return -EPERM;
}
+ /* if the supplied signature is wrong, we will get 401 from Keystone */
+ if (get_http_status() == HTTP_STATUS_UNAUTHORIZED) {
+ return -ERR_SIGNATURE_NO_MATCH;
+ }
+
/* now parse response */
if (response.parse(cct, rx_buffer) < 0) {
dout(2) << "s3 keystone: token parsing failed" << dendl;
ldout(cct, 5) << "s3 keystone: user does not hold a matching role;"
" required roles: "
<< cct->_conf->rgw_keystone_accepted_roles << dendl;
- return -EPERM;
+ return -ERR_INVALID_ACCESS_KEY;
}
/* everything seems fine, continue with this user */
}
/* try keystone auth first */
- int keystone_result = -EINVAL;
+ int keystone_result = -ERR_INVALID_ACCESS_KEY;;
if (store->ctx()->_conf->rgw_s3_auth_use_keystone
&& !store->ctx()->_conf->rgw_keystone_url.empty()) {
dout(20) << "s3 keystone: trying keystone auth" << dendl;
string token;
if (!rgw_create_s3_canonical_header(s->info,
- &s->header_time, token, qsr)) {
+ &s->header_time, token, qsr)) {
dout(10) << "failed to create auth header\n" << token << dendl;
+ keystone_result = -EPERM;
} else {
keystone_result = keystone_validator.validate_s3token(auth_id, token,
auth_sign);
}
}
- /* keystone failed (or not enabled); check if we want to use rados backend */
- if (!store->ctx()->_conf->rgw_s3_auth_use_rados
- && keystone_result < 0)
- return keystone_result;
-
- /* now try rados backend, but only if keystone did not succeed */
if (keystone_result < 0) {
+ if (!store->ctx()->_conf->rgw_s3_auth_use_rados) {
+ /* No other auth option possible. Terminate request. */
+ return keystone_result;
+ }
+
/* get the user info */
if (rgw_get_user_info_by_access_key(store, auth_id, *(s->user)) < 0) {
dout(5) << "error reading user info, uid=" << auth_id
<< " can't authenticate" << dendl;
- return -ERR_INVALID_ACCESS_KEY;
+ return keystone_result;
}
/* now verify signature */
projects / ceph.git / commitdiff