* with the reason. */
virtual uint32_t get_perm_mask() const = 0;
- virtual bool is_anonymous() const final {
+ virtual bool is_anonymous() const {
/* If the identity owns the anonymous account (rgw_user), it's considered
* the anonymous identity. On error throws rgw::auth::Exception storing
* the reason. */
is_admin(acct_privilege_t::IS_ADMIN_ACCT == level),
acct_type(acct_type) {
}
- bool is_anon() const {return (acct_name.compare(RGW_USER_ANON_ID) == 0);}
};
using aclspec_t = rgw::auth::Identity::aclspec_t;
return get_decoratee().is_owner_of(uid);
}
+ bool is_anonymous() const override {
+ return get_decoratee().is_anonymous();
+ }
+
uint32_t get_perm_mask() const override {
return get_decoratee().get_perm_mask();
}
/* The override has been specified but the account belongs to the authenticated
* identity. We may safely forward the call to a next stage. */
DecoratedApplier<T>::load_acct_info(dpp, user_info);
+ } else if (this->is_anonymous()) {
+ /* If the user was authed by the anonymous engine then scope the ANON user
+ * to the correct tenant */
+ if (acct_user_override.tenant.empty())
+ user_info.user_id = rgw_user(acct_user_override.id, RGW_USER_ANON_ID);
+ else
+ user_info.user_id = rgw_user(acct_user_override.tenant, RGW_USER_ANON_ID);
} else {
/* Compatibility mechanism for multi-tenancy. For more details refer to
* load_acct_info method of rgw::auth::RemoteApplier. */
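Review bot: In the new `else if (this->is_anonymous())` branch only `user_info.user_id` is assigned and nothing is looked up or validated, so the anonymous user lands in whatever tenant the override names, and when `acct_user_override.tenant` is empty the account id itself is passed as the tenant. The override appears to be built from the request's account name (`rgw_user(s->account_name)` in the factory hunks), so the branch should say why no existence check is needed and why the id doubles as the tenant, for example `/* no tenant given: the account id is used as the implicit tenant */`. The inner `if`/`else` is unbraced inside a longer `else if` chain; adding braces would keep a later edit from attaching to the wrong branch. The branch is also only as reliable as `is_anonymous()`, which this commit makes overridable by dropping `final`. load_acct_info starts and ends outside the hunk.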
: LocalApplier(cct, user_info, LocalApplier::NO_SUBUSER, boost::none) {
};
bool is_admin_of(const rgw_user& uid) const {return false;}
- bool is_owner_of(const rgw_user& uid) const {return false;}
+ bool is_owner_of(const rgw_user& uid) const {return uid.id.compare(RGW_USER_ANON_ID) == 0;}
};
class SwiftAnonymousEngine : public rgw::auth::AnonymousEngine {
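Review bot: The new `is_owner_of` compares only `uid.id` with `RGW_USER_ANON_ID` and ignores `uid.tenant`, so this applier reports ownership of the anonymous user of every tenant. That looks intended now that load_acct_info scopes the anonymous user to a tenant, but it is an authorization predicate and the tenant-agnostic match should be stated at the definition, for example `/* matches the anonymous user of any tenant; the tenant is applied later in load_acct_info */`. Neither `is_admin_of` nor `is_owner_of` carries `override`; if they are meant to replace the LocalApplier virtuals, adding it lets the compiler catch a signature drift that would silently restore the base behaviour. `uid.id == RGW_USER_ANON_ID` would also read more directly than `compare(...) == 0`.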
const req_state* const s,
acl_strategy_t&& extra_acl_strategy,
const rgw::auth::RemoteApplier::AuthInfo &info) const override {
- rgw_user user(s->account_name);
- if (info.is_anon())
- user = rgw_user(RGW_USER_ANON_ID);
auto apl = \
- rgw::auth::add_3rdparty(ctl, user,
+ rgw::auth::add_3rdparty(ctl, rgw_user(s->account_name),
rgw::auth::add_sysreq(cct, ctl, s,
rgw::auth::RemoteApplier(cct, ctl, std::move(extra_acl_strategy), info,
implicit_tenant_context,
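Review bot: With the anonymous special case removed, `add_3rdparty` always receives `rgw_user(s->account_name)`, which appears to come from the request, and correct handling of anonymous callers now depends on the applier added by `add_3rdparty` seeing `is_anonymous()` through every decorator in this chain. A one-line comment at the call would keep that coupling visible, for example `/* anonymous requests are scoped to the account's tenant in load_acct_info of the 3rd-party applier */`. The same applies to the create_apl_local hunk that follows. Both function bodies continue outside their hunks.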
const RGWUserInfo& user_info,
const std::string& subuser,
const boost::optional<uint32_t>& perm_mask) const override {
- rgw_user user(s->account_name);
- if (user_info.user_id.compare(RGW_USER_ANON_ID) == 0)
- user = rgw_user(user_info.user_id);
auto apl = \
- rgw::auth::add_3rdparty(ctl, user,
+ rgw::auth::add_3rdparty(ctl, rgw_user(s->account_name),
rgw::auth::add_sysreq(cct, ctl, s,
rgw::auth::LocalApplier(cct, user_info, subuser, perm_mask)));
/* TODO(rzarzynski): replace with static_ptr. */
static_cast<rgw::auth::TokenExtractor*>(this),
static_cast<rgw::auth::LocalApplier::Factory*>(this)),
anon_engine(cct,
- static_cast<rgw::auth::LocalApplier::Factory*>(this),
+ static_cast<SwiftAnonymousApplier::Factory*>(this),
static_cast<rgw::auth::TokenExtractor*>(this)) {
/* When the constructor's body is being executed, all member engines
* should be initialized. Thus, we can safely add them. */