This adds the rgw_keystone_service_token_enabled config
option that determines whether service tokens are allowed or not.
The config option defaults to false.
Signed-off-by: Tobias Urdin <tobias.urdin@binero.com>
services:
- rgw
with_legacy: true
+- name: rgw_keystone_service_token_enabled
+ type: bool
+ level: advanced
+ desc: Service tokens allowing the usage of expired Keystone auth tokens
+ fmt_desc: The service token support allows the incoming request to contain
+ a X-Service-Token header with a Keystone token that if it has acceptable
+ roles allows using an expired token in the X-Auth-Token header.
+ default: false
+ services:
+ - rgw
+ with_legacy: true
- name: rgw_keystone_barbican_user
type: str
level: advanced
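Review bot: The `fmt_desc` on the new option does not say that it is off by default or what enabling it changes about trust, which is the fact an operator reading the generated docs needs: a valid service token carrying one of the accepted roles lets an otherwise expired X-Auth-Token through. Suggested wording: `fmt_desc: Disabled by default. When enabled, a request may carry an X-Service-Token header holding a valid Keystone service token; if that token has one of the accepted roles, an expired token in the X-Auth-Token header is still accepted. Keep the set of accepted roles narrow so only trusted service accounts can use this.` The short `desc` also reads awkwardly; `desc: Allow service tokens to authorize expired Keystone auth tokens` says the same thing more directly.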
return result_t::grant(std::move(apl));
}
- /* TODO(tobias-urdin): Add config option for enabling service token support */
-
/* We have a service token and a token so we verify the service
* token and if it's invalid the request is invalid. If it's valid
* we allow an expired token to be used when doing lookup in Keystone.
* We never get to this if the token is in the cache. */
- if (! service_token.empty()) {
+ if (g_conf()->rgw_keystone_service_token_enabled && ! service_token.empty()) {
boost::optional<TokenEngine::token_envelope_t> st;
const auto& service_token_id = rgw_get_token_id(service_token);
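Review bot: When `rgw_keystone_service_token_enabled` is false and the request still carries a non-empty `service_token`, the gated condition silently falls into the ordinary path, so nothing in the logs tells an operator why the X-Service-Token header had no effect; an `else if (! service_token.empty())` branch emitting one debug-level line stating that the service token was ignored because the option is disabled would make that diagnosable. The block comment above the condition also predates the gate and should mention it, e.g. `* Service token handling is gated by rgw_keystone_service_token_enabled (default false); when it is off any X-Service-Token header is ignored.` The enclosing function begins and continues outside the hunk.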