rgw: update swift subuser perm masks when authenticating
authorYehuda Sadeh <yehuda@redhat.com>
Wed, 5 Nov 2014 22:38:46 +0000 (14:38 -0800)
committerYehuda Sadeh <yehuda@redhat.com>
Tue, 13 Jan 2015 01:09:07 +0000 (17:09 -0800)
Fixes: #9918
Backport: firefly, giant
It seems that we weren't setting the swift perm mask correctly.

Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
(cherry picked from commit 5d9f36f757a7272c24d2c9adc31db1ed5e712992)

src/rgw/rgw_rest_swift.cc
src/rgw/rgw_swift.cc
src/rgw/rgw_swift.h
src/rgw/rgw_swift_auth.cc
src/rgw/rgw_swift_auth.h

index 9bdb811cd6ac60fff31b8ac47835c0d3d1443d07..98f3c2c202418170256cc76cb923d09bb1edbcc2 100644 (file)
@@ -788,8 +788,6 @@ int RGWHandler_ObjStore_SWIFT::authorize()
   if (!authorized)
     return -EPERM;
 
-  s->perm_mask = RGW_PERM_FULL_CONTROL;
-
   return 0;
 }
 
index 2445e174b9d1540c502be1b300946910c6d6683c..46c45bd9dfe76c4db3a0993794d1c5092ba5f90c 100644 (file)
@@ -610,6 +610,34 @@ int authenticate_temp_url(RGWRados *store, req_state *s)
 }
 
 bool RGWSwift::verify_swift_token(RGWRados *store, req_state *s)
+{
+  if (!do_verify_swift_token(store, s)) {
+    return false;
+  }
+
+  if (!s->swift_user.empty()) {
+    string subuser;
+    ssize_t pos = s->swift_user.find(':');
+    if (pos < 0) {
+      subuser = s->swift_user;
+    } else {
+      subuser = s->swift_user.substr(pos + 1);
+    }
+    s->perm_mask = 0;
+    map<string, RGWSubUser>::iterator iter = s->user.subusers.find(subuser);
+    if (iter != s->user.subusers.end()) {
+      RGWSubUser& subuser = iter->second;
+      s->perm_mask = subuser.perm_mask;
+    }
+  } else {
+    s->perm_mask = RGW_PERM_FULL_CONTROL;
+  }
+
+  return true;
+
+}
+
+bool RGWSwift::do_verify_swift_token(RGWRados *store, req_state *s)
 {
   if (!s->os_auth_token) {
     int ret = authenticate_temp_url(store, s);
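Review bot: The `else` branch of the new `verify_swift_token()` grants `RGW_PERM_FULL_CONTROL` whenever `s->swift_user` is empty, so any path through `do_verify_swift_token()` that succeeds without filling in `swift_user` is treated as a full-control user. Only the `AUTH_rgwtk` branch is visibly changed to set it; the temp-URL path at the top of `do_verify_swift_token()` (and presumably any other non-rgw token path, which this hunk does not show) would fall through to full control. If that is intended, a comment such as `// empty swift_user: not an rgw-signed subuser token, keep the previous full-control default` would make the fail-open default explicit. Separately, `ssize_t pos = s->swift_user.find(':'); if (pos < 0)` depends on `npos` converting to a negative value, where `size_t pos = ...; if (pos == string::npos)` states the test directly, and the inner `RGWSubUser& subuser` shadows the `string subuser` declared above it. `do_verify_swift_token()` continues past the end of this hunk.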
@@ -617,7 +645,7 @@ bool RGWSwift::verify_swift_token(RGWRados *store, req_state *s)
   }
 
   if (strncmp(s->os_auth_token, "AUTH_rgwtk", 10) == 0) {
-    int ret = rgw_swift_verify_signed_token(s->cct, store, s->os_auth_token, s->user);
+    int ret = rgw_swift_verify_signed_token(s->cct, store, s->os_auth_token, s->user, &s->swift_user);
     if (ret < 0)
       return false;
 
index 97347e8069180b81cddbc3ad8997260bdd731f38..300b5eb7d019eafc7835a4da039f6d6730e7032b 100644 (file)
@@ -53,6 +53,7 @@ class RGWSwift {
   bool supports_keystone() {
     return !cct->_conf->rgw_keystone_url.empty();
   }
+  bool do_verify_swift_token(RGWRados *store, req_state *s);
 protected:
   int check_revoked();
 public:
index 9c800c4c2c71d3edcb6076d5680dbe803eeac23a..553f629d6ef3aba47559e0cf4eed8a4af39f506f 100644 (file)
@@ -56,7 +56,7 @@ static int encode_token(CephContext *cct, string& swift_user, string& key, buffe
   return ret;
 }
 
-int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char *token, RGWUserInfo& info)
+int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char *token, RGWUserInfo& info, string *pswift_user)
 {
   if (strncmp(token, "AUTH_rgwtk", 10) != 0)
     return -EINVAL;
@@ -123,6 +123,7 @@ int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char
     dout(0) << "NOTICE: tokens mismatch tok=" << buf << dendl;
     return -EPERM;
   }
+  *pswift_user = swift_user;
 
   return 0;
 }
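Review bot: `*pswift_user = swift_user;` dereferences the new out-parameter unconditionally, so a caller that passes a null pointer would crash after the token has already been validated. The only caller visible in this commit passes `&s->swift_user`, but a pointer parameter reads as optional by convention. Either guard the write with `if (pswift_user) *pswift_user = swift_user;` or take `string& swift_user_out` so that null cannot be expressed. The signature change is in the earlier hunk at `@@ -56,7 +56,7 @@`, and the function body between the two hunks is not shown.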
index 6d50d945641fd63f28b8828d5bb1c0900881cce2..61050d8a628c625207088fecd1ec57df75ebbd18 100644 (file)
@@ -6,7 +6,7 @@
 
 #define RGW_SWIFT_TOKEN_EXPIRATION (15 * 60)
 
-extern int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char *token, RGWUserInfo& info);
+extern int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char *token, RGWUserInfo& info, string *pswift_user);
 
 class RGW_SWIFT_Auth_Get : public RGWOp {
 public: