rgw: Add subuser to OPA request

author Seena Fallah <seenafallah@gmail.com>

Wed, 8 Apr 2020 19:45:20 +0000 (00:15 +0430)

committer Seena Fallah <seenafallah@gmail.com>

Wed, 8 Apr 2020 19:45:20 +0000 (00:15 +0430)
author Seena Fallah <seenafallah@gmail.com>
Wed, 8 Apr 2020 19:45:20 +0000 (00:15 +0430)
committer Seena Fallah <seenafallah@gmail.com>
Wed, 8 Apr 2020 19:45:20 +0000 (00:15 +0430)
diff --git a/doc/radosgw/opa.rst b/doc/radosgw/opa.rst

index ef26a74ad8fcb81c9350f26215d861ad6abc4aad..f1b76b5ef78b2b3906b714f7d47fcb3e61ff0707 100644 (file)
--- a/doc/radosgw/opa.rst
+++ b/doc/radosgw/opa.rst
@@ -46,6 +46,7 @@ Example request::
     {
         "input": {
             "method": "GET",
+           "subuser": "subuser",
             "user_info": {
                 "user_id": "john",
                 "display_name": "John"  
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc

index 38d5c9091889c7a96ca04a04380eac981c192e36..f1351c06346a274963922c028cf761978040cb6e 100644 (file)
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -92,6 +92,10 @@ transform_old_authinfo(CephContext* const cct,
        return {};
      }
  
+    string get_subuser() const override {
+      return {};
+    }
+
      void to_str(std::ostream& out) const override {
        out << "RGWDummyIdentityApplier(auth_id=" << id
            << ", perm_mask=" << perm_mask
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h

index 38f51b790a8f88c0cb388732d86b4e4a4718704d..6add45ca23d79dbd94cb8d79a76d6bdf87579cf8 100644 (file)
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -76,6 +76,9 @@ public:
  
    /* Name of Account */
    virtual string get_acct_name() const = 0;
+
+  /* Subuser of Account */
+  virtual string get_subuser() const = 0;
  };
  
  inline std::ostream& operator<<(std::ostream& out,
@@ -410,6 +413,10 @@ public:
      return token_claims.user_name;
    }
  
+  string get_subuser() const override {
+    return {};
+  }
+
    struct Factory {
      virtual ~Factory() {}
  
@@ -541,6 +548,7 @@ public:
    void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
    uint32_t get_identity_type() const override { return info.acct_type; }
    string get_acct_name() const override { return info.acct_name; }
+  string get_subuser() const override { return {}; }
  
    struct Factory {
      virtual ~Factory() {}
@@ -602,6 +610,7 @@ public:
    void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
    uint32_t get_identity_type() const override { return TYPE_RGW; }
    string get_acct_name() const override { return {}; }
+  string get_subuser() const override { return subuser; }
  
    struct Factory {
      virtual ~Factory() {}
@@ -646,6 +655,7 @@ public:
    void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
    uint32_t get_identity_type() const override { return TYPE_ROLE; }
    string get_acct_name() const override { return {}; }
+  string get_subuser() const override { return {}; }
    void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;
  
    struct Factory {
diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h

index 228d2cde697c9a8ef6815ac6a926ca4eb543a6ed..8a5bf80644a729d9659e8bb444b5fd2b3eec873c 100644 (file)
--- a/src/rgw/rgw_auth_filters.h
+++ b/src/rgw/rgw_auth_filters.h
@@ -88,6 +88,10 @@ public:
      return get_decoratee().get_acct_name();
    }
  
+  string get_subuser() const override {
+    return get_decoratee().get_subuser();
+  }
+
    bool is_identity(
      const boost::container::flat_set<Principal>& ids) const override {
      return get_decoratee().is_identity(ids);
diff --git a/src/rgw/rgw_opa.cc b/src/rgw/rgw_opa.cc

index 79ba8784d04ce1c49a702d0405ced151d24c4e84..96cc5841c1d01bf63f16e0cc9e0dcd91efd060e5 100644 (file)
--- a/src/rgw/rgw_opa.cc
+++ b/src/rgw/rgw_opa.cc
@@ -45,6 +45,7 @@ int rgw_opa_authorize(RGWOp *& op,
    jf.dump_string("params", s->info.request_params.c_str());
    jf.dump_string("request_uri_aws4", s->info.request_uri_aws4.c_str());
    jf.dump_string("object_name", s->object.name.c_str());
+  jf.dump_string("subuser", s->auth.identity->get_subuser().c_str());
    jf.dump_object("user_info", s->user->get_info());
    jf.dump_object("bucket_info", s->bucket_info);
    jf.close_section();
diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc

index 335daa6980bab869e93e490aa0e0ece10cd8cdc6..9f8e585cdf1bbceb5db4719cf122ce8451d1e935 100644 (file)
--- a/src/test/rgw/test_rgw_iam_policy.cc
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -128,6 +128,11 @@ public:
      return 0;
    }
  
+  string get_subuser() const override {
+    abort();
+    return 0;
+  }
+
    void to_str(std::ostream& out) const override {
      out << id;
    }
author	Seena Fallah <seenafallah@gmail.com>
	Wed, 8 Apr 2020 19:45:20 +0000 (00:15 +0430)
committer	Seena Fallah <seenafallah@gmail.com>
	Wed, 8 Apr 2020 19:45:20 +0000 (00:15 +0430)
doc/radosgw/opa.rst		patch \| blob \| history
src/rgw/rgw_auth.cc		patch \| blob \| history
src/rgw/rgw_auth.h		patch \| blob \| history
src/rgw/rgw_auth_filters.h		patch \| blob \| history
src/rgw/rgw_opa.cc		patch \| blob \| history
src/test/rgw/test_rgw_iam_policy.cc		patch \| blob \| history