rgw/iam: enable Role apis against account users

Signed-off-by: Casey Bodley <cbodley@redhat.com>

diff --git a/src/rgw/rgw_rest_role.cc b/src/rgw/rgw_rest_role.cc
index b44634e83b615ae4ebe2e3e9fecd0e24a84fe069..4ee5707e0b05a5714c1f63b5d0ae9ffc3fb96a94 100644 (file)
--- a/src/rgw/rgw_rest_role.cc
+++ b/src/rgw/rgw_rest_role.cc
@@ -96,13 +96,27 @@ static rgw::ARN make_role_arn(const std::string& path,
 }
 
 static int load_role(const DoutPrefixProvider* dpp, optional_yield y,
-                     rgw::sal::Driver* driver,
-                     const std::string& tenant,
+                     rgw::sal::Driver* driver, const rgw_owner& owner,
+                     rgw_account_id& account_id, const std::string& tenant,
                      const std::string& name,
                      std::unique_ptr<rgw::sal::RGWRole>& role,
-                     rgw::ARN& resource,
-                     std::string& message)
+                     rgw::ARN& resource, std::string& message)
 {
+  if (const auto* id = std::get_if<rgw_account_id>(&owner); id) {
+    account_id = *id;
+
+    // look up account role by RoleName
+    int r = driver->load_account_role_by_name(dpp, y, account_id, name, &role);
+    if (r == -ENOENT) {
+      message = "No such RoleName in the account";
+      return -ERR_NO_ROLE_FOUND;
+    }
+    if (r >= 0) {
+      resource = make_role_arn(role->get_path(), role->get_name(), account_id);
+    }
+    return r;
+  }
+
   role = driver->get_role(name, tenant);
   const int r = role->get(dpp, y);
   if (r == -ENOENT) {
@@ -161,7 +175,12 @@ int RGWCreateRole::init_processing(optional_yield y)
     return -ERR_LIMIT_EXCEEDED;
   }
 
-  resource = make_role_arn(role_path, role_name, s->user->get_tenant());
+
+  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
+    resource = make_role_arn(role_path, role_name, *id);
+  } else {
+    resource = make_role_arn(role_path, role_name, s->user->get_tenant());
+  }
   return 0;
 }
 
@@ -276,8 +295,9 @@ int RGWDeleteRole::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->user->get_tenant(), role_name,
-                   role, resource, s->err.message);
+  return load_role(this, y, driver, s->owner.id, account_id,
+                   s->user->get_tenant(), role_name, role, resource,
+                   s->err.message);
 }
 
 void RGWDeleteRole::execute(optional_yield y)
@@ -333,8 +353,9 @@ int RGWGetRole::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->user->get_tenant(), role_name,
-                   role, resource, s->err.message);
+  return load_role(this, y, driver, s->owner.id, account_id,
+                   s->user->get_tenant(), role_name, role, resource,
+                   s->err.message);
 }
 
 void RGWGetRole::execute(optional_yield y)
@@ -370,8 +391,9 @@ int RGWModifyRoleTrustPolicy::init_processing(optional_yield y)
     return -ERR_MALFORMED_DOC;
   }
 
-  return load_role(this, y, driver, s->user->get_tenant(), role_name,
-                   role, resource, s->err.message);
+  return load_role(this, y, driver, s->owner.id, account_id,
+                   s->user->get_tenant(), role_name, role, resource,
+                   s->err.message);
 }
 
 void RGWModifyRoleTrustPolicy::execute(optional_yield y)
@@ -418,6 +440,7 @@ int RGWListRoles::init_processing(optional_yield y)
 
 void RGWListRoles::execute(optional_yield y)
 {
+  // TODO: list_account_roles() for account owner
   vector<std::unique_ptr<rgw::sal::RGWRole>> result;
   op_ret = driver->get_roles(s, y, path_prefix, s->user->get_tenant(), result);
 
@@ -469,8 +492,9 @@ int RGWPutRolePolicy::init_processing(optional_yield y)
     return -ERR_MALFORMED_DOC;
   }
 
-  return load_role(this, y, driver, s->user->get_tenant(), role_name,
-                   role, resource, s->err.message);
+  return load_role(this, y, driver, s->owner.id, account_id,
+                   s->user->get_tenant(), role_name, role, resource,
+                   s->err.message);
 }
 
 void RGWPutRolePolicy::execute(optional_yield y)
@@ -524,8 +548,9 @@ int RGWGetRolePolicy::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->user->get_tenant(), role_name,
-                   role, resource, s->err.message);
+  return load_role(this, y, driver, s->owner.id, account_id,
+                   s->user->get_tenant(), role_name, role, resource,
+                   s->err.message);
 }
 
 void RGWGetRolePolicy::execute(optional_yield y)
@@ -557,8 +582,9 @@ int RGWListRolePolicies::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->user->get_tenant(), role_name,
-                   role, resource, s->err.message);
+  return load_role(this, y, driver, s->owner.id, account_id,
+                   s->user->get_tenant(), role_name, role, resource,
+                   s->err.message);
 }
 
 void RGWListRolePolicies::execute(optional_yield y)
@@ -591,8 +617,9 @@ int RGWDeleteRolePolicy::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->user->get_tenant(), role_name,
-                   role, resource, s->err.message);
+  return load_role(this, y, driver, s->owner.id, account_id,
+                   s->user->get_tenant(), role_name, role, resource,
+                   s->err.message);
 }
 
 void RGWDeleteRolePolicy::execute(optional_yield y)
@@ -649,8 +676,9 @@ int RGWTagRole::init_processing(optional_yield y)
     return r;
   }
 
-  return load_role(this, y, driver, s->user->get_tenant(), role_name,
-                   role, resource, s->err.message);
+  return load_role(this, y, driver, s->owner.id, account_id,
+                   s->user->get_tenant(), role_name, role, resource,
+                   s->err.message);
 }
 
 void RGWTagRole::execute(optional_yield y)
@@ -704,8 +732,9 @@ int RGWListRoleTags::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->user->get_tenant(), role_name,
-                   role, resource, s->err.message);
+  return load_role(this, y, driver, s->owner.id, account_id,
+                   s->user->get_tenant(), role_name, role, resource,
+                   s->err.message);
 }
 
 void RGWListRoleTags::execute(optional_yield y)
@@ -749,8 +778,9 @@ int RGWUntagRole::init_processing(optional_yield y)
         });
   }
 
-  return load_role(this, y, driver, s->user->get_tenant(), role_name,
-                   role, resource, s->err.message);
+  return load_role(this, y, driver, s->owner.id, account_id,
+                   s->user->get_tenant(), role_name, role, resource,
+                   s->err.message);
 }
 
 void RGWUntagRole::execute(optional_yield y)
@@ -802,8 +832,9 @@ int RGWUpdateRole::init_processing(optional_yield y)
 
   max_session_duration = s->info.args.get("MaxSessionDuration");
 
-  return load_role(this, y, driver, s->user->get_tenant(), role_name,
-                   role, resource, s->err.message);
+  return load_role(this, y, driver, s->owner.id, account_id,
+                   s->user->get_tenant(), role_name, role, resource,
+                   s->err.message);
 }
 
 void RGWUpdateRole::execute(optional_yield y)

diff --git a/src/rgw/rgw_rest_role.h b/src/rgw/rgw_rest_role.h
index d26fbe125753ad498cdfd1f174a5027f012dd72c..fff9406227b3226fdc2cab0426d233130682e562 100644 (file)
--- a/src/rgw/rgw_rest_role.h
+++ b/src/rgw/rgw_rest_role.h
@@ -13,6 +13,7 @@ class RGWRestRole : public RGWRESTOp {
   const uint64_t action;
   const uint32_t perm;
  protected:
+  rgw_account_id account_id;
   rgw::ARN resource; // must be initialized before verify_permission()
   int check_caps(const RGWUserCaps& caps) override;