std::unique_ptr<RGWRole> DaosStore::get_role(
std::string name, std::string tenant, rgw_account_id account_id, std::string path,
- std::string trust_policy, std::string max_session_duration_str,
+ std::string trust_policy, std::string description, std::string max_session_duration_str,
std::multimap<std::string, std::string> tags) {
RGWRole* p = nullptr;
return std::unique_ptr<RGWRole>(p);
std::unique_ptr<LuaManager> get_lua_manager(const DoutPrefixProvider *dpp = nullptr, const std::string& luarocks_path = "") override;
virtual std::unique_ptr<RGWRole> get_role(
std::string name, std::string tenant, rgw_account_id account_id, std::string path = "",
- std::string trust_policy = "", std::string max_session_duration_str = "",
+ std::string trust_policy = "", std::string description = "", std::string max_session_duration_str = "",
std::multimap<std::string, std::string> tags = {}) override;
virtual std::unique_ptr<RGWRole> get_role(const RGWRoleInfo& info) override;
virtual std::unique_ptr<RGWRole> get_role(std::string id) override;
rgw_account_id account_id,
std::string path,
std::string trust_policy,
+ std::string description,
std::string max_session_duration_str,
std::multimap<std::string,std::string> tags)
{
rgw_account_id account_id,
std::string path="",
std::string trust_policy="",
+ std::string description="",
std::string max_session_duration_str="",
std::multimap<std::string, std::string> tags={}) override;
virtual std::unique_ptr<RGWRole> get_role(const RGWRoleInfo& info) override;
rgw_account_id account_id,
std::string path,
std::string trust_policy,
+ std::string description,
std::string max_session_duration_str,
std::multimap<std::string,std::string> tags)
{
- return std::make_unique<RadosRole>(this, name, tenant, std::move(account_id), path, trust_policy, max_session_duration_str, tags);
+ return std::make_unique<RadosRole>(this, name, tenant, std::move(account_id), path, trust_policy, std::move(description), max_session_duration_str, tags);
}
std::unique_ptr<RGWRole> RadosStore::get_role(std::string id)
rgw_account_id account_id,
std::string path="",
std::string trust_policy="",
+ std::string description="",
std::string max_session_duration_str="",
std::multimap<std::string,std::string> tags={}) override;
virtual std::unique_ptr<RGWRole> get_role(std::string id) override;
rgw_account_id account_id,
std::string path,
std::string trust_policy,
+ std::string description,
std::string max_session_duration,
std::multimap<std::string,std::string> tags)
- : RGWRole(name, tenant, std::move(account_id), path, trust_policy, max_session_duration, tags), store(_store) {}
+ : RGWRole(name, tenant, std::move(account_id), path, trust_policy, std::move(description), max_session_duration, tags), store(_store) {}
RadosRole(RadosStore* _store, std::string id) : RGWRole(id), store(_store) {}
RadosRole(RadosStore* _store, const RGWRoleInfo& info) : RGWRole(info), store(_store) {}
RadosRole(RadosStore* _store) : store(_store) {}
cout << " --policy-name name of the policy document\n";
cout << " --policy-doc permission policy document\n";
cout << " --path-prefix path prefix for filtering roles\n";
+ cout << " --description Role description\n";
cout << "\nMFA options:\n";
cout << " --totp-serial a string that represents the ID of a TOTP token\n";
cout << " --totp-seed the secret seed that is used to calculate the TOTP\n";
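Review bot: The new help line `--description Role description` is the only entry in this block whose text starts with a capital letter; the neighbouring entries are lower-case phrases. `cout << " --description description of the role\n";` matches the surrounding style, and the same wording would apply to the copy of this line in the documentation file at the end of the diff. The help-printing function starts and ends outside the hunk.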
std::optional<string> opt_zonegroup_name, opt_zonegroup_id;
std::string api_name;
std::string role_name, path, assume_role_doc, policy_name, perm_policy_doc, path_prefix, max_session_duration;
+ std::string description;
std::string redirect_zone;
bool redirect_zone_set = false;
list<string> endpoints;
path_prefix = val;
} else if (ceph_argparse_witharg(args, i, &val, "--max-session-duration", (char*)NULL)) {
max_session_duration = val;
+ } else if (ceph_argparse_witharg(args, i, &val, "--description", (char*)NULL)) {
+ description = val;
} else if (ceph_argparse_witharg(args, i, &val, "--totp-serial", (char*)NULL)) {
totp_serial = val;
} else if (ceph_argparse_witharg(args, i, &val, "--totp-pin", (char*)NULL)) {
return -EINVAL;
}
std::unique_ptr<rgw::sal::RGWRole> role = driver->get_role(role_name, tenant, account_id, path,
- assume_role_doc, max_session_duration);
+ assume_role_doc, description, max_session_duration);
ret = role->create(dpp(), true, "", null_yield);
if (ret < 0) {
return -ret;
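Review bot: The description handed to `driver->get_role(...)` from the `--description` option is not length-checked on this path, while the REST CreateRole and UpdateRole handlers in the same change reject descriptions longer than 1000; the admin tool can therefore persist values the API would refuse. A guard such as `if (description.size() > 1000) { cerr << "description exceeds maximum length of 1000 characters" << std::endl; return EINVAL; }` before the create call keeps stored data consistent regardless of entry point (adjust the return convention to what this command handler uses). The enclosing handler starts and ends outside the hunk.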
encode_json("Path", role.path, f);
encode_json("Arn", role.arn, f);
encode_json("CreateDate", role.creation_date, f);
+ encode_json("Description", role.description, f);
encode_json("MaxSessionDuration", role.max_session_duration, f);
encode_json("AssumeRolePolicyDocument", role.trust_policy, f);
}
}
trust_policy = s->info.args.get("AssumeRolePolicyDocument");
+ description = s->info.args.get("Description");
max_session_duration = s->info.args.get("MaxSessionDuration");
if (trust_policy.empty()) {
s->cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals"));
}
catch (rgw::IAM::PolicyParseException& e) {
- ldpp_dout(this, 5) << "failed to parse policy: " << e.what() << dendl;
+ ldpp_dout(this, 5) << "failed to parse policy '" << trust_policy << "' with: " << e.what() << dendl;
s->err.message = e.what();
return -ERR_MALFORMED_DOC;
}
+ if (description.size() > 1000) {
+ s->err.message = "Description exceeds maximum length of 1000 characters.";
+ return -EINVAL;
+ }
int ret = parse_tags(this, s->info.args.get_params(), tags, s->err.message);
if (ret < 0) {
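Review bot: The rewritten `ldpp_dout(this, 5)` line echoes the whole client-supplied AssumeRolePolicyDocument into the log on every parse failure; the document is unbounded and may contain newlines, so a caller can inflate or shape log output at a level that may be enabled in production. Consider keeping the level-5 message short and emitting the document at a verbose level, e.g. `ldpp_dout(this, 20) << "rejected policy document: " << trust_policy << dendl;`, or truncating it. Separately, the limit and message in the new `description.size() > 1000` check are duplicated verbatim in the UpdateRole handler further down; a shared constant such as `constexpr size_t MAX_ROLE_DESCRIPTION_LEN = 1000;` would keep the two paths from drifting. Note that `size()` counts bytes, so if the intent is 1000 characters as the error text says, multi-byte UTF-8 descriptions are rejected earlier than that. The enclosing function continues outside the hunk.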
account_id,
role_path,
trust_policy,
+ description,
max_session_duration,
tags);
if (!user_tenant.empty() && role->get_tenant() != user_tenant) {
return -EINVAL;
}
+ description = s->info.args.get_optional("Description");
+ if (description && description->size() > 1000) {
+ s->err.message = "Description exceeds maximum length of 1000 characters.";
+ return -EINVAL;
+ }
+
max_session_duration = s->info.args.get("MaxSessionDuration");
return load_role(this, y, driver, s->owner.id, account_id,
}
}
+ if (description) {
+ role->get_info().description = std::move(*description);
+ }
role->update_max_session_duration(max_session_duration);
if (!role->validate_max_session_duration(this)) {
op_ret = -EINVAL;
#pragma once
+#include <boost/optional.hpp>
#include "common/async/yield_context.h"
#include "rgw_arn.h"
std::string role_name;
std::string role_path;
std::string trust_policy;
+ std::string description;
std::string max_session_duration;
std::multimap<std::string, std::string> tags;
public:
class RGWUpdateRole : public RGWRestRole {
bufferlist bl_post_body;
std::string role_name;
+ boost::optional<std::string> description;
std::string max_session_duration;
std::unique_ptr<rgw::sal::RGWRole> role;
public:
encode_json("Path", path, f);
encode_json("Arn", arn, f);
encode_json("CreateDate", creation_date, f);
+ encode_json("Description", description, f);
encode_json("MaxSessionDuration", max_session_duration, f);
encode_json("AssumeRolePolicyDocument", trust_policy, f);
encode_json("AccountId", account_id, f);
JSONDecoder::decode_json("Path", path, obj);
JSONDecoder::decode_json("Arn", arn, obj);
JSONDecoder::decode_json("CreateDate", creation_date, obj);
+ JSONDecoder::decode_json("Description", description, obj);
JSONDecoder::decode_json("MaxSessionDuration", max_session_duration, obj);
JSONDecoder::decode_json("AssumeRolePolicyDocument", trust_policy, obj);
JSONDecoder::decode_json("AccountId", account_id, obj);
rgw_account_id account_id,
std::string path,
std::string trust_policy,
+ std::string description,
std::string max_session_duration_str,
std::multimap<std::string,std::string> tags)
{
if (this->info.path.empty())
this->info.path = "/";
extract_name_tenant(this->info.name);
+ info.description = std::move(description);
if (max_session_duration_str.empty()) {
info.max_session_duration = SESSION_DURATION_MIN;
} else {
std::string trust_policy;
std::map<std::string, std::string> perm_policy_map;
std::string tenant;
- uint64_t max_session_duration;
+ std::string description;
+ uint64_t max_session_duration = 0;
std::multimap<std::string,std::string> tags;
std::map<std::string, bufferlist> attrs;
RGWObjVersionTracker objv_tracker;
encode(tenant, bl);
encode(max_session_duration, bl);
encode(account_id, bl);
+ encode(description, bl);
ENCODE_FINISH(bl);
}
}
if (struct_v >= 4) {
decode(account_id, bl);
+ decode(description, bl);
}
DECODE_FINISH(bl);
}
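Review bot: `decode(description, bl)` is guarded by `struct_v >= 4`, the same version that guards `account_id`, and the matching `encode(description, bl)` in the encode hunk above shows no ENCODE_START bump. If any build has already written version-4 objects without a description, decoding them will read past the end of the buffer on the new field; in that case the version should be raised to 5 and the new field guarded with `if (struct_v >= 5) { decode(description, bl); }`. Reusing version 4 is only safe if that version has never shipped, which is worth confirming. The ENCODE_START/DECODE_START lines are outside both hunks.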
rgw_account_id account_id,
std::string path="",
std::string trust_policy="",
+ std::string description="",
std::string max_session_duration_str="",
std::multimap<std::string,std::string> tags={});
rgw_account_id account_id,
std::string path="",
std::string trust_policy="",
+ std::string description="",
std::string max_session_duration_str="",
std::multimap<std::string,std::string> tags={}) = 0;
/** Get an IAM Role by ID */
rgw_account_id account_id,
std::string path,
std::string trust_policy,
+ std::string description,
std::string max_session_duration_str,
std::multimap<std::string,std::string> tags)
{
rgw_account_id account_id,
std::string path="",
std::string trust_policy="",
+ std::string description="",
std::string max_session_duration_str="",
std::multimap<std::string,std::string> tags={}) override;
virtual std::unique_ptr<RGWRole> get_role(std::string id) override;
rgw_account_id account_id,
std::string path,
std::string trust_policy,
+ std::string description,
std::string max_session_duration_str,
std::multimap<std::string,std::string> tags)
{
- return next->get_role(name, tenant, std::move(account_id), path, trust_policy, max_session_duration_str, tags);
+ return next->get_role(name, tenant, std::move(account_id), path, trust_policy, std::move(description), max_session_duration_str, tags);
}
std::unique_ptr<RGWRole> FilterDriver::get_role(std::string id)
rgw_account_id account_id,
std::string path="",
std::string trust_policy="",
- std::string
- max_session_duration_str="",
+ std::string description="",
+ std::string max_session_duration_str="",
std::multimap<std::string,std::string> tags={}) override;
virtual std::unique_ptr<RGWRole> get_role(std::string id) override;
virtual std::unique_ptr<RGWRole> get_role(const RGWRoleInfo& info) override;
--policy-name name of the policy document
--policy-doc permission policy document
--path-prefix path prefix for filtering roles
+ --description Role description
MFA options:
--totp-serial a string that represents the ID of a TOTP token