rgw: configurable set of enabled apis
authorYehuda Sadeh <yehuda@inktank.com>
Tue, 25 Sep 2012 18:57:04 +0000 (11:57 -0700)
committerYehuda Sadeh <yehuda@inktank.com>
Mon, 8 Oct 2012 18:25:00 +0000 (11:25 -0700)
We can now specify which set of apis the gateway supports. Also,
the passed resource should not start with a slash; we prepend that
automatically.

Signed-off-by: Yehuda Sadeh <yehuda@inktank.com>
src/common/config_opts.h
src/rgw/rgw_common.cc
src/rgw/rgw_common.h
src/rgw/rgw_main.cc
src/rgw/rgw_rest.cc
src/rgw/rgw_rest.h
src/rgw/rgw_rest_usage.cc
src/rgw/rgw_rest_usage.h

index f2a0089da725dc1d16ab57b51a51db1860fd8a67..f6a8ed6aab95835100338f848203298d8f19a438 100644 (file)
@@ -397,6 +397,7 @@ OPTION(rbd_cache_max_dirty, OPT_LONGLONG, 24<<20)    // dirty limit in bytes - s
 OPTION(rbd_cache_target_dirty, OPT_LONGLONG, 16<<20) // target dirty limit in bytes
 OPTION(rbd_cache_max_dirty_age, OPT_FLOAT, 1.0)      // seconds in cache before writeback starts
 OPTION(rgw_data, OPT_STR, "/var/lib/ceph/radosgw/$cluster-$id")
+OPTION(rgw_enable_apis, OPT_STR, "s3, swift, swift_auth, admin")
 OPTION(rgw_cache_enabled, OPT_BOOL, true)   // rgw cache enabled
 OPTION(rgw_cache_lru_size, OPT_INT, 10000)   // num of entries in rgw cache
 OPTION(rgw_socket_path, OPT_STR, "")   // path to unix domain socket, if not specified, rgw will not run as external fcgi
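Review bot: The new `rgw_enable_apis` option has no trailing comment, so nothing at the definition states which tokens are accepted or that the admin API is part of the default set. I would add `// comma-separated list of APIs to serve: s3, swift, swift_auth, admin` on that line. Since `admin` is in the default, a gateway that does not need the admin interface only loses it when the operator removes the token explicitly, which is worth saying in the option's documentation.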
@@ -404,6 +405,7 @@ OPTION(rgw_dns_name, OPT_STR, "")
 OPTION(rgw_swift_url, OPT_STR, "")              // 
 OPTION(rgw_swift_url_prefix, OPT_STR, "swift")  // 
 OPTION(rgw_swift_auth_entry, OPT_STR, "auth")  // entry point for which a url is considered a swift auth url
+OPTION(rgw_admin_entry, OPT_STR, "admin")  // entry point for which a url is considered an admin request
 OPTION(rgw_enforce_swift_acls, OPT_BOOL, true)
 OPTION(rgw_print_continue, OPT_BOOL, true)  // enable if 100-Continue works
 OPTION(rgw_remote_addr_param, OPT_STR, "REMOTE_ADDR")  // e.g. X-Forwarded-For, if you have a reverse proxy
index 7e1a3d9680757c5edc03c986aa573ff05aeeaf38..7261b147ad1a19db480d25470f47db9f1f1ec92a 100644 (file)
@@ -686,12 +686,15 @@ void RGWUserCaps::dump(Formatter *f) const
   f->close_section();
 }
 
-bool RGWUserCaps::check_cap(const string& cap, uint32_t perm)
+int RGWUserCaps::check_cap(const string& cap, uint32_t perm)
 {
   map<string, uint32_t>::iterator iter = caps.find(cap);
-  if (iter == caps.end())
-    return false;
 
-  return (iter->second & perm) == perm;
+  if ((iter == caps.end()) ||
+      (iter->second & perm) != perm) {
+    return -EPERM;
+  }
+
+  return 0;
 }
 
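Review bot: Changing `check_cap` from `bool` to `int` with 0 meaning "allowed" inverts its truthiness, and a caller that still writes `if (caps.check_cap(...))` compiles without a warning while now treating -EPERM as a grant and 0 as a denial. The two callers visible in this commit (rgw_rest_usage.cc) return the value as an error code and are fine; any other caller is outside this diff and should be checked before merging. I would document the contract at the definition and at the declaration in rgw_common.h, e.g. `/* returns 0 if every bit in perm is granted for cap, -EPERM otherwise */`.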
index 3535b985ff6022fd0ccdd1de6ea474b03e06f183..162838ba4711a8fda7fa9851268a5cdfcee03e56 100644 (file)
@@ -335,7 +335,7 @@ public:
      ::decode(caps, bl);
      DECODE_FINISH(bl);
   }
-  bool check_cap(const string& cap, uint32_t perm);
+  int check_cap(const string& cap, uint32_t perm);
   void dump(Formatter *f) const;
 };
 WRITE_CLASS_ENCODER(RGWUserCaps);
index 26e371e0e6c640e62b3f796e7ab54eb43d676d89..d088abe149cc5e8f0a7b0035b5fc709ec26b447d 100644 (file)
@@ -27,6 +27,7 @@
 #include "common/WorkQueue.h"
 #include "common/Timer.h"
 #include "common/Throttle.h"
+#include "include/str_list.h"
 #include "rgw_common.h"
 #include "rgw_rados.h"
 #include "rgw_acl.h"
@@ -451,13 +452,29 @@ int main(int argc, const char **argv)
 
   RGWREST rest;
 
-  rest.register_default_mgr(new RGWRESTMgr_S3);
-  rest.register_resource(g_conf->rgw_swift_url_prefix, new RGWRESTMgr_SWIFT);
-  rest.register_resource(g_conf->rgw_swift_auth_entry, new RGWRESTMgr_SWIFT_Auth);
+  list<string> apis;
 
-  RGWRESTMgr_Admin *admin_resource = new RGWRESTMgr_Admin;
-  admin_resource->register_resource("/usage", new RGWRESTMgr_Usage);
-  rest.register_resource("/admin", admin_resource);
+  get_str_list(g_conf->rgw_enable_apis, apis);
+
+  map<string, bool> apis_map;
+  for (list<string>::iterator li = apis.begin(); li != apis.end(); ++li) {
+    apis_map[*li] = true;
+  }
+
+  if (apis_map.count("s3") > 0)
+    rest.register_default_mgr(new RGWRESTMgr_S3);
+
+  if (apis_map.count("swift") > 0)
+    rest.register_resource(g_conf->rgw_swift_url_prefix, new RGWRESTMgr_SWIFT);
+
+  if (apis_map.count("swift_auth") > 0)
+    rest.register_resource(g_conf->rgw_swift_auth_entry, new RGWRESTMgr_SWIFT_Auth);
+
+  if (apis_map.count("admin") > 0) {
+    RGWRESTMgr_Admin *admin_resource = new RGWRESTMgr_Admin;
+    admin_resource->register_resource("usage", new RGWRESTMgr_Usage);
+    rest.register_resource(g_conf->rgw_admin_entry, admin_resource);
+  }
 
   RGWProcess process(g_ceph_context, g_conf->rgw_thread_pool_size, &rest);
   process.run();
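Review bot: The swift, swift_auth and admin branches pass `g_conf->rgw_swift_url_prefix`, `rgw_swift_auth_entry` and `rgw_admin_entry` to `register_resource` without checking them. Because this commit makes `register_resource` prepend "/", an empty value registers the bare resource "/", and if `get_resource_mgr` matches by prefix (its matching code is outside the diff) that manager could receive requests meant for another API. A value that still carries a leading slash from an older configuration becomes "//admin" and presumably never matches. I would skip registration on an empty entry, e.g. `if (apis_map.count("admin") > 0 && !g_conf->rgw_admin_entry.empty()) {` (assuming the option is a std::string), and log both that case and any name in `rgw_enable_apis` that is not recognised, since such names are currently dropped silently. main's body starts and ends outside the hunk.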
index 7394a8f1eb2a1a662e1c785f783129a6bdf72b7a..2ed495396f4da5e4275145e747b9f17b950e719d 100644 (file)
@@ -642,6 +642,11 @@ void RGWRESTOp::send_response()
   flusher.flush();
 }
 
+int RGWRESTOp::verify_permission()
+{
+  return check_caps(s->user.caps);
+}
+
 static void line_unfold(const char *line, string& sdest)
 {
   char dest[strlen(line) + 1];
@@ -876,8 +881,10 @@ int RGWHandler_ObjStore::read_permissions(RGWOp *op_obj)
 
 void RGWRESTMgr::register_resource(string resource, RGWRESTMgr *mgr)
 {
-  resource_mgrs[resource] = mgr;
-  resources_by_size[resource.size()] = resource;
+  string r = "/";
+  r.append(resource);
+  resource_mgrs[r] = mgr;
+  resources_by_size.insert(pair<size_t, string>(r.size(), r));
 }
 
 void RGWRESTMgr::register_default_mgr(RGWRESTMgr *mgr)
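Review bot: `resource_mgrs[r] = mgr;` silently replaces a manager already registered under the same path, so two entry-point options set to the same value (for example `rgw_admin_entry` equal to `rgw_swift_url_prefix`) leave the earlier manager leaked and one API served by the other's handler. `resources_by_size`, now a multimap, also gains a second entry for the same string. I would detect the duplicate before inserting, e.g. `if (resource_mgrs.find(r) != resource_mgrs.end()) { /* log and refuse */ return; }`, and take `resource` as `const string&` since it is only read.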
@@ -891,7 +898,7 @@ RGWRESTMgr *RGWRESTMgr::get_resource_mgr(struct req_state *s, const string& uri)
   if (resources_by_size.empty())
     return this;
 
-  map<size_t, string>::reverse_iterator iter;
+  multimap<size_t, string>::reverse_iterator iter;
 
   for (iter = resources_by_size.rbegin(); iter != resources_by_size.rend(); ++iter) {
     string& resource = iter->second;
index 3e525d9caa11059fc98ba2672e0f1b777bdb9431..2750a24c47c82513a0a509ddade8a3175c4e2ca7 100644 (file)
@@ -191,6 +191,8 @@ public:
     flusher.init(s);
   }
   virtual void send_response();
+  virtual int check_caps(RGWUserCaps& caps) { return -EPERM; } /* should to be implemented! */
+  virtual int verify_permission();
 };
 
 class RGWHandler_ObjStore : public RGWHandler {
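Review bot: The default `check_caps` fails closed with -EPERM, which is the right default, but the only explanation is the inline `/* should to be implemented! */`, which has a typo and does not say that the denial is intentional. I would replace it with `/* default-deny: an op must override check_caps() to grant access */`. Because `verify_permission()` remains virtual, a subclass that overrides it directly (as the usage ops did with `return 0` before this commit) bypasses the caps check, so the comment should also say that ops are expected to override `check_caps` rather than `verify_permission`. The RGWRESTOp class body starts outside the hunk.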
@@ -222,7 +224,7 @@ class RGWHandler_ObjStore_S3;
 class RGWRESTMgr {
 protected:
   map<string, RGWRESTMgr *> resource_mgrs;
-  map<size_t, string> resources_by_size;
+  multimap<size_t, string> resources_by_size;
   RGWRESTMgr *default_mgr;
 
 public:
index ec9641588ea49742434dbe3b4ee94920145f78d4..37641dba3424434c489340ee9b8100ba465f2f9f 100644 (file)
@@ -2,12 +2,16 @@
 #include "rgw_usage.h"
 #include "rgw_rest_usage.h"
 
+#define dout_subsys ceph_subsys_rgw
+
 class RGWOp_Usage_Get : public RGWRESTOp {
 
 public:
   RGWOp_Usage_Get() {}
 
-  int verify_permission() { return 0; }
+  int check_caps(RGWUserCaps& caps) {
+    return caps.check_cap("usage", RGW_CAP_READ);
+  }
   void execute();
 
   virtual const char *name() { return "get_usage"; }
@@ -35,7 +39,9 @@ class RGWOp_Usage_Delete : public RGWRESTOp {
 public:
   RGWOp_Usage_Delete() {}
 
-  int verify_permission() { return 0; }
+  int check_caps(RGWUserCaps& caps) {
+    return caps.check_cap("usage", RGW_CAP_WRITE);
+  }
   void execute();
 
   virtual const char *name() { return "trim_usage"; }
index 6e5224ec0af25098451f7abba58f34cb84f188a3..a6eb3d57200f02db505ba7144011b841265e6aa2 100644 (file)
@@ -16,9 +16,6 @@ public:
   int read_permissions(RGWOp*) {
     return 0;
   }
-  int authorize() {
-    return 0;
-  }
 };
 
 class RGWRESTMgr_Usage : public RGWRESTMgr {