rgw: update swift subuser perm masks when authenticating 2867/head
authorYehuda Sadeh <yehuda@redhat.com>
Wed, 5 Nov 2014 22:38:46 +0000 (14:38 -0800)
committerYehuda Sadeh <yehuda@redhat.com>
Wed, 5 Nov 2014 22:41:47 +0000 (14:41 -0800)
Fixes: #9918
Backport: firefly, giant
It seems that we weren't setting the swift perm mask correctly.

Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
src/rgw/rgw_rest_swift.cc
src/rgw/rgw_swift.cc
src/rgw/rgw_swift.h
src/rgw/rgw_swift_auth.cc
src/rgw/rgw_swift_auth.h

index 49a18bab5fbc7401fab1ba70cce5c5e59bf1cad4..16b3b89670e17fc3ae69b64afccb4a222a6b7a16 100644 (file)
@@ -790,8 +790,6 @@ int RGWHandler_ObjStore_SWIFT::authorize()
   if (!authorized)
     return -EPERM;
 
-  s->perm_mask = RGW_PERM_FULL_CONTROL;
-
   return 0;
 }
 
index bdfaea1cee61554037e82d8c5bc412f25cae7fb3..d2c2898ae5619207350af6b72b28441ca9d50927 100644 (file)
@@ -613,6 +613,34 @@ int authenticate_temp_url(RGWRados *store, req_state *s)
 }
 
 bool RGWSwift::verify_swift_token(RGWRados *store, req_state *s)
+{
+  if (!do_verify_swift_token(store, s)) {
+    return false;
+  }
+
+  if (!s->swift_user.empty()) {
+    string subuser;
+    ssize_t pos = s->swift_user.find(':');
+    if (pos < 0) {
+      subuser = s->swift_user;
+    } else {
+      subuser = s->swift_user.substr(pos + 1);
+    }
+    s->perm_mask = 0;
+    map<string, RGWSubUser>::iterator iter = s->user.subusers.find(subuser);
+    if (iter != s->user.subusers.end()) {
+      RGWSubUser& subuser = iter->second;
+      s->perm_mask = subuser.perm_mask;
+    }
+  } else {
+    s->perm_mask = RGW_PERM_FULL_CONTROL;
+  }
+
+  return true;
+
+}
+
+bool RGWSwift::do_verify_swift_token(RGWRados *store, req_state *s)
 {
   if (!s->os_auth_token) {
     int ret = authenticate_temp_url(store, s);
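Review bot: The `else` branch of the new `verify_swift_token` assigns `RGW_PERM_FULL_CONTROL` whenever `s->swift_user` is empty, so the subuser mask is enforced only on auth paths that fill that field; in this commit the only visible one is the `AUTH_rgwtk` signed-token branch. The rest of `do_verify_swift_token` lies outside the hunk, so it cannot be confirmed here whether the temp-URL path and any other token paths are meant to keep full control. A comment such as `// swift_user is only set for rgw-signed tokens; other auth paths keep full control` would make that fail-open default an explicit decision. Separately, `ssize_t pos = s->swift_user.find(':')` relies on `string::npos` converting to a negative value; `size_t pos = s->swift_user.find(':'); if (pos == string::npos)` states the check directly. The inner `RGWSubUser& subuser` also shadows the outer `string subuser` and would read better under a different name.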
@@ -620,7 +648,7 @@ bool RGWSwift::verify_swift_token(RGWRados *store, req_state *s)
   }
 
   if (strncmp(s->os_auth_token, "AUTH_rgwtk", 10) == 0) {
-    int ret = rgw_swift_verify_signed_token(s->cct, store, s->os_auth_token, s->user);
+    int ret = rgw_swift_verify_signed_token(s->cct, store, s->os_auth_token, s->user, &s->swift_user);
     if (ret < 0)
       return false;
 
index 6959bb09207e28c1497a66ac24a97785edd6d345..efc8d71e71112ece1a87c8cfccce62ebdcacd7c7 100644 (file)
@@ -56,6 +56,7 @@ class RGWSwift {
   bool supports_keystone() {
     return !cct->_conf->rgw_keystone_url.empty();
   }
+  bool do_verify_swift_token(RGWRados *store, req_state *s);
 protected:
   int check_revoked();
 public:
index ccbe3db3b5fa2cb8e16c39f28a455d86e88974f0..9e275e4147e7ffe7d71b106c2f9b3ede72f90a4b 100644 (file)
@@ -59,7 +59,7 @@ static int encode_token(CephContext *cct, string& swift_user, string& key, buffe
   return ret;
 }
 
-int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char *token, RGWUserInfo& info)
+int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char *token, RGWUserInfo& info, string *pswift_user)
 {
   if (strncmp(token, "AUTH_rgwtk", 10) != 0)
     return -EINVAL;
@@ -126,6 +126,7 @@ int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char
     dout(0) << "NOTICE: tokens mismatch tok=" << buf << dendl;
     return -EPERM;
   }
+  *pswift_user = swift_user;
 
   return 0;
 }
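Review bot: `*pswift_user = swift_user;` dereferences the new out-parameter without a null check, and `rgw_swift_verify_signed_token` is an `extern` function whose pointer signature (changed in the previous hunk of this file and in rgw_swift_auth.h) allows a caller to pass a null pointer. Either guard the write, `if (pswift_user) *pswift_user = swift_user;`, or take a `string&` so the type enforces the contract. On the visible path the assignment sits after the token-mismatch `return -EPERM`, so the caller's string appears to be written only on success. That is worth a one-line comment on the declaration, because `verify_swift_token` derives `perm_mask` from this value. The function body starts outside this hunk, so earlier return paths were not checked.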
index 1202e78f091c02915b99ef09cabe7b7c012f6c42..2fe5d344f1fe863b762ee8e5a310eb396ab6c13b 100644 (file)
@@ -9,7 +9,7 @@
 
 #define RGW_SWIFT_TOKEN_EXPIRATION (15 * 60)
 
-extern int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char *token, RGWUserInfo& info);
+extern int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char *token, RGWUserInfo& info, string *pswift_user);
 
 class RGW_SWIFT_Auth_Get : public RGWOp {
 public: