rgw/auth: expose Identity::get_account()

now that all identities store an optional account, expose that to the
rest of rgw with get_account(). this cleans up lots of code that
otherwise has to deal with the rgw_owner variant

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 405f93305f0d630a784b2de18a5f263b37362434)

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 75464d3b63931301787679d78360934f0b225f9d..57eded9eb6a8a5477e91861aa65cde45435c396f 100644 (file)
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -279,6 +279,9 @@ static auto transform_old_authinfo(const RGWUserInfo& user,
     const std::string& get_tenant() const override {
       return id.tenant;
     }
+    const std::optional<RGWAccountInfo>& get_account() const override {
+      return account;
+    }
 
     void write_ops_log_entry(rgw_log_entry& entry) const override {
       if (account) {

diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index 9fc92277dbb884639753f2ce5590577491ddb110..2029bf6ce1e28522633cfaf82cd00826ebef52d4 100644 (file)
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -87,6 +87,9 @@ public:
   /* Identity's tenant namespace */
   virtual const std::string& get_tenant() const = 0;
 
+  /* Return the identity's account info if present */
+  virtual const std::optional<RGWAccountInfo>& get_account() const = 0;
+
   /* write any auth-specific fields that are safe to expose in the ops log */
   virtual void write_ops_log_entry(rgw_log_entry& entry) const {};
 };
@@ -497,6 +500,9 @@ public:
   const std::string& get_tenant() const override {
     return role_tenant;
   }
+  const std::optional<RGWAccountInfo>& get_account() const override {
+    return account;
+  }
   void write_ops_log_entry(rgw_log_entry& entry) const override;
 
   struct Factory {
@@ -656,6 +662,9 @@ public:
   const std::string& get_tenant() const override {
     return info.acct_user.tenant;
   }
+  const std::optional<RGWAccountInfo>& get_account() const override {
+    return account;
+  }
 
   struct Factory {
     virtual ~Factory() {}
@@ -728,6 +737,9 @@ public:
   const std::string& get_tenant() const override {
     return user_info.user_id.tenant;
   }
+  const std::optional<RGWAccountInfo>& get_account() const override {
+    return account;
+  }
 
   void write_ops_log_entry(rgw_log_entry& entry) const override;
 
@@ -793,6 +805,9 @@ public:
   std::string get_acct_name() const override { return {}; }
   std::string get_subuser() const override { return {}; }
   const std::string& get_tenant() const override { return role.tenant; }
+  const std::optional<RGWAccountInfo>& get_account() const override {
+    return role.account;
+  }
   void write_ops_log_entry(rgw_log_entry& entry) const override;
 
   void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;

diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h
index 3725b17514eda8fe6830688c3677a5cec2101e9a..a93641e8b8eddc30c4ad0cbb2819183ef3b08f55 100644 (file)
--- a/src/rgw/rgw_auth_filters.h
+++ b/src/rgw/rgw_auth_filters.h
@@ -113,6 +113,10 @@ public:
     return get_decoratee().get_tenant();
   }
 
+  const std::optional<RGWAccountInfo>& get_account() const override {
+    return get_decoratee().get_account();
+  }
+
   void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override {  /* out */
     return get_decoratee().load_acct_info(dpp, user_info);
   }

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 7c878eea25442f7fd7b5e57a7c8f4d82ab6e0212..21df28045849b338c11d28f4aff2c28b2313becd 100644 (file)
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1286,7 +1286,7 @@ bool verify_user_permission(const DoutPrefixProvider* dpp,
 {
   perm_state_from_req_state ps(s);
 
-  if (std::holds_alternative<rgw_account_id>(s->owner.id)) {
+  if (s->auth.identity->get_account()) {
     // account users always require an Allow from identity-based policy
     mandatory_policy = true;
   }
@@ -1365,7 +1365,7 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp,
 {
   perm_state_from_req_state ps(s);
 
-  if (std::holds_alternative<rgw_account_id>(s->owner.id)) {
+  if (ps.identity->get_account()) {
     const bool account_root = (ps.identity->get_identity_type() == TYPE_ROOT);
     if (!ps.identity->is_owner_of(s->bucket_owner.id)) {
       ldpp_dout(dpp, 4) << "cross-account request for bucket owner "
@@ -1509,7 +1509,7 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, req_state * const s
 {
   perm_state_from_req_state ps(s);
 
-  if (std::holds_alternative<rgw_account_id>(s->owner.id)) {
+  if (ps.identity->get_account()) {
     const bool account_root = (ps.identity->get_identity_type() == TYPE_ROOT);
 
     const rgw_owner& object_owner = !object_acl.get_owner().empty() ?

diff --git a/src/rgw/rgw_rest_iam_group.cc b/src/rgw/rgw_rest_iam_group.cc
index 1880111395fe0d2cb3182ba877c85c87abb29beb..0fbe469ee07d4ae7dc140710c112f43aedbe0dc2 100644 (file)
--- a/src/rgw/rgw_rest_iam_group.cc
+++ b/src/rgw/rgw_rest_iam_group.cc
@@ -76,8 +76,8 @@ int RGWCreateGroup_IAM::init_processing(optional_yield y)
 {
   // use account id from authenticated user/role. with AssumeRole, this may not
   // match the account of s->user
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    info.account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    info.account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -254,8 +254,8 @@ class RGWGetGroup_IAM : public RGWOp {
 
 int RGWGetGroup_IAM::init_processing(optional_yield y)
 {
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -365,8 +365,8 @@ class RGWUpdateGroup_IAM : public RGWOp {
 int RGWUpdateGroup_IAM::init_processing(optional_yield y)
 {
   rgw_account_id account_id;
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -512,8 +512,8 @@ class RGWDeleteGroup_IAM : public RGWOp {
 int RGWDeleteGroup_IAM::init_processing(optional_yield y)
 {
   rgw_account_id account_id;
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -688,8 +688,8 @@ class RGWListGroups_IAM : public RGWOp {
 
 int RGWListGroups_IAM::init_processing(optional_yield y)
 {
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -820,8 +820,8 @@ class RGWAddUserToGroup_IAM : public RGWOp {
 
 int RGWAddUserToGroup_IAM::init_processing(optional_yield y)
 {
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    group.account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    group.account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -957,8 +957,8 @@ class RGWRemoveUserFromGroup_IAM : public RGWOp {
 
 int RGWRemoveUserFromGroup_IAM::init_processing(optional_yield y)
 {
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    group.account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    group.account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -1093,8 +1093,8 @@ class RGWListGroupsForUser_IAM : public RGWOp {
 
 int RGWListGroupsForUser_IAM::init_processing(optional_yield y)
 {
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -1203,8 +1203,8 @@ class RGWPutGroupPolicy_IAM : public RGWOp {
 
 int RGWPutGroupPolicy_IAM::init_processing(optional_yield y)
 {
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    info.account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    info.account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -1354,8 +1354,8 @@ class RGWGetGroupPolicy_IAM : public RGWOp {
 
 int RGWGetGroupPolicy_IAM::init_processing(optional_yield y)
 {
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    info.account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    info.account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -1457,8 +1457,8 @@ class RGWDeleteGroupPolicy_IAM : public RGWOp {
 
 int RGWDeleteGroupPolicy_IAM::init_processing(optional_yield y)
 {
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    info.account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    info.account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -1592,8 +1592,8 @@ class RGWListGroupPolicies_IAM : public RGWOp {
 
 int RGWListGroupPolicies_IAM::init_processing(optional_yield y)
 {
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    info.account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    info.account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -1698,8 +1698,8 @@ class RGWAttachGroupPolicy_IAM : public RGWOp {
 
 int RGWAttachGroupPolicy_IAM::init_processing(optional_yield y)
 {
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    info.account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    info.account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -1847,8 +1847,8 @@ class RGWDetachGroupPolicy_IAM : public RGWOp {
 
 int RGWDetachGroupPolicy_IAM::init_processing(optional_yield y)
 {
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    info.account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    info.account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -1982,8 +1982,8 @@ class RGWListAttachedGroupPolicies_IAM : public RGWOp {
 
 int RGWListAttachedGroupPolicies_IAM::init_processing(optional_yield y)
 {
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    info.account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    info.account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }

diff --git a/src/rgw/rgw_rest_iam_user.cc b/src/rgw/rgw_rest_iam_user.cc
index 90a50e3949e5ae30bd250661fad80d65021ccd94..06c0d5bde0834d3700fea769293b5b36ffce0a5e 100644 (file)
--- a/src/rgw/rgw_rest_iam_user.cc
+++ b/src/rgw/rgw_rest_iam_user.cc
@@ -69,8 +69,8 @@ int RGWCreateUser_IAM::init_processing(optional_yield y)
 {
   // use account id from authenticated user/role. with AssumeRole, this may not
   // match the account of s->user
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    info.account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    info.account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -254,8 +254,8 @@ int RGWGetUser_IAM::init_processing(optional_yield y)
 {
   // use account id from authenticated user/role. with AssumeRole, this may not
   // match the account of s->user
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -348,8 +348,8 @@ int RGWUpdateUser_IAM::init_processing(optional_yield y)
   // use account id from authenticated user/role. with AssumeRole, this may not
   // match the account of s->user
   rgw_account_id account_id;
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -498,8 +498,8 @@ int RGWDeleteUser_IAM::init_processing(optional_yield y)
   // use account id from authenticated user/role. with AssumeRole, this may not
   // match the account of s->user
   rgw_account_id account_id;
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -669,8 +669,8 @@ int RGWListUsers_IAM::init_processing(optional_yield y)
 {
   // use account id from authenticated user/role. with AssumeRole, this may not
   // match the account of s->user
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -814,8 +814,8 @@ int RGWCreateAccessKey_IAM::init_processing(optional_yield y)
   // use account id from authenticated user/role. with AssumeRole, this may not
   // match the account of s->user
   rgw_account_id account_id;
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -1015,8 +1015,8 @@ int RGWUpdateAccessKey_IAM::init_processing(optional_yield y)
   // use account id from authenticated user/role. with AssumeRole, this may not
   // match the account of s->user
   rgw_account_id account_id;
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -1175,8 +1175,8 @@ int RGWDeleteAccessKey_IAM::init_processing(optional_yield y)
   // use account id from authenticated user/role. with AssumeRole, this may not
   // match the account of s->user
   rgw_account_id account_id;
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -1318,8 +1318,8 @@ int RGWListAccessKeys_IAM::init_processing(optional_yield y)
   // use account id from authenticated user/role. with AssumeRole, this may not
   // match the account of s->user
   rgw_account_id account_id;
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account_id = *id;
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
   } else {
     return -ERR_METHOD_NOT_ALLOWED;
   }

diff --git a/src/rgw/rgw_rest_oidc_provider.cc b/src/rgw/rgw_rest_oidc_provider.cc
index c8ad9da9dc7e4046ad37fa7fc068fa14fd727b74..70191879ad1fac404e11205f4735d86a927651c0 100644 (file)
--- a/src/rgw/rgw_rest_oidc_provider.cc
+++ b/src/rgw/rgw_rest_oidc_provider.cc
@@ -120,8 +120,8 @@ int RGWCreateOIDCProvider::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    info.tenant = *id;
+  if (const auto& acc = s->auth.identity->get_account(); acc) {
+    info.tenant = acc->id;
   } else {
     info.tenant = s->user->get_tenant();
   }
@@ -217,8 +217,8 @@ RGWDeleteOIDCProvider::RGWDeleteOIDCProvider()
 int RGWDeleteOIDCProvider::init_processing(optional_yield y)
 {
   std::string_view account;
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account = *id;
+  if (const auto& acc = s->auth.identity->get_account(); acc) {
+    account = acc->id;
   } else {
     account = s->user->get_tenant();
   }
@@ -252,8 +252,8 @@ RGWGetOIDCProvider::RGWGetOIDCProvider()
 int RGWGetOIDCProvider::init_processing(optional_yield y)
 {
   std::string_view account;
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account = *id;
+  if (const auto& acc = s->auth.identity->get_account(); acc) {
+    account = acc->id;
   } else {
     account = s->user->get_tenant();
   }
@@ -308,8 +308,8 @@ RGWListOIDCProviders::RGWListOIDCProviders()
 void RGWListOIDCProviders::execute(optional_yield y)
 {
   std::string_view account;
-  if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) {
-    account = *id;
+  if (const auto& acc = s->auth.identity->get_account(); acc) {
+    account = acc->id;
   } else {
     account = s->user->get_tenant();
   }

diff --git a/src/rgw/rgw_rest_role.cc b/src/rgw/rgw_rest_role.cc
index 1b8e83b20e2c76ba7e7a7e17b2c903c0298dd407..2d6a96cfe62aa29342d0d81b85073dd551a080ed 100644 (file)
--- a/src/rgw/rgw_rest_role.cc
+++ b/src/rgw/rgw_rest_role.cc
@@ -108,18 +108,11 @@ static rgw::ARN make_role_arn(const std::string& path,
 }
 
 static int load_role(const DoutPrefixProvider* dpp, optional_yield y,
-                     rgw::sal::Driver* driver, const rgw_owner& owner,
-                     rgw_account_id& account_id, const std::string& tenant,
-                     const std::string& name,
+                     rgw::sal::Driver* driver, const rgw_account_id& account_id,
+                     const std::string& tenant, const std::string& name,
                      std::unique_ptr<rgw::sal::RGWRole>& role,
                      rgw::ARN& resource, std::string& message)
 {
-  auto arn_account = std::ref(tenant);
-  if (const auto* id = std::get_if<rgw_account_id>(&owner); id) {
-    account_id = *id;
-    arn_account = std::ref(account_id);
-  }
-
   role = driver->get_role(name, tenant, account_id);
   const int r = role->get(dpp, y);
   if (r == -ENOENT) {
@@ -128,6 +121,7 @@ static int load_role(const DoutPrefixProvider* dpp, optional_yield y,
   }
   if (r >= 0) {
     // construct the ARN once we know the path
+    const auto& arn_account = !account_id.empty() ? account_id : tenant;
     resource = make_role_arn(role->get_path(),
                              role->get_name(),
                              arn_account);
@@ -345,9 +339,11 @@ int RGWDeleteRole::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->owner.id, account_id,
-                   s->user->get_tenant(), role_name, role, resource,
-                   s->err.message);
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
+  }
+  return load_role(this, y, driver, account_id, s->user->get_tenant(),
+                   role_name, role, resource, s->err.message);
 }
 
 void RGWDeleteRole::execute(optional_yield y)
@@ -412,9 +408,11 @@ int RGWGetRole::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->owner.id, account_id,
-                   s->user->get_tenant(), role_name, role, resource,
-                   s->err.message);
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
+  }
+  return load_role(this, y, driver, account_id, s->user->get_tenant(),
+                   role_name, role, resource, s->err.message);
 }
 
 void RGWGetRole::execute(optional_yield y)
@@ -450,9 +448,11 @@ int RGWModifyRoleTrustPolicy::init_processing(optional_yield y)
     return -ERR_MALFORMED_DOC;
   }
 
-  return load_role(this, y, driver, s->owner.id, account_id,
-                   s->user->get_tenant(), role_name, role, resource,
-                   s->err.message);
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
+  }
+  return load_role(this, y, driver, account_id, s->user->get_tenant(),
+                   role_name, role, resource, s->err.message);
 }
 
 void RGWModifyRoleTrustPolicy::execute(optional_yield y)
@@ -565,9 +565,11 @@ int RGWPutRolePolicy::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  int r = load_role(this, y, driver, s->owner.id, account_id,
-                    s->user->get_tenant(), role_name, role, resource,
-                    s->err.message);
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
+  }
+  int r = load_role(this, y, driver, account_id, s->user->get_tenant(),
+                    role_name, role, resource, s->err.message);
   if (r < 0) {
     return r;
   }
@@ -642,9 +644,11 @@ int RGWGetRolePolicy::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->owner.id, account_id,
-                   s->user->get_tenant(), role_name, role, resource,
-                   s->err.message);
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
+  }
+  return load_role(this, y, driver, account_id, s->user->get_tenant(),
+                   role_name, role, resource, s->err.message);
 }
 
 void RGWGetRolePolicy::execute(optional_yield y)
@@ -676,9 +680,11 @@ int RGWListRolePolicies::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->owner.id, account_id,
-                   s->user->get_tenant(), role_name, role, resource,
-                   s->err.message);
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
+  }
+  return load_role(this, y, driver, account_id, s->user->get_tenant(),
+                   role_name, role, resource, s->err.message);
 }
 
 void RGWListRolePolicies::execute(optional_yield y)
@@ -711,9 +717,11 @@ int RGWDeleteRolePolicy::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->owner.id, account_id,
-                   s->user->get_tenant(), role_name, role, resource,
-                   s->err.message);
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
+  }
+  return load_role(this, y, driver, account_id, s->user->get_tenant(),
+                   role_name, role, resource, s->err.message);
 }
 
 void RGWDeleteRolePolicy::execute(optional_yield y)
@@ -778,9 +786,11 @@ int RGWTagRole::init_processing(optional_yield y)
     return r;
   }
 
-  return load_role(this, y, driver, s->owner.id, account_id,
-                   s->user->get_tenant(), role_name, role, resource,
-                   s->err.message);
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
+  }
+  return load_role(this, y, driver, account_id, s->user->get_tenant(),
+                   role_name, role, resource, s->err.message);
 }
 
 void RGWTagRole::execute(optional_yield y)
@@ -838,9 +848,11 @@ int RGWListRoleTags::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->owner.id, account_id,
-                   s->user->get_tenant(), role_name, role, resource,
-                   s->err.message);
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
+  }
+  return load_role(this, y, driver, account_id, s->user->get_tenant(),
+                   role_name, role, resource, s->err.message);
 }
 
 void RGWListRoleTags::execute(optional_yield y)
@@ -884,9 +896,11 @@ int RGWUntagRole::init_processing(optional_yield y)
         });
   }
 
-  return load_role(this, y, driver, s->owner.id, account_id,
-                   s->user->get_tenant(), role_name, role, resource,
-                   s->err.message);
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
+  }
+  return load_role(this, y, driver, account_id, s->user->get_tenant(),
+                   role_name, role, resource, s->err.message);
 }
 
 void RGWUntagRole::execute(optional_yield y)
@@ -947,9 +961,11 @@ int RGWUpdateRole::init_processing(optional_yield y)
 
   max_session_duration = s->info.args.get("MaxSessionDuration");
 
-  return load_role(this, y, driver, s->owner.id, account_id,
-                   s->user->get_tenant(), role_name, role, resource,
-                   s->err.message);
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
+  }
+  return load_role(this, y, driver, account_id, s->user->get_tenant(),
+                   role_name, role, resource, s->err.message);
 }
 
 void RGWUpdateRole::execute(optional_yield y)
@@ -1037,7 +1053,7 @@ int RGWAttachRolePolicy_IAM::init_processing(optional_yield y)
 {
   // managed policy is only supported for account users. adding them to
   // non-account users would give blanket permissions to all buckets
-  if (!std::holds_alternative<rgw_account_id>(s->owner.id)) {
+  if (!s->auth.identity->get_account()) {
     s->err.message = "Managed policies are only supported for account users";
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -1052,9 +1068,11 @@ int RGWAttachRolePolicy_IAM::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->owner.id, account_id,
-                   s->user->get_tenant(), role_name, role, resource,
-                   s->err.message);
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
+  }
+  return load_role(this, y, driver, account_id, s->user->get_tenant(),
+                   role_name, role, resource, s->err.message);
 }
 
 void RGWAttachRolePolicy_IAM::execute(optional_yield y)
@@ -1134,7 +1152,7 @@ int RGWDetachRolePolicy_IAM::init_processing(optional_yield y)
 {
   // managed policy is only supported for account users. adding them to
   // non-account users would give blanket permissions to all buckets
-  if (!std::holds_alternative<rgw_account_id>(s->owner.id)) {
+  if (!s->auth.identity->get_account()) {
     s->err.message = "Managed policies are only supported for account users";
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -1149,9 +1167,11 @@ int RGWDetachRolePolicy_IAM::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->owner.id, account_id,
-                   s->user->get_tenant(), role_name, role, resource,
-                   s->err.message);
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
+  }
+  return load_role(this, y, driver, account_id, s->user->get_tenant(),
+                   role_name, role, resource, s->err.message);
 }
 
 void RGWDetachRolePolicy_IAM::execute(optional_yield y)
@@ -1220,7 +1240,7 @@ int RGWListAttachedRolePolicies_IAM::init_processing(optional_yield y)
 {
   // managed policy is only supported for account roles. adding them to
   // non-account roles would give blanket permissions to all buckets
-  if (!std::holds_alternative<rgw_account_id>(s->owner.id)) {
+  if (!s->auth.identity->get_account()) {
     s->err.message = "Managed policies are only supported for account roles";
     return -ERR_METHOD_NOT_ALLOWED;
   }
@@ -1230,9 +1250,11 @@ int RGWListAttachedRolePolicies_IAM::init_processing(optional_yield y)
     return -EINVAL;
   }
 
-  return load_role(this, y, driver, s->owner.id, account_id,
-                   s->user->get_tenant(), role_name, role, resource,
-                   s->err.message);
+  if (const auto& account = s->auth.identity->get_account(); account) {
+    account_id = account->id;
+  }
+  return load_role(this, y, driver, account_id, s->user->get_tenant(),
+                   role_name, role, resource, s->err.message);
 }
 
 void RGWListAttachedRolePolicies_IAM::execute(optional_yield y)

diff --git a/src/rgw/rgw_rest_user_policy.cc b/src/rgw/rgw_rest_user_policy.cc
index 0081bd828b90fe523ca15c551f32f013457b0a75..3832b9a49937085f1483bf470ccc70180565cc00 100644 (file)
--- a/src/rgw/rgw_rest_user_policy.cc
+++ b/src/rgw/rgw_rest_user_policy.cc
@@ -525,7 +525,7 @@ int RGWRestAttachedUserPolicy::init_processing(optional_yield y)
 {
   // managed policy is only supported for account users. adding them to
   // non-account roles would give blanket permissions to all buckets
-  if (!std::holds_alternative<rgw_account_id>(s->owner.id)) {
+  if (!s->auth.identity->get_account()) {
     s->err.message = "Managed policies are only supported for account users";
     return -ERR_METHOD_NOT_ALLOWED;
   }

diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
index d0a18c221e334a68368c158d9e9d646bcd7277c8..3160cf6887ad29521dbd28f8beefaa467a10ddbf 100644 (file)
--- a/src/test/rgw/test_rgw_iam_policy.cc
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -187,6 +187,12 @@ public:
     return empty;
   }
 
+  const std::optional<RGWAccountInfo>& get_account() const override {
+    ceph_abort();
+    static std::optional<RGWAccountInfo> empty;
+    return empty;
+  }
+
   void to_str(std::ostream& out) const override {
     out << id;
   }

diff --git a/src/test/rgw/test_rgw_lua.cc b/src/test/rgw/test_rgw_lua.cc
index 68f2e6ab0666d9048e02c2ef515c3fea9b9cab17..b2e11e442a28f924a227eaf824fe42a5b1fe68a7 100644 (file)
--- a/src/test/rgw/test_rgw_lua.cc
+++ b/src/test/rgw/test_rgw_lua.cc
@@ -70,6 +70,11 @@ public:
     return empty;
   }
 
+  const std::optional<RGWAccountInfo>& get_account() const override {
+    static const std::optional<RGWAccountInfo> empty;
+    return empty;
+  }
+
   void to_str(std::ostream& out) const override {
     return;
   }