With the introduction of is_impersonating in SysReqApplier,
RoleApplier can now use the same mechanism to flag a request that
has been forwarded by a system user on behalf of another role (e.g.,
through STS), so that it is marked as a system request (s->system_request).
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
(cherry picked from commit
995dc6284ea32fb2c87fb8e1cf2001b0fe9f5f45)
for (auto& it : token_attrs.token_claims) {
s->token_claims.emplace_back(it);
}
- if (is_system_request) {
- s->system_request = true;
- }
}
rgw::auth::Engine::result_t
rgw::sal::Driver* driver;
Role role;
TokenAttrs token_attrs;
- bool is_system_request;
public:
RoleApplier(CephContext* const cct,
rgw::sal::Driver* driver,
const Role& role,
- const TokenAttrs& token_attrs,
- bool is_system_request)
+ const TokenAttrs& token_attrs)
: cct(cct),
driver(driver),
role(role),
- token_attrs(token_attrs),
- is_system_request(is_system_request) {}
+ token_attrs(token_attrs) {}
ACLOwner get_aclowner() const override;
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
const req_state* s,
Role role,
TokenAttrs token_attrs,
- bool is_system_request) const = 0;
+ bool is_impersonating) const = 0;
};
};
const req_state* const s,
RoleApplier::Role role,
RoleApplier::TokenAttrs token_attrs,
- bool is_system_request) const override {
+ bool is_impersonating) const override {
auto apl = rgw::auth::add_sysreq(cct, driver, s,
- rgw::auth::RoleApplier(cct, driver, std::move(role), std::move(token_attrs), is_system_request));
+ rgw::auth::RoleApplier(cct, driver, std::move(role), std::move(token_attrs)), is_impersonating);
return aplptr_t(new decltype(apl)(std::move(apl)));
}
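Review bot: The trailing `is_impersonating` argument to `rgw::auth::add_sysreq` is now the only path by which a role request gets `s->system_request` set, since the `if (is_system_request) { s->system_request = true; }` branch was removed from RoleApplier in the first hunk, and nothing in this override records that dependency. A short comment above the call would keep the next reader from re-adding the flag to RoleApplier or dropping the argument, e.g. `// is_impersonating: signed by a system user on behalf of this role; SysReqApplier (not RoleApplier) marks s->system_request from it.` Whether add_sysreq defaults this parameter is not visible here; if it does, a caller that omits it would silently lose the system-request marking, which is worth stating at the add_sysreq declaration. The signature of create_apl_role begins before this hunk.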
const req_state* const s,
optional_yield y) const
{
- bool is_system_request{false};
if (! s->info.args.exists("x-amz-security-token") &&
! s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN") &&
s->auth.s3_postobj_creds.x_amz_security_token.empty()) {
return result_t::reject(ret);
}
//Authentication
+ bool is_impersonating = false;
std::string secret_access_key;
//Check if access key is not the same passed in by client
if (token.access_key_id != _access_key_id) {
}
const RGWAccessKey& k = iter->second;
secret_access_key = k.key;
- is_system_request = true;
+ is_impersonating = true;
} else {
ldpp_dout(dpp, 0) << "Invalid access key" << dendl;
return result_t::reject(-EPERM);
t_attrs.token_issued_at = std::move(token.issued_at);
t_attrs.principal_tags = std::move(token.principal_tags);
auto apl = role_apl_factory->create_apl_role(cct, s, std::move(r),
- std::move(t_attrs), is_system_request);
+ std::move(t_attrs), is_impersonating);
return result_t::grant(std::move(apl), completer_factory(token.secret_access_key));
} else { // This is for all local users of type TYPE_RGW|ROOT|NONE
if (token.user.empty()) {
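Review bot: `is_impersonating = true;` after `secret_access_key = k.key;` is now the sole signal that turns this role request into a system request downstream (per the commit message, via SysReqApplier), yet the visible lines do not show that the owner of the client-supplied `_access_key_id` is verified to be a system user before the flag is set — only that the key, which differs from the token's, resolved to a stored `RGWAccessKey`. If that check lives in the elided lines between the `if (token.access_key_id != _access_key_id)` guard and `const RGWAccessKey& k = iter->second;`, say so next to the flag, e.g. `// Only a system user may sign on behalf of another principal's role; this flag gates s->system_request in SysReqApplier.`; if it does not, any user whose key is found could have a role token treated as a system request. The comment `//Check if access key is not the same passed in by client` above the guard still reads as a plain mismatch check and should mention the forwarded-request case it now admits. The enclosing authenticate() starts before this hunk and its local-user `else` branch continues past it.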