rgw/sts: adding role name and role session to ops log.
authorPritha Srivastava <prsrivas@redhat.com>
Mon, 7 Jun 2021 15:25:11 +0000 (20:55 +0530)
committerCory Snyder <csnyder@iland.com>
Fri, 7 Jan 2022 10:03:11 +0000 (05:03 -0500)
Also adding authentication type for all ops.

Fixes: https://tracker.ceph.com/issues/51152
Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
(cherry picked from commit ea61dd2c54377ba4a58a6c08ce9156068d36993b)

Conflicts:
src/test/rgw/test_rgw_lua.cc

Cherry-pick notes:
- Conflicts due to rename of sal::RGWUser to sal::User after Pacific

src/rgw/rgw_auth.cc
src/rgw/rgw_log.cc
src/rgw/rgw_log.h
src/test/rgw/test_rgw_lua.cc

index ce613f40d1be021b52607f0ee46de8f5d96c9c18..42fe1133fc9878db5df20d20bf236ce9eefe4089 100644 (file)
@@ -824,6 +824,8 @@ void rgw::auth::RoleApplier::modify_request_state(const DoutPrefixProvider *dpp,
   s->env.emplace("aws:TokenIssueTime", token_issued_at);
 
   s->token_claims.emplace_back("sts");
+  s->token_claims.emplace_back("role_name:" + role.tenant + "$" + role.name);
+  s->token_claims.emplace_back("role_session:" + role_session_name);
   for (auto& it : token_claims) {
     s->token_claims.emplace_back(it);
   }
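Review bot: The claim built at line 29 always inserts `$` between tenant and name, so a role with an empty `role.tenant` (if that can occur here — the hunk does not show how `role` is populated) is logged as `role_name:$name`; consider `"role_name:" + (role.tenant.empty() ? role.name : role.tenant + "$" + role.name)`. The `role_session` value at line 30 is copied verbatim from `role_session_name`, which presumably originates from the caller's AssumeRole request, so consumers of the ops log should treat that field as caller-supplied text; a one-line comment saying so above line 30 would help. modify_request_state starts and ends outside the hunk.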
index efe165089ff6ba435ca883b96ed76f345ee84316..02d612bbf195f1c8881668b6ae81ab5e658c8d09 100644 (file)
@@ -282,9 +282,28 @@ void rgw_format_ops_log_entry(struct rgw_log_entry& entry, Formatter *formatter)
     formatter->close_section();
   }
   formatter->dump_string("trans_id", entry.trans_id);
+  switch(entry.identity_type) {
+    case TYPE_RGW:
+      formatter->dump_string("authentication_type","Local");
+      break;
+    case TYPE_LDAP:
+      formatter->dump_string("authentication_type","LDAP");
+      break;
+    case TYPE_KEYSTONE:
+      formatter->dump_string("authentication_type","Keystone");
+      break;
+    case TYPE_WEB:
+      formatter->dump_string("authentication_type","OIDC Provider");
+      break;
+    case TYPE_ROLE:
+      formatter->dump_string("authentication_type","STS");
+      break;
+    default:
+      break;
+  }
   if (entry.token_claims.size() > 0) {
     if (entry.token_claims[0] == "sts") {
-      formatter->open_object_section("sts_token_claims");
+      formatter->open_object_section("sts_info");
       for (const auto& iter: entry.token_claims) {
         auto pos = iter.find(":");
         if (pos != string::npos) {
@@ -566,6 +585,8 @@ int rgw_log_op(RGWREST* const rest, struct req_state *s, const string& op_name,
 
   entry.op = op_name;
 
+  entry.identity_type = s->auth.identity->get_identity_type();
+
   if (! s->token_claims.empty()) {
     entry.token_claims = std::move(s->token_claims);
   }
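Review bot: Line 69 dereferences `s->auth.identity` unconditionally, and the test change in this commit has to install a FakeIdentity before calling into the ops log, which suggests the pointer can be unset on some paths; guard it, e.g. `entry.identity_type = s->auth.identity ? s->auth.identity->get_identity_type() : TYPE_NONE;` (or `0` if TYPE_NONE is not the unset value in this tree). The switch added in the first hunk of this file has no case for that value, so such entries simply omit `authentication_type`, which is acceptable but deserves a comment on the `default:` branch. That first hunk also renames the `sts_token_claims` section to `sts_info`, a change to the ops-log format that any log consumer keyed on the old name will notice, and the commit message does not mention it. rgw_log_op continues outside the hunk.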
index 90131889da4e6e95b775267188ba5d8a90838fa6..5f5951f9e2434088dcbd010fcd16fa9f8f16bf10 100644 (file)
@@ -40,9 +40,10 @@ struct rgw_log_entry {
   headers_map x_headers;
   string trans_id;
   std::vector<string> token_claims;
+  uint32_t identity_type;
 
   void encode(bufferlist &bl) const {
-    ENCODE_START(11, 5, bl);
+    ENCODE_START(12, 5, bl);
     encode(object_owner.id, bl);
     encode(bucket_owner.id, bl);
     encode(bucket, bl);
@@ -67,10 +68,11 @@ struct rgw_log_entry {
     encode(x_headers, bl);
     encode(trans_id, bl);
     encode(token_claims, bl);
+    encode(identity_type,bl);
     ENCODE_FINISH(bl);
   }
   void decode(bufferlist::const_iterator &p) {
-    DECODE_START_LEGACY_COMPAT_LEN(11, 5, 5, p);
+    DECODE_START_LEGACY_COMPAT_LEN(12, 5, 5, p);
     decode(object_owner.id, p);
     if (struct_v > 3)
       decode(bucket_owner.id, p);
@@ -122,6 +124,9 @@ struct rgw_log_entry {
     if (struct_v >= 11) {
       decode(token_claims, p);
     }
+    if (struct_v >= 12) {
+      decode(identity_type, p);
+    }
     DECODE_FINISH(p);
   }
   void dump(ceph::Formatter *f) const;
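Review bot: `identity_type` at line 79 has no initializer, and decode only assigns it for `struct_v >= 12` (line 104), so an entry decoded from an older record carries an indeterminate value into the `switch` in rgw_format_ops_log_entry; give it an in-class default, `uint32_t identity_type = 0;` (or TYPE_NONE if that is the unset value in this tree), so old records format deterministically. The encode at line 91 is also missing the space after the comma that the neighbouring lines use, `encode(identity_type, bl);`. The struct definition starts and ends outside the hunks.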
index 7d7af6d786f3de2b1c54d92e2049cfa3acb7d5e0..db1eab8cf468a9197f59bbbc309b406cd231cf40 100644 (file)
@@ -1,11 +1,15 @@
 #include <gtest/gtest.h>
 #include "common/ceph_context.h"
 #include "rgw/rgw_common.h"
+#include "rgw/rgw_auth.h"
 #include "rgw/rgw_process.h"
 #include "rgw/rgw_sal_rados.h"
 #include "rgw/rgw_lua_request.h"
 
 using namespace rgw;
+using boost::container::flat_set;
+using rgw::auth::Identity;
+using rgw::auth::Principal;
 
 class CctCleaner {
   CephContext* cct;
@@ -20,6 +24,47 @@ public:
   }
 };
 
+class FakeIdentity : public Identity {
+public:
+  FakeIdentity() = default;
+
+  uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
+    return 0;
+  };
+
+  bool is_admin_of(const rgw_user& uid) const override {
+    return false;
+  }
+
+  bool is_owner_of(const rgw_user& uid) const override {
+    return false;
+  }
+
+  virtual uint32_t get_perm_mask() const override {
+    return 0;
+  }
+
+  uint32_t get_identity_type() const override {
+    return TYPE_RGW;
+  }
+
+  string get_acct_name() const override {
+    return "";
+  }
+
+  string get_subuser() const override {
+    return "";
+  }
+
+  void to_str(std::ostream& out) const override {
+    return;
+  }
+
+  bool is_identity(const flat_set<Principal>& ids) const override {
+    return false;
+  }
+};
+
 class TestRGWUser : public sal::RGWUser {
 public:
   virtual int list_buckets(const DoutPrefixProvider *dpp, const string&, const string&, uint64_t, bool, sal::RGWBucketList&, optional_yield y) override {
@@ -563,6 +608,9 @@ TEST(TestRGWLua, OpsLog)
   s.cio = &ac; 
        s.cct->_conf->rgw_ops_log_rados = false;
 
+  s.auth.identity = std::unique_ptr<rgw::auth::Identity>(
+                        new FakeIdentity());
+
   auto rc = lua::request::execute(store.get(), nullptr, olog.get(), &s, "put_obj", script);
   EXPECT_EQ(rc, 0);