get_caller_identity utility

Tracker: https://tracker.ceph.com/issues/72157
Resolves: rhbz#2381577

Signed-off-by: Raja Sharma <raja@ibm.com>
(cherry picked from commit 9965d326b0234cc597a46451d0a5413db5ee9e39)

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index d234f14f08fee20a4285a419e00f20322828ed76..2bb4d8a89fa40464d37e6090f54caec0646dcad0 100644 (file)
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -280,6 +280,10 @@ static auto transform_old_authinfo(const RGWUserInfo& user,
       return type;
     }
 
+    std::optional<rgw::ARN> get_caller_identity() const override {
+      return std::nullopt;
+    }
+
     string get_acct_name() const override {
       return {};
     }

diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index f391e50a589bef575c8d60cd048aa082038bec89..a795da50f8921f1d83d359c08c9164441bb722dd 100644 (file)
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -87,6 +87,9 @@ public:
   /* Identity Type: RGW/ LDAP/ Keystone */
   virtual uint32_t get_identity_type() const = 0;
 
+  /* Identity ARN */
+  virtual std::optional<rgw::ARN> get_caller_identity() const = 0;
+
   /* Name of Account */
   virtual std::string get_acct_name() const = 0;
 
@@ -504,6 +507,10 @@ public:
     return TYPE_WEB;
   }
 
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    return std::nullopt;
+  }
+
   std::string get_acct_name() const override {
     return this->user_name;
   }
@@ -675,6 +682,11 @@ public:
   void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;
   void write_ops_log_entry(rgw_log_entry& entry) const override;
   uint32_t get_identity_type() const override { return info.acct_type; }
+
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    return std::nullopt;
+  }
+
   std::string get_acct_name() const override { return info.acct_name; }
   std::string get_subuser() const override { return {}; }
   const std::string& get_tenant() const override {
@@ -745,6 +757,19 @@ public:
   auto load_acct_info(const DoutPrefixProvider* dpp) const -> std::unique_ptr<rgw::sal::User> override; /* out */
   void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;
   uint32_t get_identity_type() const override { return user_info.type; }
+
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    bool has_account_id = !user_info.account_id.empty();
+    std::string acct = has_account_id ? user_info.account_id : user_info.user_id.tenant;
+    if(user_info.type == TYPE_ROOT) {
+      return rgw::ARN("", "root", acct, true);
+    }
+
+    std::string username = has_account_id ? user_info.display_name : user_info.user_id.id;
+    std::string path = user_info.path.empty() ? "/" : user_info.path;
+    return rgw::ARN(string_cat_reserve(path, username), "user", acct, true);
+  }
+
   std::string get_acct_name() const override { return {}; }
   std::string get_subuser() const override { return subuser; }
   const std::string& get_tenant() const override {
@@ -824,6 +849,16 @@ public:
   void to_str(std::ostream& out) const override;
   auto load_acct_info(const DoutPrefixProvider* dpp) const -> std::unique_ptr<rgw::sal::User> override; /* out */
   uint32_t get_identity_type() const override { return TYPE_ROLE; }
+
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    rgw::Partition partition = rgw::Partition::aws;
+    rgw::Service service = rgw::Service::sts;
+    std::string acct = role.account->id.empty() ? role.tenant : role.account->id;
+    std::string resource = "assumed-role/" + role.name + "/" + token_attrs.role_session_name;
+
+    return rgw::ARN(partition, service, "", acct, resource);
+  }
+
   std::string get_acct_name() const override { return {}; }
   std::string get_subuser() const override { return {}; }
   const std::string& get_tenant() const override { return role.tenant; }
@@ -882,6 +917,10 @@ public:
     return TYPE_RGW;
   }
 
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    return std::nullopt;
+  }
+
   std::string get_acct_name() const override {
     return {};
   }

diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h
index aed3449f13b11407e7bd3e750050a6d8f7932bf5..09d9e07b0795d1fcfc19048742221263479b3f86 100644 (file)
--- a/src/rgw/rgw_auth_filters.h
+++ b/src/rgw/rgw_auth_filters.h
@@ -97,6 +97,10 @@ public:
     return get_decoratee().get_identity_type();
   }
 
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    return get_decoratee().get_caller_identity();
+  }
+
   std::string get_acct_name() const override {
     return get_decoratee().get_acct_name();
   }

diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
index d3ebb7e26a3a18bdbf150c0b39eb8cf93d294d1e..4e94bbddad8d10174fb47ce97b331462278db4d1 100644 (file)
--- a/src/test/rgw/test_rgw_iam_policy.cc
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -209,6 +209,10 @@ public:
   uint32_t get_identity_type() const override {
     return TYPE_RGW;
   }
+
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    return std::nullopt;
+  }
 };
 
 class PolicyTest : public ::testing::Test {

diff --git a/src/test/rgw/test_rgw_lua.cc b/src/test/rgw/test_rgw_lua.cc
index 81b7833358a29880c6e793d00426532cbb3c0e14..d897a9b16a4750af050b50f1024eb70a72d52355 100644 (file)
--- a/src/test/rgw/test_rgw_lua.cc
+++ b/src/test/rgw/test_rgw_lua.cc
@@ -59,6 +59,10 @@ public:
     return TYPE_RGW;
   }
 
+  std::optional<rgw::ARN> get_caller_identity() const override {
+    return std::nullopt;
+  }
+
   string get_acct_name() const override {
     return "";
   }