return ret;
}
- info->identity = rgw::auth::transform_old_authinfo(sync_env->cct,
- uid,
+ info->identity = rgw::auth::transform_old_authinfo(sync_env->cct, uid,
+ info->user_info.display_name,
RGW_PERM_FULL_CONTROL,
false, /* system_request? */
TYPE_RGW);
std::unique_ptr<rgw::auth::Identity>
transform_old_authinfo(CephContext* const cct,
const rgw_user& auth_id,
+ const std::string& display_name,
const int perm_mask,
const bool is_admin,
const uint32_t type)
* the identity info as this was the policy for doing that before the
* new auth. */
const rgw_user id;
+ const std::string display_name;
const int perm_mask;
const bool is_admin;
const uint32_t type;
public:
DummyIdentityApplier(CephContext* const cct,
const rgw_user& auth_id,
+ const std::string display_name,
const int perm_mask,
const bool is_admin,
const uint32_t type)
: cct(cct),
id(auth_id),
+ display_name(display_name),
perm_mask(perm_mask),
is_admin(is_admin),
type(type) {
}
+ ACLOwner get_aclowner() const {
+ ACLOwner owner;
+ owner.id = id;
+ owner.display_name = display_name;
+ return owner;
+ }
+
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
return rgw_perms_from_aclspec_default_strategy(id, aclspec, dpp);
}
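Review bot: The new constructor parameter `const std::string display_name` is taken by value and then copied again into the `const std::string display_name` member in the initializer list, and because the parameter is const it cannot be moved from, so every DummyIdentityApplier pays two copies. The free function transform_old_authinfo in the same change takes `const std::string& display_name`; the constructor should match it with `const std::string& display_name,` so the member initializer makes the single copy. The added get_aclowner() itself is straightforward and mirrors the id/display_name pair the class already stores.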
return std::unique_ptr<rgw::auth::Identity>(
new DummyIdentityApplier(cct,
auth_id,
+ display_name,
perm_mask,
is_admin,
type));
{
return transform_old_authinfo(s->cct,
s->user->get_id(),
+ s->user->get_display_name(),
s->perm_mask,
/* System user has admin permissions by default - it's supposed to pass
* through any security check. */
const std::string rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY;
/* rgw::auth::RemoteAuthApplier */
+ACLOwner rgw::auth::RemoteApplier::get_aclowner() const
+{
+ ACLOwner owner;
+ owner.id = info.acct_user;
+ owner.display_name = info.acct_name;
+ return owner;
+}
+
uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const
{
uint32_t perm = 0;
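Review bot: RemoteApplier::get_aclowner() reports `info.acct_user` as the owner id, but this class also carries an `implicit_tenant_bit` (visible in the header hunk of this change), which suggests the account actually created for a remote identity may carry a tenant that the raw `info.acct_user` does not. If that is the case, objects created with this owner would be stamped with an id that differs from the user record that was loaded, and `is_owner_of()` (overridden by this class, body outside this hunk) might compare against a different form. Please confirm the id returned here is the same form that is_owner_of() accepts, or derive it from the loaded user record instead; a one-line comment such as `// NOTE: must agree with is_owner_of() under implicit tenants` would record the invariant either way. The remainder of the RemoteApplier implementation is outside this hunk.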
const std::string rgw::auth::LocalApplier::NO_SUBUSER;
const std::string rgw::auth::LocalApplier::NO_ACCESS_KEY;
+ACLOwner rgw::auth::LocalApplier::get_aclowner() const
+{
+ ACLOwner owner;
+ owner.id = user_info.user_id;
+ owner.display_name = user_info.display_name;
+ return owner;
+}
+
uint32_t rgw::auth::LocalApplier::get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const
{
return rgw_perms_from_aclspec_default_strategy(user_info.user_id, aclspec, dpp);
entry.subuser = subuser;
}
+ACLOwner rgw::auth::RoleApplier::get_aclowner() const
+{
+ ACLOwner owner;
+ owner.id = token_attrs.user_id;
+ owner.display_name = role.name;
+ return owner;
+}
+
void rgw::auth::RoleApplier::to_str(std::ostream& out) const {
out << "rgw::auth::RoleApplier(role name =" << role.name;
for (auto& policy: role.role_policies) {
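Review bot: RoleApplier::get_aclowner() pairs `token_attrs.user_id` as the owner id with `role.name` as the display name, so the display name does not describe the principal named by the id; that is probably intentional (resources created under an assumed role show the role), but it is the one implementation in this change where the two fields come from different sources and deserves a comment. Suggest `// id is the assuming principal from the token; the role name is shown as display_name` above the assignments, and confirm with the author that callers never use display_name to identify the owner.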
virtual ~Identity() = default;
+ /* Return the ACLOwner for resources created by this identity. */
+ virtual ACLOwner get_aclowner() const = 0;
+
/* Translate the ACL provided in @aclspec into concrete permission set that
* can be used during the authorization phase (RGWOp::verify_permission).
* On error throws rgw::auth::Exception storing the reason.
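Review bot: The doc comment on the new pure virtual `get_aclowner()` should state the contract the implementations in this change rely on, since several of them build the owner id from different fields (account user, token user id, a constructed oidc rgw_user) and one returns `{}`. Suggest expanding the comment to say that the returned `id` must be a principal that this identity's `is_owner_of()` recognizes, that `display_name` is informational only and is never used for authorization, and that implementations which cannot own resources return a default-constructed ACLOwner. This keeps future Identity subclasses from returning an id that ownership checks would not match.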
std::unique_ptr<rgw::auth::Identity>
transform_old_authinfo(CephContext* const cct,
const rgw_user& auth_id,
+ const std::string& display_name,
const int perm_mask,
const bool is_admin,
const uint32_t type);
void modify_request_state(const DoutPrefixProvider *dpp, req_state* s) const override;
+ ACLOwner get_aclowner() const override {
+ ACLOwner owner;
+ owner.id = rgw_user{role_tenant, sub, "oidc"};
+ owner.display_name = user_name;
+ return owner;
+ }
+
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
return RGW_PERM_NONE;
}
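Review bot: get_aclowner() here constructs the owner id inline as `rgw_user{role_tenant, sub, "oidc"}`; if the same rgw_user is built elsewhere in this class (for example for its ownership or account-loading paths, which are outside this hunk), the two constructions can drift apart and ownership checks would then silently stop matching objects created through this path. Suggest factoring it into a single private helper, e.g. `rgw_user oidc_user() const { return rgw_user{role_tenant, sub, "oidc"}; }`, and using it from every place that needs the identity's rgw_user. Note also that this identity's get_perms_from_aclspec() returns RGW_PERM_NONE, so any access to resources stamped with this owner must come from policy rather than the ACL; a short comment stating that would help readers of the new method.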
implicit_tenant_bit(implicit_tenant_bit) {
}
+ ACLOwner get_aclowner() const override;
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
bool is_admin_of(const rgw_user& uid) const override;
bool is_owner_of(const rgw_user& uid) const override;
access_key_id(access_key_id) {
}
-
+ ACLOwner get_aclowner() const override;
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
bool is_admin_of(const rgw_user& uid) const override;
bool is_owner_of(const rgw_user& uid) const override;
: role(role),
token_attrs(token_attrs) {}
+ ACLOwner get_aclowner() const override;
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
return 0;
}
: decoratee(std::forward<DecorateeT>(decoratee)) {
}
+ ACLOwner get_aclowner() const override {
+ return get_decoratee().get_aclowner();
+ }
+
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
return get_decoratee().get_perms_from_aclspec(dpp, aclspec);
}
public:
explicit FakeIdentity(Principal&& id) : id(std::move(id)) {}
+
+ ACLOwner get_aclowner() const override {
+ ceph_abort();
+ return {};
+ }
+
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
ceph_abort();
return 0;
public:
FakeIdentity() = default;
+ ACLOwner get_aclowner() const override {
+ return {};
+ }
+
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
return 0;
};