{ "iam:DeleteRolePolicy", iamDeleteRolePolicy},
{ "sts:AssumeRole", stsAssumeRole},
{ "sts:AssumeRoleWithWebIdentity", stsAssumeRoleWithWebIdentity},
+ { "sts:GetSessionToken", stsGetSessionToken},
};
struct PolicyParser;
case stsAssumeRoleWithWebIdentity:
return "sts:AssumeRoleWithWebIdentity";
+
+ case stsGetSessionToken:
+ return "sts:GetSessionToken";
}
return "s3Invalid";
}
static constexpr std::uint64_t iamAll = 68;
static constexpr std::uint64_t stsAssumeRole = 69;
static constexpr std::uint64_t stsAssumeRoleWithWebIdentity = 70;
-static constexpr std::uint64_t stsAll = 71;
+static constexpr std::uint64_t stsGetSessionToken = 71;
+static constexpr std::uint64_t stsAll = 72;
static constexpr std::uint64_t s3Count = s3DeleteObjectVersionTagging + 1;
static constexpr std::uint64_t allCount = stsAll + 1;
static const Action_t None(0);
static const Action_t s3AllValue("111111111111111111111111111111111111111111111111111111");
static const Action_t iamAllValue("11111111111110000000000000000000000000000000000000000000000000000000");
-static const Action_t stsAllValue("11000000000000000000000000000000000000000000000000000000000000000000000");
+static const Action_t stsAllValue("111000000000000000000000000000000000000000000000000000000000000000000000");
//Modify allValue if more Actions are added
-static const Action_t allValue("111111111111111111111111111111111111111111111111111111111111111111111111");
+static const Action_t allValue("1111111111111111111111111111111111111111111111111111111111111111111111111");
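Review bot: The masks on the new `stsAllValue` and `allValue` lines are hand-typed bit strings whose length must track `allCount` exactly, and nothing here checks that; if `Action_t` is a fixed-width bitset (its definition is outside this hunk), a string that is too long silently drops its leading characters, so a future action added without widening `allValue` would quietly make the new action's bit absent from the "all" mask rather than fail to compile. The comment `//Modify allValue if more Actions are added` also understates the job, since this very change had to touch `stsAllValue` as well and the `s3AllValue`/`iamAllValue` prefixes encode the same boundaries. I would extend the comment to `// Modify allValue AND the per-service *AllValue masks below when actions are added; their lengths must equal allCount` and add a guard that forces a maintainer to revisit this spot, e.g. `static_assert(allCount == 73, "action count changed: update the *AllValue bit strings above");`. Building the per-service masks from the `s3Count`/`iamAll`/`stsAll` boundaries with shifts instead of literals would remove the hazard entirely, if `Action_t` supports it.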
namespace {
inline int op_to_perm(std::uint64_t op) {
#s3:authType, TokenKind::cond_key, TokenID::s3authType, (uint64_t) Type::string, true, false
#s3:signatureAge, TokenKind::cond_key, TokenID::s3signatureAge, (uint64_t) Type::number, true, false
#s3:x-amz-content-sha256, TokenKind::cond_key, TokenID::s3x_amz_content_sha256, (uint64_t) Type::string, true, false
+# STS
+#sts:authentication, TokenKind::cond_key, TokenID::stsauthentication, (uint64_t) Type::boolean, true, false
#
# Version Keywords
#
// identifier that can persist through name changes?
s->env.emplace("aws:username", s->user->user_id.id);
}
+
+ i = m.find("HTTP_X_AMZ_SECURITY_TOKEN");
+ if (i != m.end()) {
+ s->env.emplace("sts:authentication", "true");
+ } else {
+ s->env.emplace("sts:authentication", "false");
+ }
}
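Review bot: `sts:authentication` is set to `"true"` on the mere presence of the `HTTP_X_AMZ_SECURITY_TOKEN` request header, which any client can attach, rather than on whether the request was actually authenticated with a validated STS session; a policy condition keyed on it therefore only proves the header was sent, not that an STS-issued credential was used, unless the auth path has already rejected unverified tokens before this env is built (that ordering is not visible here). Deriving the value from the authenticated identity (e.g. whether the resolved credential is a temporary/session one) would tie the condition key to the security property it advertises; if the header check must stay, the session-token carried in the query string for presigned requests is also not considered, so header-only detection may be incomplete. At minimum I would document the weaker meaning at the `emplace`: `// NOTE: reflects only that a security-token header was present, not that the token was validated as an STS session`. The enclosing function begins outside this hunk.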
void rgw_bucket_object_pre_exec(struct req_state *s)