info->identity = rgw::auth::transform_old_authinfo(sync_env->cct, uid,
info->user_info.display_name,
+ info->user_info.account_id,
RGW_PERM_FULL_CONTROL,
false, /* system_request? */
TYPE_RGW);
#include <array>
#include <string>
+#include <variant>
#include "rgw_common.h"
#include "rgw_auth.h"
#include "rgw_sal.h"
#include "rgw_log.h"
+#include "include/function2.hpp"
#include "include/str_list.h"
#define dout_context g_ceph_context
namespace rgw {
namespace auth {
+static bool match_owner(const rgw_owner& owner, const rgw_user& uid,
+ std::string_view account_id)
+{
+ return std::visit(fu2::overload(
+ [&uid] (const rgw_user& u) { return u == uid; },
+ [&account_id] (const rgw_account_id& a) { return a == account_id; }
+ ), owner);
+}
+
std::unique_ptr<rgw::auth::Identity>
transform_old_authinfo(CephContext* const cct,
const rgw_user& auth_id,
const std::string& display_name,
+ const rgw_account_id& account_id,
const int perm_mask,
const bool is_admin,
const uint32_t type)
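Review bot: `match_owner` is undocumented and its account branch is a bare string comparison, so if `rgw_account_id` is a string type and an owner can ever carry an empty account id, an identity that has no account (`account_id` empty, as the `LocalApplier` and `DummyIdentityApplier` callers pass `user_info.account_id` straight through) would be reported as the owner. I would fail closed there: `[&account_id] (const rgw_account_id& a) { return !account_id.empty() && a == account_id; }`. A header comment is also needed, e.g. `// true when owner names the user uid, or names the account account_id that the identity belongs to; an identity without an account never owns an account-owned resource`. Whether an empty owner account id is reachable depends on how rgw_owner values are built, which is not visible here, so treat the guard as defence in depth.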
* new auth. */
const rgw_user id;
const std::string display_name;
+ const rgw_account_id account_id;
const int perm_mask;
const bool is_admin;
const uint32_t type;
DummyIdentityApplier(CephContext* const cct,
const rgw_user& auth_id,
const std::string display_name,
+ const rgw_account_id& account_id,
const int perm_mask,
const bool is_admin,
const uint32_t type)
: cct(cct),
id(auth_id),
display_name(display_name),
+ account_id(account_id),
perm_mask(perm_mask),
is_admin(is_admin),
type(type) {
return rgw_perms_from_aclspec_default_strategy(id.to_str(), aclspec, dpp);
}
- bool is_admin_of(const rgw_user& acct_id) const override {
+ bool is_admin_of(const rgw_owner& o) const override {
return is_admin;
}
- bool is_owner_of(const rgw_user& acct_id) const override {
- return id == acct_id;
+ bool is_owner_of(const rgw_owner& o) const override {
+ return match_owner(o, id, account_id);
}
bool is_identity(const idset_t& ids) const override {
}
};
- return std::unique_ptr<rgw::auth::Identity>(
- new DummyIdentityApplier(cct,
- auth_id,
- display_name,
- perm_mask,
- is_admin,
- type));
+ return std::make_unique<DummyIdentityApplier>(
+ cct, auth_id, display_name, account_id,
+ perm_mask, is_admin, type);
}
std::unique_ptr<rgw::auth::Identity>
transform_old_authinfo(const req_state* const s)
{
+ const RGWUserInfo& info = s->user->get_info();
return transform_old_authinfo(s->cct,
- s->user->get_id(),
- s->user->get_display_name(),
+ info.user_id,
+ info.display_name,
+ info.account_id,
s->perm_mask,
/* System user has admin permissions by default - it's supposed to pass
* through any security check. */
s->system_request,
- s->user->get_type());
+ info.type);
}
} /* namespace auth */
return perm;
}
-bool rgw::auth::RemoteApplier::is_admin_of(const rgw_user& uid) const
+bool rgw::auth::RemoteApplier::is_admin_of(const rgw_owner& o) const
{
return info.is_admin;
}
-bool rgw::auth::RemoteApplier::is_owner_of(const rgw_user& uid) const
+bool rgw::auth::RemoteApplier::is_owner_of(const rgw_owner& o) const
{
+ auto* uid = std::get_if<rgw_user>(&o);
+ if (!uid) {
+ return false;
+ }
+
if (info.acct_user.tenant.empty()) {
const rgw_user tenanted_acct_user(info.acct_user.id, info.acct_user.id);
- if (tenanted_acct_user == uid) {
+ if (tenanted_acct_user == *uid) {
return true;
}
}
- return info.acct_user == uid;
+ return info.acct_user == *uid;
}
bool rgw::auth::RemoteApplier::is_identity(const idset_t& ids) const {
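Review bot: The early `return false` when `o` holds an account id encodes a policy decision — a remotely authenticated identity can never own an account-owned resource — without saying so, while `is_admin_of` one hunk up still answers `info.is_admin` regardless of whether `o` is a user or an account, so the two methods now treat accounts differently. Since this applier only consults `info.acct_user` and apparently has no account field, fail-closed is the right default, but it should be stated above the `std::get_if`: `// remote identities carry no account, so account-owned resources are never theirs (fail closed)`. If `RemoteApplier` is later given an account id, this is the line that must change together with `match_owner`.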
return mask;
}
-bool rgw::auth::LocalApplier::is_admin_of(const rgw_user& uid) const
+bool rgw::auth::LocalApplier::is_admin_of(const rgw_owner& o) const
{
return user_info.admin || user_info.system;
}
-bool rgw::auth::LocalApplier::is_owner_of(const rgw_user& uid) const
+bool rgw::auth::LocalApplier::is_owner_of(const rgw_owner& o) const
{
- return uid == user_info.user_id;
+ return match_owner(o, user_info.user_id, user_info.account_id);
}
bool rgw::auth::LocalApplier::is_identity(const idset_t& ids) const {
* applier that is being used. */
virtual uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const = 0;
- /* Verify whether a given identity *can be treated as* an admin of rgw_user
- * (account in Swift's terminology) specified in @uid. On error throws
- * rgw::auth::Exception storing the reason. */
- virtual bool is_admin_of(const rgw_user& uid) const = 0;
+ /* Verify whether a given identity *can be treated as* an admin of rgw_owner
+ * specified in @o. On error throws rgw::auth::Exception storing the reason. */
+ virtual bool is_admin_of(const rgw_owner& o) const = 0;
- /* Verify whether a given identity *is* the owner of the rgw_user (account
- * in the Swift's terminology) specified in @uid. On internal error throws
- * rgw::auth::Exception storing the reason. */
- virtual bool is_owner_of(const rgw_user& uid) const = 0;
+ /* Verify whether a given identity is the rgw_owner specified in @o.
+ * On internal error throws rgw::auth::Exception storing the reason. */
+ virtual bool is_owner_of(const rgw_owner& o) const = 0;
/* Return the permission mask that is used to narrow down the set of
* operations allowed for a given identity. This method reflects the idea
transform_old_authinfo(CephContext* const cct,
const rgw_user& auth_id,
const std::string& display_name,
+ const rgw_account_id& account_id,
const int perm_mask,
const bool is_admin,
const uint32_t type);
return RGW_PERM_NONE;
}
- bool is_admin_of(const rgw_user& uid) const override {
+ bool is_admin_of(const rgw_owner& o) const override {
return false;
}
- bool is_owner_of(const rgw_user& uid) const override {
- if (uid.id == this->sub && uid.tenant == role_tenant && uid.ns == "oidc") {
- return true;
- }
- return false;
+ bool is_owner_of(const rgw_owner& o) const override {
+ auto* uid = std::get_if<rgw_user>(&o);
+ return uid && uid->id == sub && uid->tenant == role_tenant && uid->ns == "oidc";
}
uint32_t get_perm_mask() const override {
ACLOwner get_aclowner() const override;
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
- bool is_admin_of(const rgw_user& uid) const override;
- bool is_owner_of(const rgw_user& uid) const override;
+ bool is_admin_of(const rgw_owner& o) const override;
+ bool is_owner_of(const rgw_owner& o) const override;
bool is_identity(const idset_t& ids) const override;
uint32_t get_perm_mask() const override { return info.perm_mask; }
ACLOwner get_aclowner() const override;
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
- bool is_admin_of(const rgw_user& uid) const override;
- bool is_owner_of(const rgw_user& uid) const override;
+ bool is_admin_of(const rgw_owner& o) const override;
+ bool is_owner_of(const rgw_owner& o) const override;
bool is_identity(const idset_t& ids) const override;
uint32_t get_perm_mask() const override {
if (this->perm_mask == RGW_PERM_INVALID) {
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
return 0;
}
- bool is_admin_of(const rgw_user& uid) const override {
+ bool is_admin_of(const rgw_owner& o) const override {
return false;
}
- bool is_owner_of(const rgw_user& uid) const override {
- return (this->token_attrs.user_id.id == uid.id && this->token_attrs.user_id.tenant == uid.tenant && this->token_attrs.user_id.ns == uid.ns);
+ bool is_owner_of(const rgw_owner& o) const override {
+ auto* uid = std::get_if<rgw_user>(&o);
+ // TODO: handle account roles
+ return uid && *uid == token_attrs.user_id;
}
bool is_identity(const idset_t& ids) const override;
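Review bot: The `// TODO: handle account roles` comment leaves the interim behaviour unstated; the `std::get_if<rgw_user>` guard means an account-owned resource is never matched here, which is fail-closed and should be said explicitly, e.g. `// TODO: handle account roles; until then account owners are never matched (denied)`. The comparison also changed from the removed field-wise test on `id`, `tenant` and `ns` to `*uid == token_attrs.user_id`, which is only equivalent if `rgw_user::operator==` compares exactly those three fields — if it compares additional members, ownership could now be denied for users that previously matched, so worth confirming against `rgw_user`. The enclosing class starts and ends outside the hunk.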
uint32_t get_perm_mask() const override {
return get_decoratee().get_perms_from_aclspec(dpp, aclspec);
}
- bool is_admin_of(const rgw_user& uid) const override {
- return get_decoratee().is_admin_of(uid);
+ bool is_admin_of(const rgw_owner& o) const override {
+ return get_decoratee().is_admin_of(o);
}
- bool is_owner_of(const rgw_user& uid) const override {
- return get_decoratee().is_owner_of(uid);
+ bool is_owner_of(const rgw_owner& o) const override {
+ return get_decoratee().is_owner_of(o);
}
bool is_anonymous() const override {
const RGWUserInfo& user_info)
: LocalApplier(cct, user_info, LocalApplier::NO_SUBUSER, std::nullopt, LocalApplier::NO_ACCESS_KEY) {
}
- bool is_admin_of(const rgw_user& uid) const {return false;}
- bool is_owner_of(const rgw_user& uid) const {return uid.id.compare(RGW_USER_ANON_ID) == 0;}
+ bool is_admin_of(const rgw_owner& o) const {return false;}
+ bool is_owner_of(const rgw_owner& o) const {
+ auto* uid = std::get_if<rgw_user>(&o);
+ return uid && uid->id == RGW_USER_ANON_ID;
+ }
};
class SwiftAnonymousEngine : public rgw::auth::AnonymousEngine {
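Review bot: `is_admin_of` and `is_owner_of` in this class still carry no `override`, although every other overrider in this commit has one and the class derives from `LocalApplier` (line `: LocalApplier(cct, user_info, ...)`), which, if the header declarations above belong to it, declares both as virtual. Without `override` a signature drift like this very `rgw_user` to `rgw_owner` migration compiles silently and leaves the base-class implementation in effect instead of the anonymous one, which is exactly the failure mode an authorization override must not have; change them to `bool is_admin_of(const rgw_owner& o) const override {return false;}` and `bool is_owner_of(const rgw_owner& o) const override {`. The class body starts outside the hunk.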
return 0;
};
- bool is_admin_of(const rgw_user& uid) const override {
+ bool is_admin_of(const rgw_owner& o) const override {
ceph_abort();
return false;
}
- bool is_owner_of(const rgw_user& uid) const override {
+ bool is_owner_of(const rgw_owner& owner) const override {
ceph_abort();
return false;
}
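Review bot: The parameter is named `owner` here while every other `is_owner_of` overrider in this commit calls it `o`, and a later hunk names it `uid` even though the type is now `rgw_owner`; use `const rgw_owner& o` consistently in all of them. Both bodies here unconditionally `ceph_abort()`, so the name is cosmetic in this class, but a parameter labelled `uid` on an `rgw_owner` will mislead the next reader into treating an account owner as a user. The enclosing class starts and ends outside the hunk.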
return 0;
};
- bool is_admin_of(const rgw_user& uid) const override {
+ bool is_admin_of(const rgw_owner& o) const override {
return false;
}
- bool is_owner_of(const rgw_user& uid) const override {
+ bool is_owner_of(const rgw_owner& uid) const override {
return false;
}