Merge pull request #8657 from rzarzynski/wip-rgw-swift-auth
authorMatt Benjamin <mbenjamin@redhat.com>
Tue, 7 Jun 2016 14:36:30 +0000 (10:36 -0400)
committerMatt Benjamin <mbenjamin@redhat.com>
Tue, 7 Jun 2016 14:36:30 +0000 (10:36 -0400)
rgw: authentication subsystem rework

Passed teuthology rgw suite.

1  2 
src/CMakeLists.txt
src/common/config_opts.h
src/rgw/librgw.cc
src/rgw/rgw_admin.cc
src/rgw/rgw_common.h
src/rgw/rgw_op.cc
src/rgw/rgw_rest_s3.cc
src/rgw/rgw_user.h
src/test/cli/radosgw-admin/help.t

Simple merge
Simple merge
Simple merge
index a69eaa1cc2c1a75da22880079e3badd112e487f2,3abfbdd6a3382ede5aad331df43f1918caac256e..f37474daadea13c70e69985369dc8132c49bae93
@@@ -3638,9 -3641,12 +3643,12 @@@ int main(int argc, char **argv
    if (gen_secret_key)
      user_op.set_gen_secret(); // assume that a key pair should be created
  
 -  if (max_buckets >= 0)
 +  if (max_buckets_specified)
      user_op.set_max_buckets(max_buckets);
  
+   if (admin_specified)
+      user_op.set_admin(admin);
    if (system_specified)
      user_op.set_system(system);
  
index 5841962aae4ee7bc915415384adb2513bacd5814,c4a95fc4d2b5513433128f6229d314ab94d53f43..acd512660647266476d7be325a9dfc088ac8baea
@@@ -539,9 -537,10 +537,10 @@@ struct RGWUserInf
    map<string, RGWAccessKey> swift_keys;
    map<string, RGWSubUser> subusers;
    __u8 suspended;
 -  uint32_t max_buckets;
 +  int32_t max_buckets;
    uint32_t op_mask;
    RGWUserCaps caps;
+   __u8 admin;
    __u8 system;
    string default_placement;
    list<string> placement_tags;
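Review bot: The new `__u8 admin` member of RGWUserInfo appears to carry a privilege decision (rgw_admin.cc in this merge sets it via `user_op.set_admin(admin)`), so it must be zero-initialized in the constructor and carried through the struct's encode/decode with a version bump; neither the constructor nor the encode/decode functions are inside this hunk, so I cannot confirm the merge covers them. A record decoded from an older on-disk version must come back with admin == 0, and a freshly constructed RGWUserInfo must not start with an indeterminate admin value, since either would be a privilege-escalation path rather than a cosmetic bug. The field also deserves a comment next to `system`, because its meaning is not obvious from the name alone: `__u8 admin; // privileged-user flag: keep zero-initialized and versioned in encode/decode`. The RGWUserInfo definition starts and ends outside the hunk.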
index 5bc7cb43fa051a3fd9a152a74d14202b13fafaf5,8a9683dfc9badc6c0e3894699999d29f17ef1f39..a8add0ea48d51eabadc25d26bc9e3fbe01c5bf77
@@@ -1783,19 -1888,24 +1888,27 @@@ int RGWGetBucketLocation::verify_permis
  
  int RGWCreateBucket::verify_permission()
  {
-   if (!rgw_user_is_authenticated(*(s->user)))
+   /* This check is mostly needed for S3 that doesn't support account ACL.
+    * Swift doesn't allow to delegate any permission to an anonymous user,
+    * so it will become an early exit in such case. */
+   if (s->auth_identity->is_anonymous()) {
      return -EACCES;
+   }
+   if (!verify_user_permission(s, RGW_PERM_WRITE)) {
+     return -EACCES;
+   }
  
    if (s->user->user_id.tenant != s->bucket_tenant) {
-     ldout(s->cct, 10)
-       << "user cannot create a bucket in a different tenant (user_id.tenant="
-       << s->user->user_id.tenant << " requested=" << s->bucket_tenant << ")"
-       << dendl;
+     ldout(s->cct, 10) << "user cannot create a bucket in a different tenant"
+                       << " (user_id.tenant=" << s->user->user_id.tenant
+                       << " requested=" << s->bucket_tenant << ")"
+                       << dendl;
      return -EACCES;
    }
 +  if (s->user->max_buckets < 0) {
 +    return -EPERM;
 +  }
  
    if (s->user->max_buckets) {
      RGWUserBuckets buckets;
      op_ret = rgw_read_user_buckets(store, s->user->user_id, buckets,
                                   marker, string(), s->user->max_buckets,
                                   false, &is_truncated);
-     if (op_ret < 0)
+     if (op_ret < 0) {
        return op_ret;
+     }
  
 -    if (buckets.count() >= s->user->max_buckets) {
 +    if ((int)buckets.count() >= s->user->max_buckets) {
        return -ERR_TOO_MANY_BUCKETS;
      }
    }
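Review bot: The max_buckets enforcement at the bottom of the hunk is check-then-act: the count comes from rgw_read_user_buckets and is compared against `s->user->max_buckets`, but nothing visible here serializes that read with the bucket creation that follows, so two concurrent creates from the same user can both observe count == max_buckets - 1 and both succeed. If the limit is meant as a hard quota that needs to be solved where creation is performed; if it is best-effort, a comment above `if (s->user->max_buckets) {` such as `// Best-effort limit: the count is not atomic with creation, so concurrent requests can exceed max_buckets by a small margin.` keeps the next reader from assuming a guarantee that is not there. The new `if (s->user->max_buckets < 0)` branch is the deliberate "creation disabled" case and would read better with `// negative max_buckets disables bucket creation for this user` above it, since -EPERM versus -ERR_TOO_MANY_BUCKETS is otherwise the only hint. RGWCreateBucket::verify_permission continues past the end of the hunk.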
Simple merge
index 269ae90dc30fadc8ff575bcc93c3e87580ca5eee,e13aee4894ff730e51c3600622c5217bb606bab8..832b66553017401fb9fe4437ad36e1c292400da4
@@@ -157,8 -156,9 +156,9 @@@ struct RGWUserAdminOpState 
    rgw_user user_id;
    std::string user_email;
    std::string display_name;
 -  uint32_t max_buckets;
 +  int32_t max_buckets;
    __u8 suspended;
+   __u8 admin;
    __u8 system;
    __u8 exclusive;
    __u8 fetch_stats;
Simple merge