rgw: Add subuser to OPA request

author Seena Fallah <seenafallah@gmail.com>

Wed, 8 Apr 2020 19:45:20 +0000 (00:15 +0430)

committer Nathan Cutler <ncutler@suse.com>

Sat, 18 Jul 2020 20:24:52 +0000 (22:24 +0200)
author Seena Fallah <seenafallah@gmail.com>
Wed, 8 Apr 2020 19:45:20 +0000 (00:15 +0430)
committer Nathan Cutler <ncutler@suse.com>
Sat, 18 Jul 2020 20:24:52 +0000 (22:24 +0200)
diff --git a/doc/radosgw/opa.rst b/doc/radosgw/opa.rst

index 89f9300b94e9d3ab68144918da2ffcd49ea50e62..74eeb918b9587538ae3c799640e8093c29c8fdf7 100644 (file)
--- a/doc/radosgw/opa.rst
+++ b/doc/radosgw/opa.rst
@@ -46,6 +46,7 @@ Example request::
     {
         "input": {
             "method": "GET",
+           "subuser": "subuser",
             "user_info": {
                 "used_id": "john",
                 "display_name": "John"  
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc

index b03d5b280106b6577d00546f8e948b50b92dc22c..078c16e6f67e0f026bf7b63996f990f417632ba7 100644 (file)
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -87,6 +87,10 @@ transform_old_authinfo(const req_state* const s)
        return {};
      }
  
+    string get_subuser() const override {
+      return {};
+    }
+
      void to_str(std::ostream& out) const override {
        out << "RGWDummyIdentityApplier(auth_id=" << id
            << ", perm_mask=" << perm_mask
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h

index 2aaa1a5ac1f877c57b137fda3a49380dd8cc1358..dad0897697f00c2e541a03d64823012be312c36d 100644 (file)
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -75,6 +75,9 @@ public:
  
    /* Name of Account */
    virtual string get_acct_name() const = 0;
+
+  /* Subuser of Account */
+  virtual string get_subuser() const = 0;
  };
  
  inline std::ostream& operator<<(std::ostream& out,
@@ -403,6 +406,10 @@ public:
      return token_claims.user_name;
    }
  
+  string get_subuser() const override {
+    return {};
+  }
+
    struct Factory {
      virtual ~Factory() {}
  
@@ -535,6 +542,7 @@ public:
    void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
    uint32_t get_identity_type() const override { return info.acct_type; }
    string get_acct_name() const override { return info.acct_name; }
+  string get_subuser() const override { return {}; }
  
    struct Factory {
      virtual ~Factory() {}
@@ -596,6 +604,7 @@ public:
    void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
    uint32_t get_identity_type() const override { return TYPE_RGW; }
    string get_acct_name() const override { return {}; }
+  string get_subuser() const override { return subuser; }
  
    struct Factory {
      virtual ~Factory() {}
@@ -640,6 +649,7 @@ public:
    void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
    uint32_t get_identity_type() const override { return TYPE_ROLE; }
    string get_acct_name() const override { return {}; }
+  string get_subuser() const override { return {}; }
    void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;
  
    struct Factory {
diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h

index ff0a33eaae6a179ef7175cd4eefb8187c907be7d..a2b62e2cff58e74db40db16199c5290b7301fea3 100644 (file)
--- a/src/rgw/rgw_auth_filters.h
+++ b/src/rgw/rgw_auth_filters.h
@@ -88,6 +88,10 @@ public:
      return get_decoratee().get_acct_name();
    }
  
+  string get_subuser() const override {
+    return get_decoratee().get_subuser();
+  }
+
    bool is_identity(
      const boost::container::flat_set<Principal>& ids) const override {
      return get_decoratee().is_identity(ids);
diff --git a/src/rgw/rgw_opa.cc b/src/rgw/rgw_opa.cc

index 08abf5a174fc493716058705e64f3f24d90e04d8..2331beb69a412ae31b52f1f0e2fc8de035944afd 100644 (file)
--- a/src/rgw/rgw_opa.cc
+++ b/src/rgw/rgw_opa.cc
@@ -44,6 +44,7 @@ int rgw_opa_authorize(RGWOp *& op,
    jf.dump_string("params", s->info.request_params.c_str());
    jf.dump_string("request_uri_aws4", s->info.request_uri_aws4.c_str());
    jf.dump_string("object_name", s->object.name.c_str());
+  jf.dump_string("subuser", s->auth.identity->get_subuser().c_str());
    jf.dump_object("user_info", *s->user);
    jf.dump_object("bucket_info", s->bucket_info);
    jf.close_section();
diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc

index a0a6ac4fdd1b8eb74be8d74d9ba275382f9036e8..b12ab7fd978c84e2c073063dbb0c5e3f41a8b847 100644 (file)
--- a/src/test/rgw/test_rgw_iam_policy.cc
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -124,6 +124,11 @@ public:
      return 0;
    }
  
+  string get_subuser() const override {
+    abort();
+    return 0;
+  }
+
    void to_str(std::ostream& out) const override {
      out << id;
    }
author	Seena Fallah <seenafallah@gmail.com>
	Wed, 8 Apr 2020 19:45:20 +0000 (00:15 +0430)
committer	Nathan Cutler <ncutler@suse.com>
	Sat, 18 Jul 2020 20:24:52 +0000 (22:24 +0200)
doc/radosgw/opa.rst		patch \| blob \| history
src/rgw/rgw_auth.cc		patch \| blob \| history
src/rgw/rgw_auth.h		patch \| blob \| history
src/rgw/rgw_auth_filters.h		patch \| blob \| history
src/rgw/rgw_opa.cc		patch \| blob \| history
src/test/rgw/test_rgw_iam_policy.cc		patch \| blob \| history