rgw/sts: code to add role tags as aws:PrincipalTags and
authorPritha Srivastava <prsrivas@redhat.com>
Thu, 3 Jun 2021 10:03:03 +0000 (15:33 +0530)
committerPritha Srivastava <prsrivas@redhat.com>
Wed, 1 Sep 2021 11:39:54 +0000 (17:09 +0530)
iam:ResourceTags.

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
src/rgw/rgw_auth.cc
src/rgw/rgw_auth.h
src/rgw/rgw_rest_sts.cc
src/rgw/rgw_rest_sts.h

index ea4f9ffd2e7723bb258b402fb839e8990a83b1a2..78d9ee5272b8fb59343be4fe9e9f5a81b2fcb6ae 100644 (file)
@@ -482,6 +482,20 @@ void rgw::auth::WebIdentityApplier::modify_request_state(const DoutPrefixProvide
       }
     }
   }
+
+  if (role_tags) {
+    for (auto& it : role_tags.get()) {
+      std::string p_key = "aws:PrincipalTag/";
+      p_key.append(it.first);
+      s->principal_tags.emplace_back(std::make_pair(p_key, it.second));
+      ldpp_dout(dpp, 10) << "Principal Tag Key: " << p_key << " Value: " << it.second << dendl;
+
+      std::string e_key = "iam:ResourceTag/";
+      e_key.append(it.first);
+      s->env.emplace(e_key, it.second);
+      ldpp_dout(dpp, 10) << "RGW Env Tag Key: " << e_key << " Value: " << it.second << dendl;
+    }
+  }
 }
 
 bool rgw::auth::WebIdentityApplier::is_identity(const idset_t& ids) const
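Review bot: Role tags are appended to `s->principal_tags` and inserted into `s->env` on lines 25 and 30 without checking whether a tag with the same key was already recorded earlier in modify_request_state (presumably from the token's session tags; that part of the function is above the hunk). A duplicate `aws:PrincipalTag/<key>` then appears twice in principal_tags with two values, and whether the `iam:ResourceTag/<key>` entry in env keeps the first value or both depends on the container type of `env`, which the hunk does not show; the precedence between session-supplied and role-supplied tags decides what the policy engine sees and should be made explicit. A comment such as `// tags from the assumed role; a key already set from session tags is not overridden here — confirm intended precedence` would make the chosen behaviour visible to the next reader. Minor style point on line 25: `emplace_back(p_key, it.second)` constructs the pair in place and does not need `std::make_pair`.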
index 82403fad8d4ab1e1d9b9ea592719c6d05b4aca70..c31e734a17bb3cecc53c3c7f57f2a5a4bb081a62 100644 (file)
@@ -375,6 +375,7 @@ protected:
   std::string role_session;
   std::string role_tenant;
   std::unordered_multimap<std::string, std::string> token_claims;
+  boost::optional<std::multimap<std::string,std::string>> role_tags;
   boost::optional<std::set<std::pair<std::string, std::string>>> principal_tags;
 
   std::string get_idp_url() const;
@@ -389,12 +390,14 @@ public:
                       const std::string& role_session,
                       const std::string& role_tenant,
                       const std::unordered_multimap<std::string, std::string>& token_claims,
+                      boost::optional<std::multimap<std::string,std::string>> role_tags,
                       boost::optional<std::set<std::pair<std::string, std::string>>> principal_tags)
       : cct(cct),
       store(store),
       role_session(role_session),
       role_tenant(role_tenant),
       token_claims(token_claims),
+      role_tags(role_tags),
       principal_tags(principal_tags) {
       const auto& sub = token_claims.find("sub");
       if(sub != token_claims.end()) {
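Review bot: `role_tags` is taken by value on line 50 and then copied again into the member on line 57; since the parameter is a sink, `role_tags(std::move(role_tags)),` avoids the second copy of the multimap, and the same applies to `principal_tags` on line 58 and to the by-value pass-through of both in the `create_apl_web_identity` override in rgw_rest_sts.h (line 143 of this diff). The constructor body continues past the end of the hunk.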
@@ -479,6 +482,7 @@ public:
                                               const std::string& role_session,
                                               const std::string& role_tenant,
                                               const std::unordered_multimap<std::string, std::string>& token,
+                                              boost::optional<std::multimap<std::string, std::string>>,
                                               boost::optional<std::set<std::pair<std::string, std::string>>> principal_tags) const = 0;
   };
 };
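Review bot: The new parameter on line 65 is the only one in this `create_apl_web_identity` declaration without a name, which makes the interface harder to read and to match against the override in rgw_rest_sts.h; write it as `boost::optional<std::multimap<std::string, std::string>> role_tags,`. The enclosing declaration starts above the hunk.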
@@ -718,7 +722,7 @@ public:
   }
   bool is_identity(const idset_t& ids) const override;
   uint32_t get_perm_mask() const override {
-    return RGW_PERM_NONE;
+    return RGW_PERM_NONE; 
   }
   void to_str(std::ostream& out) const override;
   void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
index 388fffd6ab4cdcbdbfee673c93d3df6e56a3feda..3e623e299d00f92393294026933dfca4d930aca8 100644 (file)
@@ -62,6 +62,23 @@ WebTokenEngine::get_role_tenant(const string& role_arn) const
   return tenant;
 }
 
+std::string
+WebTokenEngine::get_role_name(const string& role_arn) const
+{
+  string role_name;
+  auto r_arn = rgw::ARN::parse(role_arn);
+  if (r_arn) {
+    role_name = r_arn->resource;
+  }
+  if (!role_name.empty()) {
+    auto pos = role_name.find_last_of('/');
+    if(pos != string::npos) {
+      role_name = role_name.substr(pos + 1);
+    }
+  }
+  return role_name;
+}
+
 std::unique_ptr<rgw::sal::RGWOIDCProvider>
 WebTokenEngine::get_provider(const DoutPrefixProvider *dpp, const string& role_arn, const string& iss) const
 {
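Review bot: get_role_name returns whatever follows the last '/' of the parsed ARN's resource (lines 89–95) without verifying that the resource is actually of the `role/[path/]name` form, so a non-role ARN that parses successfully yields its trailing segment as the role name and only the later store lookup in authenticate (this diff, rgw_rest_sts.cc) rejects it; either document that this is relied upon or check that `r_arn->resource` starts with `role/` before slicing. A header comment along the lines of `// Extract the role name from a role ARN whose resource is 'role/[path/]name'; returns "" when the ARN does not parse` would state the contract. The parameter is also declared as `const string&` here and on line 126 of rgw_rest_sts.h while the sibling functions spell `const std::string&`; the header in particular should not depend on an unqualified `string` being in scope for every includer.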
@@ -472,7 +489,15 @@ WebTokenEngine::authenticate( const DoutPrefixProvider* dpp,
       }
       string role_arn = s->info.args.get("RoleArn");
       string role_tenant = get_role_tenant(role_arn);
-      auto apl = apl_factory->create_apl_web_identity(cct, s, role_session, role_tenant, *t, princ_tags);
+      string role_name = get_role_name(role_arn);
+      std::unique_ptr<rgw::sal::RGWRole> role = store->get_role(role_name, role_tenant);
+      int ret = role->get(dpp, y);
+      if (ret < 0) {
+        ldpp_dout(dpp, 0) << "Role not found: name:" << role_name << " tenant: " << role_tenant << dendl;
+        return result_t::deny(-EACCES);
+      }
+      boost::optional<multimap<string,string>> role_tags = role->get_tags();
+      auto apl = apl_factory->create_apl_web_identity(cct, s, role_session, role_tenant, *t, role_tags, princ_tags);
       return result_t::grant(std::move(apl));
     }
     return result_t::deny(-EACCES);
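Review bot: On lines 110–114 every negative return from `role->get` is logged as "Role not found" and mapped to `-EACCES`, which conflates a missing role with a backend failure: a transient store error is reported to the client as an access denial while the operator log claims the role does not exist. At minimum include the code, e.g. `ldpp_dout(dpp, 0) << "Role lookup failed: name:" << role_name << " tenant: " << role_tenant << " ret: " << ret << dendl;`, and if the store distinguishes the cases, deny only on a not-found result and propagate other errors. It is also not visible here whether `store->get_role` can return a null pointer; if it can, the dereference on line 110 needs a guard. The enclosing authenticate function starts above the hunk.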
index 576e1f859669e225baf2cb40a5446850b7112c0d..754b292616ed955d3c1b7067d9ab13578053856a 100644 (file)
@@ -36,8 +36,10 @@ class WebTokenEngine : public rgw::auth::Engine {
 
   std::string get_role_tenant(const std::string& role_arn) const;
 
-  std::string get_cert_url(const std::string& iss, const DoutPrefixProvider *dpp,optional_yield y) const;
+  std::string get_role_name(const string& role_arn) const;
 
+  std::string get_cert_url(const std::string& iss, const DoutPrefixProvider *dpp,optional_yield y) const;
+  
   std::tuple<boost::optional<WebTokenEngine::token_t>, boost::optional<WebTokenEngine::principal_tags_t>>
   get_from_jwt(const DoutPrefixProvider* dpp, const std::string& token, const req_state* const s, optional_yield y) const;
 
@@ -91,10 +93,11 @@ class DefaultStrategy : public rgw::auth::Strategy,
                                     const req_state* s,
                                     const std::string& role_session,
                                     const std::string& role_tenant,
-                                    const std::unordered_multimap<string, string>& token,
+                                    const std::unordered_multimap<std::string, std::string>& token,
+                                    boost::optional<std::multimap<std::string, std::string>> role_tags,
                                     boost::optional<std::set<std::pair<std::string, std::string>>> principal_tags) const override {
     auto apl = rgw::auth::add_sysreq(cct, store, s,
-      rgw::auth::WebIdentityApplier(cct, store, role_session, role_tenant, token, principal_tags));
+      rgw::auth::WebIdentityApplier(cct, store, role_session, role_tenant, token, role_tags, principal_tags));
     return aplptr_t(new decltype(apl)(std::move(apl)));
   }