.set_description("Should S3 authentication use Keystone."),
Option("rgw_s3_auth_order", Option::TYPE_STR, Option::LEVEL_ADVANCED)
- .set_default("external, local, sts")
+ .set_default("sts, external, local")
.set_description("Authentication strategy order to use for s3 authentication")
.set_long_description(
"Order of authentication strategies to try for s3 authentication, the allowed "
TokenEngine::authenticate(const std::string& token,
const req_state* const s) const
{
- //If Keystone is enabled and the request has a session token, then keystone shouldn't authenticate it.
- if (s->info.args.exists("X-Amz-Security-Token") ||
- s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN")) {
- return result_t::deny();
- }
-
boost::optional<TokenEngine::token_envelope_t> t;
/* This will be initialized on the first call to this method. In C++11 it's
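Review bot: Dropping this guard means the Keystone TokenEngine will now authenticate a request that carries X-Amz-Security-Token or HTTP_X_AMZ_SECURITY_TOKEN whenever the strategy reaches it, so the invariant "session-token requests are only authenticated by STS" now rests on the STS engine being listed before it in rgw_s3_auth_order and on the strategy not continuing to later engines after an STS deny; neither is enforced at this point, and an operator who keeps the old default `external, local, sts` (or omits `sts`) loses the protection. The same guard is removed in the hunks for the Keystone passthrough engine, the LDAP engine and the local engine, with the same consequence. If the reliance on ordering is intended, record it where the check used to be, e.g. `/* Requests carrying a session token are expected to be consumed by the STS engine, which rgw_s3_auth_order must list ahead of this one. */`. The enclosing function continues outside the hunk.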
/* Passthorugh only! */
const req_state* s) const
{
- //If Keystone is enabled and the request has a session token, then Keystone shouldn't authenticate it.
- if (s->info.args.exists("X-Amz-Security-Token") ||
- s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN")) {
- return result_t::deny();
- }
-
/* This will be initialized on the first call to this method. In C++11 it's
* also thread-safe. */
static const struct RolesCacher {
auto auth_order = parse_auth_order(cct);
engine_map_t engine_map;
+
+ /* STS Auth*/
+ if (! sts_engine.is_empty()) {
+ engine_map.insert(std::make_pair("sts", std::cref(sts_engine)));
+ }
+
/* The external auth. */
if (! external_engines.is_empty()) {
engine_map.insert(std::make_pair("external", std::cref(external_engines)));
engine_map.insert(std::make_pair("local", std::cref(local_engine)));
}
- /* STS Auth*/
- if (! sts_engine.is_empty()) {
- engine_map.insert(std::make_pair("sts", std::cref(sts_engine)));
- }
-
add_engines(auth_order, engine_map);
}
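Review bot: Moving the STS insertion above the external/local block does not by itself change which engine runs first: engine_map is keyed by engine name and add_engines(auth_order, engine_map) appears to select engines in the order given by rgw_s3_auth_order, so the ordering guarantee the commit relies on lives in that option's default rather than here (inferred; add_engines is not in the hunk). A comment on the moved block would make the dependency explicit, e.g. `/* STS auth. rgw_s3_auth_order must list it ahead of the other engines so that session-token requests are not authenticated by them. */`, and would also fix the missing space in `/* STS Auth*/`. The enclosing function starts outside the hunk.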
const completer_factory_t& completer_factory,
const req_state* const s) const
{
- //If LDAP is enabled and the request has a session token, then LDAP shouldn't authenticate it.
- if (s->info.args.exists("X-Amz-Security-Token") ||
- s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN")) {
- return result_t::deny();
- }
-
/* boost filters and/or string_ref may throw on invalid input */
rgw::RGWToken base64_token;
try {
const completer_factory_t& completer_factory,
const req_state* const s) const
{
- //If LocalAuth is enabled and the request has a session token, then LocalEngine shouldn't authenticate it.
- if (s->info.args.exists("X-Amz-Security-Token") ||
- s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN")) {
- return result_t::deny();
- }
-
/* get the user info */
RGWUserInfo user_info;
/* TODO(rzarzynski): we need to have string-view taking variant. */
const completer_factory_t& completer_factory,
const req_state* const s) const
{
+ if (! s->info.args.exists("X-Amz-Security-Token") &&
+ ! s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN")) {
+ return result_t::deny();
+ }
+
STS::SessionToken token;
if (int ret = get_session_token(session_token, token); ret < 0) {
return result_t::deny(ret);
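Review bot: The new early return denies without a reason code, so a request rejected here merely because it carries no session token is indistinguishable in the result from a later token-validation failure (`return result_t::deny(ret);` below), which matters when reading denial logs for STS; a comment on the `if` stating the intent would help, e.g. `/* Not an STS request (no session token present): decline so the remaining engines in the strategy can handle it. */`. Whether the strategy actually proceeds to the next engine after this deny depends on its configured control policy, which is outside the hunk. The enclosing function continues past the hunk.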