rgw/auth: RemoteApplier respects implicit tenants

RemoteApplier::load_acct_info() and create_account() decide whether to
add the implicit tenant. store the resulting rgw_user for use in
get_aclowner() and get_tenant()

Fixes: https://tracker.ceph.com/issues/66937
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit ddbe2c06fd7e8f7253a17a0e88f5ead0d7958148)

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 57eded9eb6a8a5477e91861aa65cde45435c396f..ba34fe81c9487d3f2fe5040b66f9571d45d5c28c 100644 (file)
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -773,7 +773,7 @@ ACLOwner rgw::auth::RemoteApplier::get_aclowner() const
     owner.id = account->id;
     owner.display_name = account->name;
   } else {
-    owner.id = info.acct_user;
+    owner.id = owner_acct_user;
     owner.display_name = info.acct_name;
   }
   return owner;
@@ -848,7 +848,7 @@ bool rgw::auth::RemoteApplier::is_identity(const Principal& p) const {
 
 void rgw::auth::RemoteApplier::to_str(std::ostream& out) const
 {
-  out << "rgw::auth::RemoteApplier(acct_user=" << info.acct_user
+  out << "rgw::auth::RemoteApplier(acct_user=" << owner_acct_user
       << ", acct_name=" << info.acct_name
       << ", perm_mask=" << info.perm_mask
       << ", is_admin=" << info.is_admin << ")";
@@ -898,15 +898,15 @@ void rgw::auth::RemoteApplier::create_account(const DoutPrefixProvider* dpp,
                                               bool implicit_tenant,
                                               RGWUserInfo& user_info) const      /* out */
 {
-  rgw_user new_acct_user = acct_user;
+  owner_acct_user = acct_user;
 
   /* An upper layer may enforce creating new accounts within their own
    * tenants. */
-  if (new_acct_user.tenant.empty() && implicit_tenant) {
-    new_acct_user.tenant = new_acct_user.id;
+  if (owner_acct_user.tenant.empty() && implicit_tenant) {
+    owner_acct_user.tenant = owner_acct_user.id;
   }
 
-  std::unique_ptr<rgw::sal::User> user = driver->get_user(new_acct_user);
+  std::unique_ptr<rgw::sal::User> user = driver->get_user(owner_acct_user);
   user->get_info().display_name = info.acct_name;
   if (info.acct_type) {
     //ldap/keystone for s3 users
@@ -967,7 +967,7 @@ void rgw::auth::RemoteApplier::load_acct_info(const DoutPrefixProvider* dpp, RGW
   if (split_mode && !implicit_tenant)
        ;       /* suppress lookup for id used by "other" protocol */
   else if (acct_user.tenant.empty()) {
-    const rgw_user tenanted_uid(acct_user.id, acct_user.id);
+    rgw_user tenanted_uid(acct_user.id, acct_user.id);
     user = driver->get_user(tenanted_uid);
 
     if (user->load_user(dpp, null_yield) >= 0) {
@@ -976,6 +976,7 @@ void rgw::auth::RemoteApplier::load_acct_info(const DoutPrefixProvider* dpp, RGW
                                        user->get_attrs(), account, policies);
 
       user_info = std::move(user->get_info());
+      owner_acct_user = std::move(tenanted_uid);
       return;
     }
   }
@@ -990,6 +991,7 @@ void rgw::auth::RemoteApplier::load_acct_info(const DoutPrefixProvider* dpp, RGW
                                      user->get_attrs(), account, policies);
 
     user_info = std::move(user->get_info());
+    owner_acct_user = acct_user;
     return;
   }
 

diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index 2029bf6ce1e28522633cfaf82cd00826ebef52d4..f3edbbab845e5b49a132611710aa4bf2b3c2ce52 100644 (file)
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -621,6 +621,9 @@ protected:
   const rgw::auth::ImplicitTenants& implicit_tenant_context;
   const rgw::auth::ImplicitTenants::implicit_tenant_flag_bits implicit_tenant_bit;
 
+  // AuthInfo::acct_user updated with implicit tenant if necessary
+  mutable rgw_user owner_acct_user;
+
   // account and policies are loaded by load_acct_info()
   mutable std::optional<RGWAccountInfo> account;
   mutable std::vector<IAM::Policy> policies;
@@ -660,7 +663,7 @@ public:
   std::string get_acct_name() const override { return info.acct_name; }
   std::string get_subuser() const override { return {}; }
   const std::string& get_tenant() const override {
-    return info.acct_user.tenant;
+    return owner_acct_user.tenant;
   }
   const std::optional<RGWAccountInfo>& get_account() const override {
     return account;