{ "s3:RestoreObject", s3RestoreObject },
{ "iam:PutUserPolicy", iamPutUserPolicy },
{ "iam:GetUserPolicy", iamGetUserPolicy },
- { "iam:DeleteUserPolicy", iamDeleteUserPolicy }};
+ { "iam:DeleteUserPolicy", iamDeleteUserPolicy },
+ { "iam:ListUserPolicies", iamListUserPolicies },
+ { "iam:CreateRole", iamCreateRole},
+ { "iam:DeleteRole", iamDeleteRole},
+ { "iam:GetRole", iamGetRole},
+ { "iam:ModifyRole", iamModifyRole},
+ { "iam:ListRoles", iamListRoles},
+ { "iam:PutRolePolicy", iamPutRolePolicy},
+ { "iam:GetRolePolicy", iamGetRolePolicy},
+ { "iam:ListRolePolicies", iamListRolePolicies},
+ { "iam:DeleteRolePolicy", iamDeleteRolePolicy},
+};
struct PolicyParser;
#define dout_subsys ceph_subsys_rgw
+int RGWRestRole::verify_permission()
+{
+ if (s->auth.identity->is_anonymous()) {
+ return -EACCES;
+ }
+
+ string role_name = s->info.args.get("RoleName");
+ RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
+ if (op_ret = role.get(); op_ret < 0) {
+ if (op_ret == -ENOENT) {
+ op_ret = -ERR_NO_ROLE_FOUND;
+ }
+ return op_ret;
+ }
+
+ if (int ret = check_caps(s->user->caps); ret == 0) {
+ _role = std::move(role);
+ return ret;
+ }
+
+ string resource_name = role.get_path() + role_name;
+ uint64_t op = get_op();
+ if (!verify_user_permission(s,
+ rgw::IAM::ARN(resource_name,
+ "role",
+ s->user->user_id.tenant),
+ op)) {
+ return -EACCES;
+ }
+
+ _role = std::move(role);
+
+ return 0;
+}
+
void RGWRestRole::send_response()
{
if (op_ret) {
end_header(s);
}
-int RGWRestRole::verify_permission()
-{
- int ret = check_caps(s->user->caps);
- ldout(s->cct, 0) << "INFO: verify_permissions ret" << ret << dendl;
- return ret;
-}
-
int RGWRoleRead::check_caps(RGWUserCaps& caps)
{
return caps.check_cap("roles", RGW_CAP_READ);
return caps.check_cap("roles", RGW_CAP_WRITE);
}
+int RGWCreateRole::verify_permission()
+{
+ if (s->auth.identity->is_anonymous()) {
+ return -EACCES;
+ }
+
+ if (int ret = check_caps(s->user->caps); ret == 0) {
+ return ret;
+ }
+
+ string role_name = s->info.args.get("RoleName");
+ string role_path = s->info.args.get("Path");
+
+ string resource_name = role_path + role_name;
+ if (!verify_user_permission(s,
+ rgw::IAM::ARN(resource_name,
+ "role",
+ s->user->user_id.tenant),
+ get_op())) {
+ return -EACCES;
+ }
+ return 0;
+}
+
int RGWCreateRole::get_params()
{
role_name = s->info.args.get("RoleName");
if (op_ret < 0) {
return;
}
- RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
- op_ret = role.delete_obj();
+
+ op_ret = _role.delete_obj();
if (op_ret == -ENOENT) {
op_ret = -ERR_NO_ROLE_FOUND;
}
}
+int RGWGetRole::verify_permission()
+{
+ return 0;
+}
+
+int RGWGetRole::_verify_permission(const RGWRole& role)
+{
+ if (s->auth.identity->is_anonymous()) {
+ return -EACCES;
+ }
+
+ if (int ret = check_caps(s->user->caps); ret == 0) {
+ return ret;
+ }
+
+ string resource_name = role.get_path() + role.get_name();
+ if (!verify_user_permission(s,
+ rgw::IAM::ARN(resource_name,
+ "role",
+ s->user->user_id.tenant),
+ get_op())) {
+ return -EACCES;
+ }
+ return 0;
+}
+
int RGWGetRole::get_params()
{
role_name = s->info.args.get("RoleName");
if (op_ret == -ENOENT) {
op_ret = -ERR_NO_ROLE_FOUND;
+ return;
}
+ op_ret = _verify_permission(role);
+
if (op_ret == 0) {
s->formatter->open_object_section("role");
role.dump(s->formatter);
if (op_ret < 0) {
return;
}
- RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
- op_ret = role.get();
- if (op_ret == -ENOENT) {
- op_ret = -ERR_NO_ROLE_FOUND;
+
+ _role.update_trust_policy(trust_policy);
+ op_ret = _role.update();
+
+}
+
+int RGWListRoles::verify_permission()
+{
+ if (s->auth.identity->is_anonymous()) {
+ return -EACCES;
}
- if (op_ret == 0) {
- role.update_trust_policy(trust_policy);
- op_ret = role.update();
+ if (int ret = check_caps(s->user->caps); ret == 0) {
+ return ret;
+ }
+
+ if (!verify_user_permission(s,
+ rgw::IAM::ARN(),
+ get_op())) {
+ return -EACCES;
}
+
+ return 0;
}
int RGWListRoles::get_params()
return;
}
- RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
- op_ret = role.get();
- if (op_ret == 0) {
- role.set_perm_policy(policy_name, perm_policy);
- op_ret = role.update();
- }
+ _role.set_perm_policy(policy_name, perm_policy);
+ op_ret = _role.update();
}
int RGWGetRolePolicy::get_params()
return;
}
- RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
- op_ret = role.get();
-
- if (op_ret == -ENOENT) {
- op_ret = -ERR_NO_ROLE_FOUND;
- }
-
+ string perm_policy;
+ op_ret = _role.get_role_policy(policy_name, perm_policy);
if (op_ret == 0) {
- string perm_policy;
- op_ret = role.get_role_policy(policy_name, perm_policy);
-
- if (op_ret == 0) {
- s->formatter->open_object_section("GetRolePolicyResult");
- s->formatter->dump_string("PolicyName", policy_name);
- s->formatter->dump_string("RoleName", role_name);
- s->formatter->dump_string("Permission policy", perm_policy);
- s->formatter->close_section();
- }
+ s->formatter->open_object_section("GetRolePolicyResult");
+ s->formatter->dump_string("PolicyName", policy_name);
+ s->formatter->dump_string("RoleName", role_name);
+ s->formatter->dump_string("Permission policy", perm_policy);
+ s->formatter->close_section();
}
}
return;
}
- RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
- op_ret = role.get();
-
- if (op_ret == -ENOENT) {
- op_ret = -ERR_NO_ROLE_FOUND;
- }
-
- if (op_ret == 0) {
- std::vector<string> policy_names = role.get_role_policy_names();
- s->formatter->open_array_section("PolicyNames");
- for (const auto& it : policy_names) {
- s->formatter->dump_string("member", it);
- }
- s->formatter->close_section();
+ std::vector<string> policy_names = _role.get_role_policy_names();
+ s->formatter->open_array_section("PolicyNames");
+ for (const auto& it : policy_names) {
+ s->formatter->dump_string("member", it);
}
+ s->formatter->close_section();
}
int RGWDeleteRolePolicy::get_params()
return;
}
- RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
- op_ret = role.get();
-
+ op_ret = _role.delete_policy(policy_name);
if (op_ret == -ENOENT) {
op_ret = -ERR_NO_ROLE_FOUND;
}
if (op_ret == 0) {
- op_ret = role.delete_policy(policy_name);
- if (op_ret == -ENOENT) {
- op_ret = -ERR_NO_ROLE_FOUND;
- }
-
- if (op_ret == 0) {
- op_ret = role.update();
- }
+ op_ret = _role.update();
}
}
#ifndef CEPH_RGW_REST_ROLE_H
#define CEPH_RGW_REST_ROLE_H
+#include "rgw_role.h"
+
class RGWRestRole : public RGWRESTOp {
protected:
string role_name;
string policy_name;
string perm_policy;
string path_prefix;
-
+ RGWRole _role;
public:
int verify_permission() override;
void send_response() override;
+ virtual uint64_t get_op() = 0;
};
class RGWRoleRead : public RGWRestRole {
class RGWCreateRole : public RGWRoleWrite {
public:
RGWCreateRole() = default;
+ int verify_permission() override;
void execute() override;
int get_params();
const char* name() const override { return "create_role"; }
RGWOpType get_type() override { return RGW_OP_CREATE_ROLE; }
+ uint64_t get_op() { return rgw::IAM::iamCreateRole; }
};
class RGWDeleteRole : public RGWRoleWrite {
int get_params();
const char* name() const override { return "delete_role"; }
RGWOpType get_type() override { return RGW_OP_DELETE_ROLE; }
+ uint64_t get_op() { return rgw::IAM::iamDeleteRole; }
};
class RGWGetRole : public RGWRoleRead {
+ int _verify_permission(const RGWRole& role);
public:
RGWGetRole() = default;
+ int verify_permission() override;
void execute() override;
int get_params();
const char* name() const override { return "get_role"; }
RGWOpType get_type() override { return RGW_OP_GET_ROLE; }
+ uint64_t get_op() { return rgw::IAM::iamGetRole; }
};
class RGWModifyRole : public RGWRoleWrite {
int get_params();
const char* name() const override { return "modify_role"; }
RGWOpType get_type() override { return RGW_OP_MODIFY_ROLE; }
+ uint64_t get_op() { return rgw::IAM::iamModifyRole; }
};
class RGWListRoles : public RGWRoleRead {
public:
RGWListRoles() = default;
+ int verify_permission() override;
void execute() override;
int get_params();
const char* name() const override { return "list_roles"; }
RGWOpType get_type() override { return RGW_OP_LIST_ROLES; }
+ uint64_t get_op() { return rgw::IAM::iamListRoles; }
};
class RGWPutRolePolicy : public RGWRoleWrite {
int get_params();
const char* name() const override { return "put_role_policy"; }
RGWOpType get_type() override { return RGW_OP_PUT_ROLE_POLICY; }
+ uint64_t get_op() { return rgw::IAM::iamPutRolePolicy; }
};
class RGWGetRolePolicy : public RGWRoleRead {
int get_params();
const char* name() const override { return "get_role_policy"; }
RGWOpType get_type() override { return RGW_OP_GET_ROLE_POLICY; }
+ uint64_t get_op() { return rgw::IAM::iamGetRolePolicy; }
};
class RGWListRolePolicies : public RGWRoleRead {
int get_params();
const char* name() const override { return "list_role_policies"; }
RGWOpType get_type() override { return RGW_OP_LIST_ROLE_POLICIES; }
+ uint64_t get_op() { return rgw::IAM::iamListRolePolicies; }
};
class RGWDeleteRolePolicy : public RGWRoleWrite {
int get_params();
const char* name() const override { return "delete_role_policy"; }
RGWOpType get_type() override { return RGW_OP_DELETE_ROLE_POLICY; }
+ uint64_t get_op() { return rgw::IAM::iamDeleteRolePolicy; }
};
#endif /* CEPH_RGW_REST_ROLE_H */
projects / ceph-ci.git / commitdiff