const rgw_user id;
const int perm_mask;
const bool is_admin;
+ const uint32_t type;
public:
DummyIdentityApplier(CephContext* const cct,
const rgw_user& auth_id,
const int perm_mask,
- const bool is_admin)
+ const bool is_admin,
+ const uint32_t type)
: cct(cct),
id(auth_id),
perm_mask(perm_mask),
- is_admin(is_admin) {
+ is_admin(is_admin),
+ type(type) {
}
uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override {
return perm_mask;
}
+ uint32_t get_identity_type() const override {
+ return type;
+ }
+
+ string get_acct_name() const override {
+ return {};
+ }
+
void to_str(std::ostream& out) const override {
out << "RGWDummyIdentityApplier(auth_id=" << id
<< ", perm_mask=" << perm_mask
s->perm_mask,
/* System user has admin permissions by default - it's supposed to pass
* through any security check. */
- s->system_request));
+ s->system_request,
+ s->user->type));
}
} /* namespace auth */
/* Succeeded if we are here (create_account() hasn't throwed). */
}
-
/* rgw::auth::LocalApplier */
/* static declaration */
const std::string rgw::auth::LocalApplier::NO_SUBUSER;
user_info = this->user_info;
}
-
rgw::auth::Engine::result_t
rgw::auth::AnonymousEngine::authenticate(const req_state* const s) const
{
/* Verify whether a given identity corresponds to an identity in the
provided set */
virtual bool is_identity(const idset_t& ids) const = 0;
+
+ /* Identity Type: RGW/ LDAP/ Keystone */
+ virtual uint32_t get_identity_type() const = 0;
+
+ /* Name of Account */
+ virtual string get_acct_name() const = 0;
};
inline std::ostream& operator<<(std::ostream& out,
uint32_t get_perm_mask() const override { return info.perm_mask; }
void to_str(std::ostream& out) const override;
void load_acct_info(RGWUserInfo& user_info) const override; /* out */
+ uint32_t get_identity_type() const override { return info.acct_type; }
+ string get_acct_name() const override { return info.acct_name; }
struct Factory {
virtual ~Factory() {}
}
void to_str(std::ostream& out) const override;
void load_acct_info(RGWUserInfo& user_info) const override; /* out */
+ uint32_t get_identity_type() const override { return TYPE_RGW; }
+ string get_acct_name() const override { return {}; }
struct Factory {
virtual ~Factory() {}
return get_decoratee().get_perm_mask();
}
+ uint32_t get_identity_type() const override {
+ return get_decoratee().get_identity_type();
+ }
+
+ string get_acct_name() const override {
+ return get_decoratee().get_acct_name();
+ }
+
bool is_identity(
const boost::container::flat_set<Principal>& ids) const override {
return get_decoratee().is_identity(ids);
int RGWREST_STS::verify_permission()
{
- STS::STSService _sts(s->cct, store, s->user->user_id);
+ STS::STSService _sts(s->cct, store, s->user->user_id, s->auth.identity.get());
sts = std::move(_sts);
string rArn = s->info.args.get("RoleArn");
#include "include/types.h"
#include "rgw_string.h"
+#include "rgw_b64.h"
#include "rgw_common.h"
#include "rgw_tools.h"
#include "rgw_role.h"
int Credentials::generateCredentials(CephContext* cct,
const uint64_t& duration,
- const string& policy,
- const string& roleId)
+ const boost::optional<string>& policy,
+ const boost::optional<string>& roleId,
+ boost::optional<rgw_user> user,
+ rgw::auth::Identity* identity)
{
uuid_d accessKey, secretKey;
char accessKeyId_str[MAX_ACCESS_KEY_LEN], secretAccessKey_str[MAX_SECRET_KEY_LEN];
error.clear();
//Storing policy and roleId as part of token, so that they can be extracted
// from the token itself for policy evaluation.
- string encrypted_str, input_str = "acess_key_id=" + accessKeyId + "&" +
- "secret_access_key=" + secretAccessKey + "&" +
- "expiration=" + expiration + "&" + "policy=" + policy + "&"
- "roleId=" + roleId;
+ SessionToken token;
+ //authentication info
+ token.access_key_id = accessKeyId;
+ token.secret_access_key = secretAccessKey;
+ token.expiration = expiration;
+
+ //Authorization info
+ if (policy)
+ token.policy = *policy;
+ else
+ token.policy = {};
+
+ if (roleId)
+ token.roleId = *roleId;
+ else
+ token.roleId = {};
+
+ if (user)
+ token.user = *user;
+ else {
+ rgw_user u({}, {});
+ token.user = u;
+ }
+
+ if (identity) {
+ token.acct_name = identity->get_acct_name();
+ token.perm_mask = identity->get_perm_mask();
+ token.is_admin = identity->is_admin_of(token.user);
+ token.acct_type = identity->get_identity_type();
+ } else {
+ token.acct_name = {};
+ token.perm_mask = 0;
+ token.is_admin = 0;
+ token.acct_type = TYPE_NONE;
+ }
+
+ string encrypted_str;
buffer::list input, enc_output;
- input.append(input_str);
+ encode(token, input);
+
if (ret = keyhandler->encrypt(input, enc_output, &error); ret < 0) {
return ret;
}
}
//Generate Credentials
- if (ret = cred.generateCredentials(cct, req.getDuration(), req.getPolicy(), roleId); ret < 0) {
+ //Role and Policy provide the authorization info, user id and applier info are not needed
+ if (ret = cred.generateCredentials(cct, req.getDuration(),
+ req.getPolicy(), roleId,
+ boost::none, nullptr); ret < 0) {
return make_tuple(ret, user, cred, packedPolicySize);
}
#define CEPH_RGW_STS_H
#include "rgw_role.h"
+#include "rgw_auth.h"
namespace STS {
void dump(Formatter *f) const;
};
+struct SessionToken {
+ string access_key_id;
+ string secret_access_key;
+ string expiration;
+ string policy;
+ string roleId;
+ rgw_user user;
+ string acct_name;
+ uint32_t perm_mask;
+ bool is_admin;
+ uint32_t acct_type;
+
+ SessionToken() {}
+
+ void encode(bufferlist& bl) const {
+ ENCODE_START(1, 1, bl);
+ encode(access_key_id, bl);
+ encode(secret_access_key, bl);
+ encode(expiration, bl);
+ encode(policy, bl);
+ encode(roleId, bl);
+ encode(user, bl);
+ encode(acct_name, bl);
+ encode(perm_mask, bl);
+ encode(is_admin, bl);
+ encode(acct_type, bl);
+ ENCODE_FINISH(bl);
+ }
+
+ void decode(bufferlist::const_iterator& bl) {
+ DECODE_START(1, bl);
+ decode(access_key_id, bl);
+ decode(secret_access_key, bl);
+ decode(expiration, bl);
+ decode(policy, bl);
+ decode(roleId, bl);
+ decode(user, bl);
+ decode(acct_name, bl);
+ decode(perm_mask, bl);
+ decode(is_admin, bl);
+ decode(acct_type, bl);
+ DECODE_FINISH(bl);
+ }
+};
+WRITE_CLASS_ENCODER(SessionToken)
+
class Credentials {
static constexpr int MAX_ACCESS_KEY_LEN = 20;
static constexpr int MAX_SECRET_KEY_LEN = 40;
public:
int generateCredentials(CephContext* cct,
const uint64_t& duration,
- const string& policy,
- const string& roleId);
+ const boost::optional<string>& policy,
+ const boost::optional<string>& roleId,
+ boost::optional<rgw_user> user,
+ rgw::auth::Identity* identity);
const string& getAccessKeyId() const { return accessKeyId; }
const string& getExpiration() const { return expiration; }
const string& getSecretAccessKey() const { return secretAccessKey; }
RGWRados *store;
rgw_user user_id;
RGWRole role;
+ rgw::auth::Identity* identity;
int storeARN(string& arn);
public:
STSService() = default;
- STSService(CephContext* _cct, RGWRados *_store, rgw_user _user_id) : cct(_cct), store(_store), user_id(_user_id) {}
+ STSService(CephContext* cct, RGWRados *store, rgw_user user_id, rgw::auth::Identity* identity) : cct(cct), store(store), user_id(user_id), identity(identity) {}
std::tuple<int, RGWRole> getRoleInfo(const string& arn);
AssumeRoleResponse assumeRole(AssumeRoleRequest& req);
};
return 0;
}
+ uint32_t get_identity_type() const override {
+ abort();
+ return 0;
+ }
+
+ string get_acct_name() const override {
+ abort();
+ return 0;
+ }
+
void to_str(std::ostream& out) const override {
out << id;
}
projects / ceph-ci.git / commitdiff