return ! cct->_conf->rgw_keystone_url.empty();
}
-KeystoneToken RGWKeystoneAuthEngine::decode_pki_token(const std::string& token) const
+rgw::keystone::TokenEnvelope
+RGWKeystoneAuthEngine::decode_pki_token(const std::string& token) const
{
bufferlist token_body_bl;
int ret = rgw_decode_b64_cms(cct, token, token_body_bl);
ldout(cct, 20) << "successfully decoded pki token" << dendl;
}
- KeystoneToken token_body;
+ rgw::keystone::TokenEnvelope token_body;
ret = token_body.parse(cct, token, token_body_bl);
if (ret < 0) {
throw ret;
return token_body;
}
-KeystoneToken RGWKeystoneAuthEngine::get_from_keystone(const std::string& token) const
+rgw::keystone::TokenEnvelope
+RGWKeystoneAuthEngine::get_from_keystone(const std::string& token) const
{
- using RGWValidateKeystoneToken = KeystoneService::RGWValidateKeystoneToken;
+ using RGWValidateKeystoneToken
+ = rgw::keystone::Service::RGWValidateKeystoneToken;
bufferlist token_body_bl;
RGWValidateKeystoneToken validate(cct, &token_body_bl);
std::string url;
- if (KeystoneService::get_keystone_url(cct, url) < 0) {
+ if (rgw::keystone::Service::get_keystone_url(cct, url) < 0) {
throw -EINVAL;
}
- const auto keystone_version = KeystoneService::get_api_version();
- if (keystone_version == KeystoneApiVersion::VER_2) {
+ const auto keystone_version = rgw::keystone::Service::get_api_version();
+ if (keystone_version == rgw::keystone::ApiVersion::VER_2) {
url.append("v2.0/tokens/" + token);
- } else if (keystone_version == KeystoneApiVersion::VER_3) {
+ } else if (keystone_version == rgw::keystone::ApiVersion::VER_3) {
url.append("v3/auth/tokens");
validate.append_header("X-Subject-Token", token);
}
std::string admin_token;
- if (KeystoneService::get_keystone_admin_token(cct, admin_token) < 0) {
+ if (rgw::keystone::Service::get_keystone_admin_token(cct, admin_token) < 0) {
throw -EINVAL;
}
throw -EACCES;
}
- KeystoneToken token_body;
+ rgw::keystone::TokenEnvelope token_body;
ret = token_body.parse(cct, token, token_body_bl);
if (ret < 0) {
throw ret;
}
RGWRemoteAuthApplier::AuthInfo
-RGWKeystoneAuthEngine::get_creds_info(const KeystoneToken& token,
+RGWKeystoneAuthEngine::get_creds_info(const rgw::keystone::TokenEnvelope& token,
const std::vector<std::string>& admin_roles
) const noexcept
{
}
RGWKeystoneAuthEngine::acl_strategy_t
-RGWKeystoneAuthEngine::get_acl_strategy(const KeystoneToken& token) const
+RGWKeystoneAuthEngine::get_acl_strategy(const rgw::keystone::TokenEnvelope& token) const
{
/* The primary identity is constructed upon UUIDs. */
const auto& tenant_uuid = token.get_project_id();
RGWAuthApplier::aplptr_t RGWKeystoneAuthEngine::authenticate() const
{
- KeystoneToken t;
+ rgw::keystone::TokenEnvelope t;
/* This will be initialized on the first call to this method. In C++11 it's
* also thread-safe. */
ldout(cct, 20) << "token_id=" << token_id << dendl;
/* Check cache first. */
- if (RGWKeystoneTokenCache::get_instance().find(token_id, t)) {
+ if (rgw::keystone::TokenCache::get_instance().find(token_id, t)) {
ldout(cct, 20) << "cached token.project.id=" << t.get_project_id()
<< dendl;
return apl_factory->create_apl_remote(cct,
ldout(cct, 0) << "validated token: " << t.get_project_name()
<< ":" << t.get_user_name()
<< " expires: " << t.get_expires() << dendl;
- RGWKeystoneTokenCache::get_instance().add(token_id, t);
+ rgw::keystone::TokenCache::get_instance().add(token_id, t);
return apl_factory->create_apl_remote(cct,
get_acl_strategy(t),
get_creds_info(t, roles.admin));
class RGWKeystoneAuthEngine : public RGWTokenBasedAuthEngine {
protected:
using acl_strategy_t = RGWRemoteAuthApplier::acl_strategy_t;
+ using token_envelope_t = rgw::keystone::TokenEnvelope;
+
const RGWRemoteAuthApplier::Factory * const apl_factory;
/* Helper methods. */
- KeystoneToken decode_pki_token(const std::string& token) const;
- KeystoneToken get_from_keystone(const std::string& token) const;
- acl_strategy_t get_acl_strategy(const KeystoneToken& token) const;
- RGWRemoteAuthApplier::AuthInfo get_creds_info(const KeystoneToken& token,
+ token_envelope_t decode_pki_token(const std::string& token) const;
+ token_envelope_t get_from_keystone(const std::string& token) const;
+ acl_strategy_t get_acl_strategy(const token_envelope_t& token) const;
+ RGWRemoteAuthApplier::AuthInfo get_creds_info(const token_envelope_t& token,
const std::vector<std::string>& admin_roles
) const noexcept;
public:
JSONDecoder::decode_json("epoch", epoch, obj);
}
-void KeystoneToken::Token::decode_json(JSONObj *obj)
+void rgw::keystone::TokenEnvelope::Token::decode_json(JSONObj *obj)
{
string expires_iso8601;
struct tm t;
}
}
-void KeystoneToken::Role::decode_json(JSONObj *obj)
+void rgw::keystone::TokenEnvelope::Role::decode_json(JSONObj *obj)
{
JSONDecoder::decode_json("id", id, obj);
JSONDecoder::decode_json("name", name, obj, true);
}
-void KeystoneToken::Domain::decode_json(JSONObj *obj)
+void rgw::keystone::TokenEnvelope::Domain::decode_json(JSONObj *obj)
{
JSONDecoder::decode_json("id", id, obj, true);
JSONDecoder::decode_json("name", name, obj, true);
}
-void KeystoneToken::Project::decode_json(JSONObj *obj)
+void rgw::keystone::TokenEnvelope::Project::decode_json(JSONObj *obj)
{
JSONDecoder::decode_json("id", id, obj, true);
JSONDecoder::decode_json("name", name, obj, true);
JSONDecoder::decode_json("domain", domain, obj);
}
-void KeystoneToken::User::decode_json(JSONObj *obj)
+void rgw::keystone::TokenEnvelope::User::decode_json(JSONObj *obj)
{
JSONDecoder::decode_json("id", id, obj, true);
JSONDecoder::decode_json("name", name, obj, true);
JSONDecoder::decode_json("roles", roles_v2, obj);
}
-void KeystoneToken::decode_json(JSONObj *root_obj)
+void rgw::keystone::TokenEnvelope::decode_json(JSONObj *root_obj)
{
JSONDecoder::decode_json("user", user, root_obj, true);
- const auto version = KeystoneService::get_api_version();
+ const auto version = rgw::keystone::Service::get_api_version();
- if (version == KeystoneApiVersion::VER_3) {
+ if (version == rgw::keystone::ApiVersion::VER_3) {
string expires_iso8601;
if (JSONDecoder::decode_json("expires_at", expires_iso8601, root_obj)) {
/* VER_3 */
roles = user.roles_v2;
project = token.tenant_v2;
}
- } else if (version == KeystoneApiVersion::VER_2) {
+ } else if (version == rgw::keystone::ApiVersion::VER_2) {
if (JSONDecoder::decode_json("token", token, root_obj)) {
/* VER_2 */
roles = user.roles_v2;
encode_json("message", message, f);
}
-void KeystoneAdminTokenRequestVer2::dump(Formatter * const f) const
+void rgw::keystone::AdminTokenRequestVer2::dump(Formatter* const f) const
{
f->open_object_section("token_request");
f->open_object_section("auth");
f->close_section();
}
-void KeystoneAdminTokenRequestVer3::dump(Formatter * const f) const
+void rgw::keystone::AdminTokenRequestVer3::dump(Formatter* const f) const
{
f->open_object_section("token_request");
f->open_object_section("auth");
}
-KeystoneApiVersion KeystoneService::get_api_version()
+namespace rgw {
+namespace keystone {
+
+ApiVersion Service::get_api_version()
{
const int keystone_version = g_ceph_context->_conf->rgw_keystone_api_version;
if (keystone_version == 3) {
- return KeystoneApiVersion::VER_3;
+ return ApiVersion::VER_3;
} else if (keystone_version == 2) {
- return KeystoneApiVersion::VER_2;
+ return ApiVersion::VER_2;
} else {
dout(0) << "ERROR: wrong Keystone API version: " << keystone_version
<< "; falling back to v2" << dendl;
- return KeystoneApiVersion::VER_2;
+ return ApiVersion::VER_2;
}
}
-int KeystoneService::get_keystone_url(CephContext * const cct,
+int Service::get_keystone_url(CephContext* const cct,
std::string& url)
{
url = cct->_conf->rgw_keystone_url;
return 0;
}
-int KeystoneService::get_keystone_admin_token(CephContext * const cct,
- std::string& token)
+int Service::get_keystone_admin_token(CephContext* const cct,
+ std::string& token)
{
std::string token_url;
return 0;
}
- KeystoneToken t;
+ TokenEnvelope t;
/* Try cache first. */
- if (RGWKeystoneTokenCache::get_instance().find_admin(t)) {
+ if (TokenCache::get_instance<rgw::keystone::LegacyConfig>().find_admin(t)) {
ldout(cct, 20) << "found cached admin token" << dendl;
token = t.token.id;
return 0;
token_req.append_header("Content-Type", "application/json");
JSONFormatter jf;
- const auto keystone_version = KeystoneService::get_api_version();
- if (keystone_version == KeystoneApiVersion::VER_2) {
- KeystoneAdminTokenRequestVer2 req_serializer(cct);
+ const auto keystone_version = Service::get_api_version();
+ if (keystone_version == ApiVersion::VER_2) {
+ AdminTokenRequestVer2 req_serializer(cct);
req_serializer.dump(&jf);
std::stringstream ss;
token_req.set_send_length(ss.str().length());
token_url.append("v2.0/tokens");
- } else if (keystone_version == KeystoneApiVersion::VER_3) {
- KeystoneAdminTokenRequestVer3 req_serializer(cct);
+ } else if (keystone_version == ApiVersion::VER_3) {
+ AdminTokenRequestVer3 req_serializer(cct);
req_serializer.dump(&jf);
std::stringstream ss;
return -EINVAL;
}
- RGWKeystoneTokenCache::get_instance().add_admin(t);
+ TokenCache::get_instance().add_admin(t);
token = t.token.id;
return 0;
}
-bool KeystoneToken::has_role(const string& r) const
+
+bool TokenEnvelope::has_role(const std::string& r) const
{
list<Role>::const_iterator iter;
for (iter = roles.cbegin(); iter != roles.cend(); ++iter) {
return false;
}
-int KeystoneToken::parse(CephContext * const cct,
- const string& token_str,
- bufferlist& bl)
+int TokenEnvelope::parse(CephContext* const cct,
+ const std::string& token_str,
+ ceph::bufferlist& bl)
{
JSONParser parser;
if (!parser.parse(bl.c_str(), bl.length())) {
}
try {
- const auto version = KeystoneService::get_api_version();
+ const auto version = rgw::keystone::Service::get_api_version();
- if (version == KeystoneApiVersion::VER_2) {
+ if (version == rgw::keystone::ApiVersion::VER_2) {
if (!JSONDecoder::decode_json("access", *this, &parser)) {
- /* Token structure doesn't follow Identity API v2, so the token
+ /* TokenEnvelope structure doesn't follow Identity API v2, so the token
* must be in v3. Otherwise we can assume it's wrongly formatted. */
JSONDecoder::decode_json("token", *this, &parser, true);
token.id = token_str;
}
- } else if (version == KeystoneApiVersion::VER_3) {
+ } else if (version == rgw::keystone::ApiVersion::VER_3) {
if (!JSONDecoder::decode_json("token", *this, &parser)) {
/* If the token cannot be parsed according to V3, try V2. */
JSONDecoder::decode_json("access", *this, &parser, true);
return 0;
}
-RGWKeystoneTokenCache& RGWKeystoneTokenCache::get_instance()
+TokenCache& TokenCache::get_instance()
{
/* In C++11 this is thread safe. */
- static RGWKeystoneTokenCache instance;
+ static TokenCache instance;
return instance;
}
-bool RGWKeystoneTokenCache::find(const string& token_id, KeystoneToken& token)
+
+bool TokenCache::find(const std::string& token_id,
+ rgw::keystone::TokenEnvelope& token)
{
Mutex::Locker l(lock);
return find_locked(token_id, token);
}
-bool RGWKeystoneTokenCache::find_locked(const string& token_id, KeystoneToken& token)
+bool TokenCache::find_locked(const std::string& token_id,
+ rgw::keystone::TokenEnvelope& token)
{
assert(lock.is_locked_by_me());
map<string, token_entry>::iterator iter = tokens.find(token_id);
return true;
}
-bool RGWKeystoneTokenCache::find_admin(KeystoneToken& token)
+bool TokenCache::find_admin(rgw::keystone::TokenEnvelope& token)
{
Mutex::Locker l(lock);
return find_locked(admin_token_id, token);
}
-void RGWKeystoneTokenCache::add(const string& token_id,
- const KeystoneToken& token)
+void TokenCache::add(const std::string& token_id,
+ const rgw::keystone::TokenEnvelope& token)
{
Mutex::Locker l(lock);
add_locked(token_id, token);
}
-void RGWKeystoneTokenCache::add_locked(const string& token_id,
- const KeystoneToken& token)
+void TokenCache::add_locked(const std::string& token_id,
+ const rgw::keystone::TokenEnvelope& token)
{
assert(lock.is_locked_by_me());
map<string, token_entry>::iterator iter = tokens.find(token_id);
}
}
-void RGWKeystoneTokenCache::add_admin(const KeystoneToken& token)
+void TokenCache::add_admin(const rgw::keystone::TokenEnvelope& token)
{
Mutex::Locker l(lock);
add_locked(admin_token_id, token);
}
-void RGWKeystoneTokenCache::invalidate(const string& token_id)
+void TokenCache::invalidate(const std::string& token_id)
{
Mutex::Locker l(lock);
map<string, token_entry>::iterator iter = tokens.find(token_id);
tokens.erase(iter);
}
-int RGWKeystoneTokenCache::RevokeThread::check_revoked()
+int TokenCache::RevokeThread::check_revoked()
{
std::string url;
std::string token;
bufferlist bl;
RGWGetRevokedTokens req(cct, &bl);
- if (KeystoneService::get_keystone_admin_token(cct, token) < 0) {
+ if (rgw::keystone::Service::get_keystone_admin_token(cct, token) < 0) {
return -EINVAL;
}
- if (KeystoneService::get_keystone_url(cct, url) < 0) {
+ if (rgw::keystone::Service::get_keystone_url(cct, url) < 0) {
return -EINVAL;
}
req.append_header("X-Auth-Token", token);
- const auto keystone_version = KeystoneService::get_api_version();
- if (keystone_version == KeystoneApiVersion::VER_2) {
+ const auto keystone_version = rgw::keystone::Service::get_api_version();
+ if (keystone_version == rgw::keystone::ApiVersion::VER_2) {
url.append("v2.0/tokens/revoked");
- } else if (keystone_version == KeystoneApiVersion::VER_3) {
+ } else if (keystone_version == rgw::keystone::ApiVersion::VER_3) {
url.append("v3/auth/tokens/OS-PKI/revoked");
}
return 0;
}
-bool RGWKeystoneTokenCache::going_down() const
+bool TokenCache::going_down() const
{
return (down_flag.read() != 0);
}
-void * RGWKeystoneTokenCache::RevokeThread::entry()
+void* TokenCache::RevokeThread::entry()
{
do {
ldout(cct, 2) << "keystone revoke thread: start" << dendl;
return nullptr;
}
-void RGWKeystoneTokenCache::RevokeThread::stop()
+void TokenCache::RevokeThread::stop()
{
Mutex::Locker l(lock);
cond.Signal();
}
+
+}; /* namespace keystone */
+}; /* namespace rgw */
const string& token,
bufferlist& bl);
-enum class KeystoneApiVersion {
+namespace rgw {
+namespace keystone {
+
+enum class ApiVersion {
VER_2,
VER_3
};
-class KeystoneService {
+class Service {
public:
class RGWKeystoneHTTPTransceiver : public RGWHTTPTransceiver {
public:
typedef RGWKeystoneHTTPTransceiver RGWGetKeystoneAdminToken;
typedef RGWKeystoneHTTPTransceiver RGWGetRevokedTokens;
- static KeystoneApiVersion get_api_version();
+ static ApiVersion get_api_version();
static int get_keystone_url(CephContext * const cct,
std::string& url);
std::string& token);
};
-class KeystoneToken {
+
+class TokenEnvelope {
public:
class Domain {
public:
public:
// FIXME: default ctor needs to be eradicated here
- KeystoneToken() = default;
+ TokenEnvelope() = default;
time_t get_expires() const { return token.expires; }
const std::string& get_domain_id() const {return project.domain.id;};
const std::string& get_domain_name() const {return project.domain.name;};
};
-class RGWKeystoneTokenCache {
+class TokenCache {
struct token_entry {
- KeystoneToken token;
+ TokenEnvelope token;
list<string>::iterator lru_iter;
};
+ const rgw::keystone::Config& config;
atomic_t down_flag;
class RevokeThread : public Thread {
- friend class RGWKeystoneTokenCache;
+ friend class TokenCache;
typedef RGWPostHTTPData RGWGetRevokedTokens;
CephContext * const cct;
- RGWKeystoneTokenCache * const cache;
+ TokenCache* const cache;
Mutex lock;
Cond cond;
- RevokeThread(CephContext * const cct, RGWKeystoneTokenCache * cache)
+ RevokeThread(CephContext* const cct,
+ TokenCache* const cache)
: cct(cct),
cache(cache),
- lock("RGWKeystoneTokenCache::RevokeThread") {
+ lock("rgw::keystone::TokenCache::RevokeThread") {
}
void *entry() override;
void stop();
const size_t max;
- RGWKeystoneTokenCache()
+ TokenCache()
: revocator(g_ceph_context, this),
cct(g_ceph_context),
- lock("RGWKeystoneTokenCache"),
+ lock("rgw::keystone::TokenCache"),
max(cct->_conf->rgw_keystone_token_cache_size) {
/* The thread name has been kept for backward compliance. */
revocator.create("rgw_swift_k_rev");
}
- ~RGWKeystoneTokenCache() {
+
+ ~TokenCache() {
down_flag.set(1);
revocator.stop();
}
public:
- RGWKeystoneTokenCache(const RGWKeystoneTokenCache&) = delete;
- void operator=(const RGWKeystoneTokenCache&) = delete;
+ TokenCache(const TokenCache&) = delete;
+ void operator=(const TokenCache&) = delete;
- static RGWKeystoneTokenCache& get_instance();
+ static TokenCache& get_instance();
- bool find(const string& token_id, KeystoneToken& token);
- bool find_admin(KeystoneToken& token);
- void add(const string& token_id, const KeystoneToken& token);
- void add_admin(const KeystoneToken& token);
- void invalidate(const string& token_id);
+ /* In C++11 this is thread safe. */
+ static TokenCache instance(ConfigT::get_instance());
+ return instance;
+ }
+
+ bool find(const std::string& token_id, TokenEnvelope& token);
+ bool find_admin(TokenEnvelope& token);
+ void add(const std::string& token_id, const TokenEnvelope& token);
+ void add_admin(const TokenEnvelope& token);
+ void invalidate(const std::string& token_id);
bool going_down() const;
private:
- void add_locked(const string& token_id, const KeystoneToken& token);
- bool find_locked(const string& token_id, KeystoneToken& token);
+ void add_locked(const std::string& token_id, const TokenEnvelope& token);
+ bool find_locked(const std::string& token_id, TokenEnvelope& token);
};
-class KeystoneAdminTokenRequest {
+class AdminTokenRequest {
public:
- virtual ~KeystoneAdminTokenRequest() = default;
- virtual void dump(Formatter *f) const = 0;
+ virtual ~AdminTokenRequest() = default;
+ virtual void dump(Formatter* f) const = 0;
};
-class KeystoneAdminTokenRequestVer2 : public KeystoneAdminTokenRequest {
- CephContext *cct;
+class AdminTokenRequestVer2 : public AdminTokenRequest {
+ CephContext* cct;
public:
- KeystoneAdminTokenRequestVer2(CephContext * const _cct)
- : cct(_cct) {
+ AdminTokenRequestVer2(CephContext* const cct)
+ : cct(cct) {
}
void dump(Formatter *f) const override;
};
-class KeystoneAdminTokenRequestVer3 : public KeystoneAdminTokenRequest {
- CephContext *cct;
+class AdminTokenRequestVer3 : public AdminTokenRequest {
+ CephContext* cct;
public:
- KeystoneAdminTokenRequestVer3(CephContext * const _cct)
- : cct(_cct) {
+ AdminTokenRequestVer3(CephContext* const cct)
+ : cct(cct) {
}
void dump(Formatter *f) const override;
};
+}; /* namespace keystone */
+}; /* namespace rgw */
+
#endif
keystone_url.append("/");
}
- if (KeystoneService::get_api_version() == KeystoneApiVersion::VER_3) {
+ if (rgw::keystone::Service::get_api_version() == rgw::keystone::ApiVersion::VER_3) {
keystone_url.append("v3/s3tokens");
} else {
keystone_url.append("v2.0/s3tokens");
/* get authentication token for Keystone. */
string admin_token_id;
- int r = KeystoneService::get_keystone_admin_token(cct, admin_token_id);
+ int r = rgw::keystone::Service::get_keystone_admin_token(cct, admin_token_id);
if (r < 0) {
ldout(cct, 2) << "s3 keystone: cannot get token for keystone access" << dendl;
return r;
vector<string> accepted_roles;
public:
- KeystoneToken response;
+ rgw::keystone::TokenEnvelope response;
private:
void set_tx_buffer(const string& d) {
projects / ceph.git / commitdiff