};
};
+class ServiceIdentity : public Identity {
+ const std::string service_id;
+public:
+ ServiceIdentity(const std::string& s) : service_id(s) {}
+ virtual ~ServiceIdentity() = default;
+
+ ACLOwner get_aclowner() const override {
+ return {};
+ }
+
+ uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
+ return RGW_PERM_NONE;
+ }
+
+ bool is_admin_of(const rgw_owner& o) const override {
+ return false;
+ }
+
+ bool is_owner_of(const rgw_owner& o) const override {
+ return false;
+ }
+
+ uint32_t get_perm_mask() const override {
+ return RGW_PERM_NONE;
+ }
+
+ virtual void to_str(std::ostream& out) const override {
+ out << "rgw::auth::ServiceIdentity(id=" << service_id << ")";
+ }
+
+ bool is_identity(const Principal& p) const override {
+ return p.is_service() && p.get_service() == service_id;
+ }
+
+ uint32_t get_identity_type() const override {
+ return TYPE_RGW;
+ }
+
+ std::string get_acct_name() const override {
+ return {};
+ }
+
+ std::string get_subuser() const override {
+ return {};
+ }
+
+ const std::string& get_tenant() const override {
+ static const std::string no_tenant;
+ return no_tenant;
+ }
+
+ const std::optional<RGWAccountInfo>& get_account() const override {
+ static constexpr std::optional<RGWAccountInfo> no_account;
+ return no_account;
+ }
+
+ bool is_root() const override {
+ return false;
+ }
+};
+
/* The anonymous abstract engine. */
class AnonymousEngine : public Engine {
CephContext* const cct;
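Review bot: The new `ServiceIdentity` class has no comment explaining its contract, and since every permission and ownership query in it is a hard deny (`RGW_PERM_NONE`, `false`) with `is_identity` as the only positive match, that should be stated at the declaration: `/* Identity of an AWS service principal. It owns nothing and carries no permissions; it only matches a policy Principal of type Service whose id equals service_id. */`. The single-argument constructor should be `explicit ServiceIdentity(const std::string& s)`, and the `virtual` on `to_str` is redundant next to `override`. `get_identity_type()` returning `TYPE_RGW` looks like it makes a service indistinguishable from a local RGW user wherever callers branch on the identity type — if that is intended, a one-line comment saying so would help; if not, a dedicated type value would be the cleaner choice. The `static constexpr std::optional<RGWAccountInfo>` in `get_account()` presumably only compiles because `RGWAccountInfo` is a literal type; `static const` would express the same without that dependency.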
if (p.is_wildcard()) {
return m << "*";
}
+ if (p.is_service()) {
+ return m << p.get_service();
+ }
m << "arn:aws:iam:" << p.get_account() << ":";
if (p.is_account()) {
namespace rgw {
namespace auth {
class Principal {
- enum types { User, Role, Account, Wildcard, OidcProvider, AssumedRole };
+ enum types { User, Role, Account, Wildcard, OidcProvider, AssumedRole, Service };
types t;
rgw_user u;
std::string idp_url;
+ std::string service_id;
explicit Principal(types t)
: t(t) {}
return Principal(AssumedRole, std::move(t), std::move(u));
}
+ static Principal service(std::string&& s) {
+ auto p = Principal(Service);
+ p.service_id = std::move(s);
+ return p;
+ }
+
bool is_wildcard() const {
return t == Wildcard;
}
return t == AssumedRole;
}
+ bool is_service() const {
+ return t == Service;
+ }
+
const std::string& get_account() const {
return u.tenant;
}
return u.id;
}
+ const std::string& get_service() const {
+ return service_id;
+ }
+
bool operator ==(const Principal& o) const {
return (t == o.t) && (u == o.u);
}
};
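Review bot: `Principal::operator==` still compares only `t` and `u`, so two Service principals with different `service_id` values compare equal once the new member is added; any code that de-duplicates or matches principals by equality will conflate distinct services. The comparison should include the new field, e.g. `return (t == o.t) && (u == o.u) && (service_id == o.service_id);` (the pre-existing omission of `idp_url` has the same shape and could be fixed in the same line). The class body continues above this hunk.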
WRITE_CLASS_ENCODER(configuration)
+static const std::string service_principal = "logging.s3.amazonaws.com";
+
using source_buckets = std::set<rgw_bucket>;
constexpr unsigned MAX_BUCKET_LOGGING_BUFFER = 1000;
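Review bot: `static const std::string service_principal` appears to be declared in a header, which gives every translation unit its own copy with its own dynamic initialisation; the surrounding `constexpr unsigned MAX_BUCKET_LOGGING_BUFFER` shows the file already prefers compile-time constants. If callers can take a view, `inline constexpr std::string_view service_principal = "logging.s3.amazonaws.com";` avoids both the per-TU copy and the startup construction; otherwise `inline const std::string` at least keeps a single definition. A short comment naming what this constant is matched against (the policy Principal for the bucket-logging service) would also help readers who arrive here from the IAM parsing code.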
"for an assumed role, "
"`arn:aws:iam::tenant:user/user-name` for a user, "
"`arn:aws:iam::tenant:oidc-provider/idp-url` for OIDC.", s);
+ } else if (w->id == TokenID::Service) {
+ return Principal::service(std::move(s));
}
if (errmsg)