git-server-git.apps.pok.os.sepia.ceph.com Git - ceph.git/commitdiff
rgw/auth: Deny request if service token does not have accepted roles
author Tobias Urdin <tobias.urdin@binero.se>
Mon, 2 May 2022 09:48:15 +0000 (09:48 +0000)
committer Tobias Urdin <tobias.urdin@binero.se>
Wed, 21 Sep 2022 20:33:29 +0000 (20:33 +0000)
The default behavior should be that an invalid service token
makes the request invalid even though we have not checked the
X-Auth-Token yet.

This is not required but should reflect the same behavior as other
keystonemiddleware implemented services have.

Signed-off-by: Tobias Urdin <tobias.urdin@binero.com>
src/rgw/rgw_auth_keystone.cc

index 9976449f28b2d8e16b055f488f92b3948ec7defa..c42b0604cebb3bf6ede45d173214b7731658b667 100644 (file)
@@ -300,6 +300,7 @@ TokenEngine::authenticate(const DoutPrefixProvider* dpp,
       if (!allow_expired) {
         ldpp_dout(dpp, 0) << "service token user does not hold a matching role; required roles: "
                   << g_conf()->rgw_keystone_service_token_accepted_roles << dendl;
+        return result_t::deny(-EPERM);
       }
     }
   }
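
Review bot: the new `return result_t::deny(-EPERM);` is reached only through `if (!allow_expired)`, a flag whose name says nothing about role matching, so the fail-closed intent is easy to miss or break in a later refactor. Please add a short comment at that branch explaining why a false `allow_expired` means the service token user holds none of `rgw_keystone_service_token_accepted_roles`, and that the request is rejected before the X-Auth-Token is evaluated. Because requests that previously fell through to normal X-Auth-Token handling are now denied, the option's documentation and the release notes should mention the change. The `ldpp_dout(dpp, 0)` message in the same branch is emitted at level 0 on a path that now ends in a client-visible denial; consider a higher debug level so repeated bad service tokens cannot fill the log.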