RGW: When using Keystone auth for RGW, include the Keystone user in ops log
authorAli Masarwa <ali.saed.masarwa@gmail.com>
Thu, 24 Aug 2023 15:40:22 +0000 (18:40 +0300)
committerThomas Serlin <tserlin@redhat.com>
Mon, 22 Sep 2025 19:18:18 +0000 (15:18 -0400)
Resolves: rhbz#1769182

Signed-off-by: Ali Masarwa <ali.saed.masarwa@gmail.com>
Signed-off-by: Ali Masarwa <amasarwa@redhat.com>
(cherry picked from commit 47166556c5bbcf1f26621bf24cf04221b65af366)

qa/workunits/rgw/keystone-service-token.sh
src/rgw/rgw_auth.cc
src/rgw/rgw_auth.h
src/rgw/rgw_auth_keystone.cc
src/rgw/rgw_rest_s3.cc

index fc39731ca951cacb50d85a3e83fa51e771bb3e93..df8bfdc8c0e14ac90d3a20ff9c2843559e86e7c0 100755 (executable)
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU Library Public License for more details.
+#
+<<comment Running this script with vstart should be should have these options
+MON=1 OSD=1 MDS=0 MGR=0 RGW=1 ../src/vstart.sh -n -d -o 'rgw_keystone_accepted_admin_roles="admin"
+       rgw_keystone_accepted_roles="admin,Member"
+       rgw_keystone_admin_domain="Default"
+       rgw_keystone_admin_password="ADMIN"
+       rgw_keystone_admin_project="admin"
+       rgw_keystone_admin_user="admin"
+       rgw_keystone_api_version=3
+       rgw_keystone_expired_token_cache_expiration=10
+       rgw_keystone_implicit_tenants=true
+       rgw_keystone_service_token_accepted_roles="admin"
+       rgw_keystone_service_token_enabled=true
+       rgw_keystone_url="http://localhost:5000"
+       rgw_swift_account_in_url=true
+       rgw_swift_enforce_content_length=true
+       rgw_swift_versioning_enabled=true'
+comment
 
 source $CEPH_ROOT/qa/standalone/ceph-helpers.sh
 
index 2f6bc5d2763aa678f17bdac878d0af7691373b00..a2f792ac008a144bfd05beec3c5c794a8cfea0a7 100644 (file)
@@ -787,6 +787,7 @@ bool rgw::auth::WebIdentityApplier::is_identity(const Principal& p) const
 
 const std::string rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER;
 const std::string rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY;
+const std::string rgw::auth::RemoteApplier::AuthInfo::NO_KEYSTONE_USER;
 
 /* rgw::auth::RemoteAuthApplier */
 ACLOwner rgw::auth::RemoteApplier::get_aclowner() const
@@ -959,6 +960,7 @@ void rgw::auth::RemoteApplier::write_ops_log_entry(rgw_log_entry& entry) const
   if (account) {
     entry.account_id = account->id;
   }
+  entry.user = info.keystone_user;
 }
 
 /* TODO(rzarzynski): we need to handle display_name changes. */
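Review bot: `entry.user = info.keystone_user;` assigns unconditionally, so for the LDAP and STS engines — which this commit wires up with the empty `NO_KEYSTONE_USER` sentinel — the ops-log `user` field is set to an empty string; if the caller of write_ops_log_entry has already populated `entry.user` (presumably from the resolved rgw user; not visible in this hunk, confirm in rgw_log.cc), that value is clobbered for every non-Keystone remote identity. Guard the assignment: `if (!info.keystone_user.empty()) entry.user = info.keystone_user;`. This matters for audit: the ops log is what an incident responder uses to tie a request to a principal, and a blank user on LDAP/STS requests would degrade it silently. write_ops_log_entry's body starts outside the hunk.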
index 1951040a323d38626a4bd829da23ec6b03fb9540..0630f36d929e24f6b3a730d2b027a06bf7d63591 100644 (file)
@@ -597,6 +597,7 @@ public:
     const uint32_t acct_type;
     const std::string access_key_id;
     const std::string subuser;
+    const std::string keystone_user;
 
   public:
     enum class acct_privilege_t {
@@ -606,6 +607,7 @@ public:
 
     static const std::string NO_SUBUSER;
     static const std::string NO_ACCESS_KEY;
+    static const std::string NO_KEYSTONE_USER;
 
     AuthInfo(const rgw_user& acct_user,
              const std::string& acct_name,
@@ -613,6 +615,7 @@ public:
              const acct_privilege_t level,
              const std::string access_key_id,
              const std::string subuser,
+             const std::string keystone_user,
              const uint32_t acct_type=TYPE_NONE)
     : acct_user(acct_user),
       acct_name(acct_name),
@@ -620,7 +623,8 @@ public:
       is_admin(acct_privilege_t::IS_ADMIN_ACCT == level),
       acct_type(acct_type),
       access_key_id(access_key_id),
-      subuser(subuser) {
+      subuser(subuser),
+      keystone_user(keystone_user) {
     }
   };
 
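Review bot: The new `keystone_user` member and constructor parameter carry no documentation, and the `NO_KEYSTONE_USER` sentinel is not explained, although the value ends up verbatim in the ops log; add above the `const std::string keystone_user;` member: `/// User name from the validated Keystone token; NO_KEYSTONE_USER (empty) for engines that are not Keystone-backed (LDAP, STS).` A second point worth a one-line comment on the constructor: the new parameter is inserted before the defaulted `acct_type`, so an out-of-tree caller that still passes an account type as the seventh positional argument will now try to construct a std::string from an integer — a compile error for a non-zero constant (the desirable outcome), but a literal 0 would instead convert to a null `const char*` and misbehave at runtime. AuthInfo's declaration starts and ends outside these hunks.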
index e74fe97bf778096ccb9b6e4e20518b12fe808d58..cd56959b295c0b17bd7afcf491d041c4886f9051 100644 (file)
@@ -164,6 +164,7 @@ TokenEngine::get_creds_info(const TokenEngine::token_envelope_t& token
     level,
     rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY,
     rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
+    token.get_user_name(),
     TYPE_KEYSTONE
 };
 }
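Review bot: `token.get_user_name()` records the bare Keystone user name, which Keystone guarantees unique only within a domain, so two distinct principals in different domains would produce identical ops-log entries; for an audit trail the stable identifier is the user id (or a domain-qualified name). The Keystone v3 token payload carries `user.id` alongside `user.name`, but whether the envelope type exposes it is not visible here — if it does, prefer `token.get_user_id()` or log both, and document in the header which one the field holds. The same consideration applies to the EC2Engine hunk below. Both get_creds_info bodies start outside their hunks.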
@@ -670,6 +671,7 @@ EC2Engine::get_creds_info(const EC2Engine::token_envelope_t& token,
     level,
     access_key_id,
     rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
+    token.get_user_name(),
     TYPE_KEYSTONE
   };
 }
index 10395bcd39810d7f6afcdb8244611ffb58b2ba6a..32631761d384bdac038ce647ef43121bb16bedc9 100644 (file)
@@ -6819,6 +6819,7 @@ rgw::auth::s3::LDAPEngine::get_creds_info(const rgw::RGWToken& token) const noex
     acct_privilege_t::IS_PLAIN_ACCT,
     rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY,
     rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
+    rgw::auth::RemoteApplier::AuthInfo::NO_KEYSTONE_USER,
     TYPE_LDAP
   };
 }
@@ -7000,6 +7001,7 @@ rgw::auth::s3::STSEngine::get_creds_info(const STS::SessionToken& token) const n
     (token.is_admin) ? acct_privilege_t::IS_ADMIN_ACCT: acct_privilege_t::IS_PLAIN_ACCT,
     token.access_key_id,
     rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
+    rgw::auth::RemoteApplier::AuthInfo::NO_KEYSTONE_USER,
     token.acct_type
   };
 }