost::optional<uint32_t>& perm_mask,
+ const std::string& access_key_id) const = 0;
};
};
void modify_request_state(const DoutPrefixProvider* dpp, req_state * s) const override { /* in/out */
return get_decoratee().modify_request_state(dpp, s);
}
+
+ void write_ops_log_entry(rgw_log_entry& entry) const override {
+ return get_decoratee().write_ops_log_entry(entry);
+ }
};
* the access rights through the perm_mask. At least at this layer. */
RGW_PERM_FULL_CONTROL,
level,
- TYPE_KEYSTONE,
- };
+ rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY,
+ rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
+ TYPE_KEYSTONE
+};
}
static inline const std::string
EC2Engine::auth_info_t
EC2Engine::get_creds_info(const EC2Engine::token_envelope_t& token,
- const std::vector<std::string>& admin_roles
+ const std::vector<std::string>& admin_roles,
+ const std::string& access_key_id
) const noexcept
{
using acct_privilege_t = \
* the access rights through the perm_mask. At least at this layer. */
RGW_PERM_FULL_CONTROL,
level,
- TYPE_KEYSTONE,
+ access_key_id,
+ rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
+ TYPE_KEYSTONE
};
}
<< " expires: " << t->get_expires() << dendl;
auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(*t),
- get_creds_info(*t, accepted_roles.admin));
+ get_creds_info(*t, accepted_roles.admin, std::string(access_key_id)));
return result_t::grant(std::move(apl), completer_factory(boost::none));
}
}
/* Helper methods. */
acl_strategy_t get_acl_strategy(const token_envelope_t& token) const;
auth_info_t get_creds_info(const token_envelope_t& token,
- const std::vector<std::string>& admin_roles
+ const std::vector<std::string>& admin_roles,
+ const std::string& access_key_id
) const noexcept;
std::pair<boost::optional<token_envelope_t>, int>
get_from_keystone(const DoutPrefixProvider* dpp,
const req_state* const s,
const RGWUserInfo& user_info,
const std::string& subuser,
- const boost::optional<uint32_t>& perm_mask) const override {
+ const boost::optional<uint32_t>& perm_mask,
+ const std::string& access_key_id) const override {
auto apl = rgw::auth::add_sysreq(cct, ctl, s,
- rgw::auth::LocalApplier(cct, user_info, subuser, perm_mask));
+ rgw::auth::LocalApplier(cct, user_info, subuser, perm_mask, access_key_id));
return aplptr_t(new decltype(apl)(std::move(apl)));
}
const req_state* const s,
const RGWUserInfo& user_info,
const std::string& subuser,
- const boost::optional<uint32_t>& perm_mask) const override {
+ const boost::optional<uint32_t>& perm_mask,
+ const std::string& access_key_id) const override {
auto apl = rgw::auth::add_sysreq(cct, ctl, s,
- rgw::auth::LocalApplier(cct, user_info, subuser, perm_mask));
+ rgw::auth::LocalApplier(cct, user_info, subuser, perm_mask, access_key_id));
/* TODO(rzarzynski): replace with static_ptr. */
return aplptr_t(new decltype(apl)(std::move(apl)));
}
formatter->close_section();
}
}
-
+ if (!entry.access_key_id.empty()) {
+ formatter->dump_string("access_key_id", entry.access_key_id);
+ }
+ if (!entry.subuser.empty()) {
+ formatter->dump_string("subuser", entry.subuser);
+ }
+ formatter->dump_bool("temp_url", entry.temp_url);
formatter->close_section();
}
if (s->auth.identity) {
entry.identity_type = s->auth.identity->get_identity_type();
+ s->auth.identity->write_ops_log_entry(entry);
} else {
entry.identity_type = TYPE_NONE;
}
string trans_id;
std::vector<string> token_claims;
uint32_t identity_type;
+ std::string access_key_id;
+ std::string subuser;
+ bool temp_url {false};
void encode(bufferlist &bl) const {
- ENCODE_START(12, 5, bl);
+ ENCODE_START(13, 5, bl);
encode(object_owner.id, bl);
encode(bucket_owner.id, bl);
encode(bucket, bl);
encode(trans_id, bl);
encode(token_claims, bl);
encode(identity_type,bl);
+ encode(access_key_id, bl);
+ encode(subuser, bl);
+ encode(temp_url, bl);
ENCODE_FINISH(bl);
}
void decode(bufferlist::const_iterator &p) {
- DECODE_START_LEGACY_COMPAT_LEN(12, 5, 5, p);
+ DECODE_START_LEGACY_COMPAT_LEN(13, 5, 5, p);
decode(object_owner.id, p);
if (struct_v > 3)
decode(bucket_owner.id, p);
if (struct_v >= 12) {
decode(identity_type, p);
}
+ if (struct_v >= 13) {
+ decode(access_key_id, p);
+ decode(subuser, p);
+ decode(temp_url, p);
+ }
DECODE_FINISH(p);
}
void dump(ceph::Formatter *f) const;
token.id,
RGW_PERM_FULL_CONTROL,
acct_privilege_t::IS_PLAIN_ACCT,
+ rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY,
+ rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
TYPE_LDAP
};
}
return result_t::deny(-ERR_SIGNATURE_NO_MATCH);
}
- auto apl = apl_factory->create_apl_local(cct, s, user_info, k.subuser, boost::none);
+ auto apl = apl_factory->create_apl_local(cct, s, user_info, k.subuser, boost::none, access_key_id);
return result_t::grant(std::move(apl), completer_factory(k.key));
}
token.acct_name,
token.perm_mask,
(token.is_admin) ? acct_privilege_t::IS_ADMIN_ACCT: acct_privilege_t::IS_PLAIN_ACCT,
+ token.access_key_id,
+ rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
token.acct_type
};
}
return result_t::grant(std::move(apl), completer_factory(token.secret_access_key));
} else { // This is for all local users of type TYPE_RGW or TYPE_NONE
string subuser;
- auto apl = local_apl_factory->create_apl_local(cct, s, user_info, subuser, token.perm_mask);
+ auto apl = local_apl_factory->create_apl_local(cct, s, user_info, subuser, token.perm_mask, std::string(_access_key_id));
return result_t::grant(std::move(apl), completer_factory(token.secret_access_key));
}
}
}
+void TempURLApplier::write_ops_log_entry(rgw_log_entry& entry) const
+{
+ LocalApplier::write_ops_log_entry(entry);
+ entry.temp_url = true;
+}
+
/* TempURL: engine */
bool TempURLEngine::is_applicable(const req_state* const s) const noexcept
{
auto apl = apl_factory->create_apl_local(cct, s, tmp_uinfo,
extract_swift_subuser(swift_user),
- boost::none);
+ boost::none,
+ rgw::auth::LocalApplier::NO_ACCESS_KEY);
return result_t::grant(std::move(apl));
}
auto apl = apl_factory->create_apl_local(cct, s, user_info,
extract_swift_subuser(swift_user),
- boost::none);
+ boost::none, rgw::auth::LocalApplier::NO_ACCESS_KEY);
return result_t::grant(std::move(apl));
}
public:
TempURLApplier(CephContext* const cct,
const RGWUserInfo& user_info)
- : LocalApplier(cct, user_info, LocalApplier::NO_SUBUSER, boost::none) {
+ : LocalApplier(cct, user_info, LocalApplier::NO_SUBUSER, boost::none, LocalApplier::NO_ACCESS_KEY) {
};
void modify_request_state(const DoutPrefixProvider* dpp, req_state * s) const override; /* in/out */
+ void write_ops_log_entry(rgw_log_entry& entry) const override;
struct Factory {
virtual ~Factory() {}
public:
SwiftAnonymousApplier(CephContext* const cct,
const RGWUserInfo& user_info)
- : LocalApplier(cct, user_info, LocalApplier::NO_SUBUSER, boost::none) {
+ : LocalApplier(cct, user_info, LocalApplier::NO_SUBUSER, boost::none, LocalApplier::NO_ACCESS_KEY) {
};
bool is_admin_of(const rgw_user& uid) const {return false;}
bool is_owner_of(const rgw_user& uid) const {return uid.id.compare(RGW_USER_ANON_ID) == 0;}
const req_state* const s,
const RGWUserInfo& user_info,
const std::string& subuser,
- const boost::optional<uint32_t>& perm_mask) const override {
+ const boost::optional<uint32_t>& perm_mask,
+ const std::string& access_key_id) const override {
auto apl = \
rgw::auth::add_3rdparty(ctl, rgw_user(s->account_name),
rgw::auth::add_sysreq(cct, ctl, s,
- rgw::auth::LocalApplier(cct, user_info, subuser, perm_mask)));
+ rgw::auth::LocalApplier(cct, user_info, subuser, perm_mask, access_key_id)));
/* TODO(rzarzynski): replace with static_ptr. */
return aplptr_t(new decltype(apl)(std::move(apl)));
}
projects / ceph.git / commitdiff