rgw/sts: code to add role tags as aws:PrincipalTags and
authorPritha Srivastava <prsrivas@redhat.com>
Thu, 3 Jun 2021 10:03:03 +0000 (15:33 +0530)
committerPritha Srivastava <prsrivas@redhat.com>
Mon, 22 Aug 2022 09:15:20 +0000 (14:45 +0530)
iam:ResourceTags.

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
(cherry picked from commit 58f1bb65bec5c7af2769732ca8748f2943242fb2)

src/rgw/rgw_auth.cc
src/rgw/rgw_auth.h
src/rgw/rgw_rest_sts.cc
src/rgw/rgw_rest_sts.h

index 29254cf15c226c0e01fb55b990be8163ba9f8b85..1a1f5b113ead381cc84d7f0eb5527b545a27eaa6 100644 (file)
@@ -479,6 +479,20 @@ void rgw::auth::WebIdentityApplier::modify_request_state(const DoutPrefixProvide
       }
     }
   }
+
+  if (role_tags) {
+    for (auto& it : role_tags.get()) {
+      std::string p_key = "aws:PrincipalTag/";
+      p_key.append(it.first);
+      s->principal_tags.emplace_back(std::make_pair(p_key, it.second));
+      ldpp_dout(dpp, 10) << "Principal Tag Key: " << p_key << " Value: " << it.second << dendl;
+
+      std::string e_key = "iam:ResourceTag/";
+      e_key.append(it.first);
+      s->env.emplace(e_key, it.second);
+      ldpp_dout(dpp, 10) << "RGW Env Tag Key: " << e_key << " Value: " << it.second << dendl;
+    }
+  }
 }
 
 bool rgw::auth::WebIdentityApplier::is_identity(const idset_t& ids) const
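Review bot: A role tag whose key is already present in `s->env` is added with `emplace` (the `s->env.emplace(e_key, it.second)` line), which on a `std::map` silently keeps the existing value and on a multimap adds a second entry for the same key; the type of `s->env` is not visible here, so which of the two happens — and whether token-supplied tags or role tags are meant to win — should be stated in a comment such as `// role tags never override a key already present in env` (or the call switched to `insert_or_assign` if the opposite is intended). Separately, `it` is a key/value pair rather than an iterator, and both freshly built keys are copied into the containers: `for (const auto& [key, value] : *role_tags) {` with `s->principal_tags.emplace_back(std::move(p_key), value);` and `s->env.emplace(std::move(e_key), value);` reads more clearly and avoids the copies. `modify_request_state` begins before this hunk.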
index c0df09818f7af95c3b7a8592f051eec583135df0..dab41256c69b25a83224ed098a6396174db24fd5 100644 (file)
@@ -379,6 +379,7 @@ protected:
   std::string role_session;
   std::string role_tenant;
   std::unordered_multimap<std::string, std::string> token_claims;
+  boost::optional<std::multimap<std::string,std::string>> role_tags;
   boost::optional<std::set<std::pair<std::string, std::string>>> principal_tags;
 
   string get_idp_url() const;
@@ -393,12 +394,14 @@ public:
                       const std::string& role_session,
                       const std::string& role_tenant,
                       const std::unordered_multimap<std::string, std::string>& token_claims,
+                      boost::optional<std::multimap<std::string,std::string>> role_tags,
                       boost::optional<std::set<std::pair<std::string, std::string>>> principal_tags)
       : cct(cct),
       ctl(ctl),
       role_session(role_session),
       role_tenant(role_tenant),
       token_claims(token_claims),
+      role_tags(role_tags),
       principal_tags(principal_tags) {
       const auto& sub = token_claims.find("sub");
       if(sub != token_claims.end()) {
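Review bot: The new `role_tags` constructor parameter is taken by value and then copied again into the member in the init list (`role_tags(role_tags)`), so every applier construction copies the multimap twice; `role_tags(std::move(role_tags))` makes the by-value parameter a proper sink, and the same applies to the pre-existing `principal_tags(principal_tags)` beside it. The constructor body continues past the end of the hunk.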
@@ -483,6 +486,7 @@ public:
                                               const std::string& role_session,
                                               const std::string& role_tenant,
                                               const std::unordered_multimap<std::string, std::string>& token,
+                                              boost::optional<std::multimap<std::string, std::string>>,
                                               boost::optional<std::set<std::pair<std::string, std::string>>> principal_tags) const = 0;
   };
 };
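Review bot: The added parameter of the pure-virtual `create_apl_web_identity` is the only unnamed one in the signature, so a reader of the interface cannot tell what the optional multimap carries without locating an override; naming it as the override does, `boost::optional<std::multimap<std::string, std::string>> role_tags,`, keeps the declaration self-describing. The enclosing class starts before this hunk.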
@@ -738,7 +742,7 @@ public:
   }
   bool is_identity(const idset_t& ids) const override;
   uint32_t get_perm_mask() const override {
-    return RGW_PERM_NONE;
+    return RGW_PERM_NONE; 
   }
   void to_str(std::ostream& out) const override;
   void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
index 0d8532e973f908c9c4197725f7ff1bd9635cb162..10695b369b069a58bac52188112f66c60c78f7b5 100644 (file)
@@ -60,6 +60,23 @@ WebTokenEngine::get_role_tenant(const string& role_arn) const
   return tenant;
 }
 
+std::string
+WebTokenEngine::get_role_name(const string& role_arn) const
+{
+  string role_name;
+  auto r_arn = rgw::ARN::parse(role_arn);
+  if (r_arn) {
+    role_name = r_arn->resource;
+  }
+  if (!role_name.empty()) {
+    auto pos = role_name.find_last_of('/');
+    if(pos != string::npos) {
+      role_name = role_name.substr(pos + 1);
+    }
+  }
+  return role_name;
+}
+
 boost::optional<RGWOIDCProvider>
 WebTokenEngine::get_provider(const DoutPrefixProvider *dpp, const string& role_arn, const string& iss) const
 {
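Review bot: The `!role_name.empty()` guard around the `find_last_of` call is redundant — `std::string::find_last_of` on an empty string returns `npos` — so the body can collapse to the ARN parse followed by `auto pos = role_name.find_last_of('/');` and `if (pos != std::string::npos) role_name = role_name.substr(pos + 1);`. The function carries no comment on what it extracts or on the two silent fallbacks (an empty name when the ARN does not parse, the whole resource when it contains no `/`); something like `// presumably resource is role/<path>/<name>; keep the final component, return "" if the ARN is unparsable` would tell the caller what to expect. Whether returning the whole resource for a slash-less ARN is intended rather than an error is worth confirming.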
@@ -430,7 +447,15 @@ WebTokenEngine::authenticate( const DoutPrefixProvider* dpp,
       }
       string role_arn = s->info.args.get("RoleArn");
       string role_tenant = get_role_tenant(role_arn);
-      auto apl = apl_factory->create_apl_web_identity(cct, s, role_session, role_tenant, *t, princ_tags);
+      string role_name = get_role_name(role_arn);
+      RGWRole role(cct, ctl, role_name, role_tenant);
+      int ret = role.get(dpp, y);
+      if (ret < 0) {
+        ldpp_dout(dpp, 0) << "Role not found: name:" << role_name << " tenant: " << role_tenant << dendl;
+        return result_t::deny(-EACCES);
+      }
+      boost::optional<multimap<string,string>> role_tags = role.get_tags();
+      auto apl = apl_factory->create_apl_web_identity(cct, s, role_session, role_tenant, *t, role_tags, princ_tags);
       return result_t::grant(std::move(apl));
     }
     return result_t::deny(-EACCES);
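Review bot: The failure path collapses every non-zero return of `role.get(dpp, y)` into the message "Role not found" and logs it at level 0 with a name derived from the client-supplied `RoleArn` request parameter, so a backend error (store outage, permission problem) is reported as a missing role, and a misbehaving client can drive this highest-priority log line with arbitrary strings. Appending the code, `ldpp_dout(dpp, 0) << "Failed to load role: name:" << role_name << " tenant: " << role_tenant << " ret=" << ret << dendl;`, keeps the two cases distinguishable, and the level could be brought in line with the other new diagnostics in this commit (which log at 10) if log flooding from unauthenticated input is a concern for the deployment. The `RoleArn` is also parsed twice in a row (`get_role_tenant` and then `get_role_name`); a single parse returning both parts would avoid that, though the cost here is small. The surrounding function begins before this hunk.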
index dc057c8616390a6003b4961011145d97d20a9069..6bcad31db6f9a7c4f4d8915206671efc383f41a7 100644 (file)
@@ -34,8 +34,12 @@ class WebTokenEngine : public rgw::auth::Engine {
 
   boost::optional<RGWOIDCProvider> get_provider(const DoutPrefixProvider *dpp, const string& role_arn, const string& iss) const;
 
-  std::string get_role_tenant(const string& role_arn) const;
+  std::string get_role_tenant(const std::string& role_arn) const;
 
+  std::string get_role_name(const string& role_arn) const;
+
+  std::string get_cert_url(const std::string& iss, const DoutPrefixProvider *dpp,optional_yield y) const;
+  
   std::tuple<boost::optional<WebTokenEngine::token_t>, boost::optional<WebTokenEngine::principal_tags_t>>
   get_from_jwt(const DoutPrefixProvider* dpp, const std::string& token, const req_state* const s, optional_yield y) const;
 
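Review bot: `get_role_name` is declared with an unqualified `string` directly below the line this commit rewrites from `string` to `std::string` for `get_role_tenant`, so the hunk undoes its own consistency fix; `std::string get_role_name(const std::string& role_arn) const;` matches its neighbour. The `get_cert_url` declaration added alongside is missing a space after the comma (`dpp,optional_yield y`), the line after it carries trailing whitespace, and its definition does not appear in the hunks visible in this commit — worth confirming it belongs to this cherry-pick rather than being a leftover from conflict resolution. The class continues past the hunk.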
@@ -89,10 +93,11 @@ class DefaultStrategy : public rgw::auth::Strategy,
                                     const req_state* s,
                                     const std::string& role_session,
                                     const std::string& role_tenant,
-                                    const std::unordered_multimap<string, string>& token,
+                                    const std::unordered_multimap<std::string, std::string>& token,
+                                    boost::optional<std::multimap<std::string, std::string>> role_tags,
                                     boost::optional<std::set<std::pair<std::string, std::string>>> principal_tags) const override {
     auto apl = rgw::auth::add_sysreq(cct, ctl, s,
-      rgw::auth::WebIdentityApplier(cct, ctl, role_session, role_tenant, token, principal_tags));
+      rgw::auth::WebIdentityApplier(cct, ctl, role_session, role_tenant, token, role_tags, principal_tags));
     return aplptr_t(new decltype(apl)(std::move(apl)));
   }