rgw: link account root to account user index

account root users were not linked to the account's user index because
they're not visible to iam apis like ListUsers

but now that 'account rm' is prevented from deleting the account while
users are still present, we want account root users to prevent deletion
too

add root users back to the account user index, but filter them out of
the iam user apis

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit b60335997266932f0a2c26fefc128732c66551a1)

diff --git a/src/rgw/rgw_rest_iam_user.cc b/src/rgw/rgw_rest_iam_user.cc
index 06c0d5bde0834d3700fea769293b5b36ffce0a5e..ae413e6d1856e042fb93261217596491cb24fe37 100644 (file)
--- a/src/rgw/rgw_rest_iam_user.cc
+++ b/src/rgw/rgw_rest_iam_user.cc
@@ -275,7 +275,9 @@ int RGWGetUser_IAM::init_processing(optional_yield y)
   const std::string& tenant = s->auth.identity->get_tenant();
   int r = driver->load_account_user_by_name(this, y, account_id,
                                             tenant, username, &user);
-  if (r == -ENOENT) {
+  // root user is hidden from user apis
+  const bool is_root = (user && user->get_type() == TYPE_ROOT);
+  if (r == -ENOENT || is_root) {
     s->err.message = "No such UserName in the account";
     return -ERR_NO_SUCH_ENTITY;
   }
@@ -375,7 +377,9 @@ int RGWUpdateUser_IAM::init_processing(optional_yield y)
   const std::string& tenant = s->auth.identity->get_tenant();
   int r = driver->load_account_user_by_name(this, y, account_id,
                                             tenant, username, &user);
-  if (r == -ENOENT) {
+  // root user is hidden from user apis
+  const bool is_root = (user && user->get_type() == TYPE_ROOT);
+  if (r == -ENOENT || is_root) {
     s->err.message = "No such UserName in the account";
     return -ERR_NO_SUCH_ENTITY;
   }
@@ -514,7 +518,9 @@ int RGWDeleteUser_IAM::init_processing(optional_yield y)
   const std::string& tenant = s->auth.identity->get_tenant();
   int r = driver->load_account_user_by_name(this, y, account_id,
                                             tenant, username, &user);
-  if (r == -ENOENT) {
+  // root user is hidden from user apis
+  const bool is_root = (user && user->get_type() == TYPE_ROOT);
+  if (r == -ENOENT || is_root) {
     s->err.message = "No such UserName in the account";
     return -ERR_NO_SUCH_ENTITY;
   }
@@ -764,6 +770,9 @@ void RGWListUsers_IAM::send_response_data(std::span<RGWUserInfo> users)
   }
 
   for (const auto& info : users) {
+    if (info.type == TYPE_ROOT) {
+      continue; // root user is hidden from user apis
+    }
     s->formatter->open_object_section("member");
     dump_iam_user(info, s->formatter);
     s->formatter->close_section(); // member
@@ -838,7 +847,9 @@ int RGWCreateAccessKey_IAM::init_processing(optional_yield y)
   const std::string& tenant = s->auth.identity->get_tenant();
   int r = driver->load_account_user_by_name(this, y, account_id,
                                             tenant, username, &user);
-  if (r == -ENOENT) {
+  // root user is hidden from user apis
+  const bool is_root = (user && user->get_type() == TYPE_ROOT);
+  if (r == -ENOENT || is_root) {
     s->err.message = "No such UserName in the account";
     return -ERR_NO_SUCH_ENTITY;
   }
@@ -1059,7 +1070,9 @@ int RGWUpdateAccessKey_IAM::init_processing(optional_yield y)
   const std::string& tenant = s->auth.identity->get_tenant();
   int r = driver->load_account_user_by_name(this, y, account_id,
                                             tenant, username, &user);
-  if (r == -ENOENT) {
+  // root user is hidden from user apis
+  const bool is_root = (user && user->get_type() == TYPE_ROOT);
+  if (r == -ENOENT || is_root) {
     s->err.message = "No such UserName in the account";
     return -ERR_NO_SUCH_ENTITY;
   }
@@ -1205,7 +1218,9 @@ int RGWDeleteAccessKey_IAM::init_processing(optional_yield y)
   const std::string& tenant = s->auth.identity->get_tenant();
   int r = driver->load_account_user_by_name(this, y, account_id,
                                             tenant, username, &user);
-  if (r == -ENOENT) {
+  // root user is hidden from user apis
+  const bool is_root = (user && user->get_type() == TYPE_ROOT);
+  if (r == -ENOENT || is_root) {
     s->err.message = "No such UserName in the account";
     return -ERR_NO_SUCH_ENTITY;
   }
@@ -1350,7 +1365,9 @@ int RGWListAccessKeys_IAM::init_processing(optional_yield y)
   const std::string& tenant = s->auth.identity->get_tenant();
   r = driver->load_account_user_by_name(this, y, account_id,
                                         tenant, username, &user);
-  if (r == -ENOENT) {
+  // root user is hidden from user apis
+  const bool is_root = (user && user->get_type() == TYPE_ROOT);
+  if (r == -ENOENT || is_root) {
     return -ERR_NO_SUCH_ENTITY;
   }
   return r;

diff --git a/src/rgw/services/svc_user_rados.cc b/src/rgw/services/svc_user_rados.cc
index c061b964239f26550da82009ca6643c4683d169d..a7cdc08185e326a7c6026617ffa24a52e24c1a23 100644 (file)
--- a/src/rgw/services/svc_user_rados.cc
+++ b/src/rgw/services/svc_user_rados.cc
@@ -164,7 +164,7 @@ struct users_entry {
 };
 
 static users_entry account_users_link(const RGWUserInfo* info) {
-  if (info && !info->account_id.empty() && info->type != TYPE_ROOT) {
+  if (info && !info->account_id.empty()) {
     return {info->account_id, info->path, info->display_name};
   }
   return {};