rgw: clean-up error mapping in Swift's authentication strategy.

author Radoslaw Zarzynski <rzarzynski@mirantis.com>

Mon, 19 Jun 2017 08:53:06 +0000 (10:53 +0200)

committer Radoslaw Zarzynski <rzarzynski@mirantis.com>

Mon, 19 Jun 2017 08:54:45 +0000 (10:54 +0200)
author Radoslaw Zarzynski <rzarzynski@mirantis.com>
Mon, 19 Jun 2017 08:53:06 +0000 (10:53 +0200)
committer Radoslaw Zarzynski <rzarzynski@mirantis.com>
Mon, 19 Jun 2017 08:54:45 +0000 (10:54 +0200)
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc

index 2a18afb8afe48f18c65a2b1cc45ec118c6e30151..a8c0ec86ad5a04d5b200b2acabb86fe335f2230b 100644 (file)
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -523,7 +523,7 @@ rgw::auth::Engine::result_t
  rgw::auth::AnonymousEngine::authenticate(const req_state* const s) const
  {
    if (! is_applicable(s)) {
-    return result_t::deny();
+    return result_t::deny(-EPERM);
    } else {
      RGWUserInfo user_info;
      rgw_get_anon_user(user_info);
diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc

index 0b5ee41a17e4d0fffb37efa775e98fef75d9523a..5602025d42ce46675e8d4d21f50ab919967c8716 100644 (file)
--- a/src/rgw/rgw_auth_keystone.cc
+++ b/src/rgw/rgw_auth_keystone.cc
@@ -262,7 +262,7 @@ TokenEngine::authenticate(const std::string& token,
      ldout(cct, 0) << "got expired token: " << t->get_project_name()
                    << ":" << t->get_user_name()
                    << " expired: " << t->get_expires() << dendl;
-    return result_t::deny();
+    return result_t::deny(-EPERM);
    }
  
    /* Check for necessary roles. */
@@ -281,7 +281,7 @@ TokenEngine::authenticate(const std::string& token,
    ldout(cct, 0) << "user does not hold a matching role; required roles: "
                  << g_conf->rgw_keystone_accepted_roles << dendl;
  
-  return result_t::deny();
+  return result_t::deny(-EPERM);
  }
  
  
diff --git a/src/rgw/rgw_rest_swift.cc b/src/rgw/rgw_rest_swift.cc

index 2efa83b050861bcbd86e548eaf4a634a8f51008b..a3ccdca781a634bb58c2fa1d7ed52ec1e9db3636 100644 (file)
--- a/src/rgw/rgw_rest_swift.cc
+++ b/src/rgw/rgw_rest_swift.cc
@@ -2530,11 +2530,7 @@ RGWOp *RGWHandler_REST_Obj_SWIFT::op_options()
  
  int RGWHandler_REST_SWIFT::authorize()
  {
-  int r = rgw::auth::Strategy::apply(auth_strategy, s);
-  if (r == -EACCES) { // XXX: hacky fix for Strategy::apply() refactoring
-    r = -EPERM;
-  }
-  return r;
+  return rgw::auth::Strategy::apply(auth_strategy, s);
  }
  
  int RGWHandler_REST_SWIFT::postauth_init()
diff --git a/src/rgw/rgw_swift_auth.cc b/src/rgw/rgw_swift_auth.cc

index 196d1988e01811c05d3f5142565e42809b8a3e3e..8ce6bb0816efae60f6b08b9a0fae1ff3f125732e 100644 (file)
--- a/src/rgw/rgw_swift_auth.cc
+++ b/src/rgw/rgw_swift_auth.cc
@@ -328,17 +328,17 @@ ExternalTokenEngine::authenticate(const std::string& token,
                  ",", swift_groups);
  
      if (0 == swift_groups.size()) {
-      return result_t::deny();
+      return result_t::deny(-EPERM);
      } else {
        swift_user = std::move(swift_groups[0]);
      }
    } catch (std::out_of_range) {
      /* The X-Auth-Groups header isn't present in the response. */
-    return result_t::deny();
+    return result_t::deny(-EPERM);
    }
  
    if (swift_user.empty()) {
-    return result_t::deny();
+    return result_t::deny(-EPERM);
    }
  
    ldout(cct, 10) << "swift user=" << swift_user << dendl;
@@ -416,7 +416,7 @@ SignedTokenEngine::authenticate(const std::string& token,
                                  const req_state* const s) const
  {
    if (! is_applicable(token)) {
-    return result_t::deny();
+    return result_t::deny(-EPERM);
    }
  
    /* Effective token string is the part after the prefix. */
@@ -458,7 +458,7 @@ SignedTokenEngine::authenticate(const std::string& token,
      ldout(cct, 0) << "NOTICE: old timed out token was used now=" << now
                   << " token.expiration=" << expiration
                    << dendl;
-    return result_t::deny();
+    return result_t::deny(-EPERM);
    }
  
    RGWUserInfo user_info;
@@ -471,7 +471,7 @@ SignedTokenEngine::authenticate(const std::string& token,
  
    const auto siter = user_info.swift_keys.find(swift_user);
    if (siter == std::end(user_info.swift_keys)) {
-    return result_t::deny();
+    return result_t::deny(-EPERM);
    }
  
    const auto swift_key = siter->second;
@@ -487,7 +487,7 @@ SignedTokenEngine::authenticate(const std::string& token,
                    << " tok_bl.length()=" << tok_bl.length()
                   << " local_tok_bl.length()=" << local_tok_bl.length()
                    << dendl;
-    return result_t::deny();
+    return result_t::deny(-EPERM);
    }
  
    if (memcmp(local_tok_bl.c_str(), tok_bl.c_str(),
@@ -498,7 +498,7 @@ SignedTokenEngine::authenticate(const std::string& token,
                 local_tok_bl.length(), buf);
  
      ldout(cct, 0) << "NOTICE: tokens mismatch tok=" << buf << dendl;
-    return result_t::deny();
+    return result_t::deny(-EPERM);
    }
  
    auto apl = apl_factory->create_apl_local(cct, s, user_info,
author	Radoslaw Zarzynski <rzarzynski@mirantis.com>
	Mon, 19 Jun 2017 08:53:06 +0000 (10:53 +0200)
committer	Radoslaw Zarzynski <rzarzynski@mirantis.com>
	Mon, 19 Jun 2017 08:54:45 +0000 (10:54 +0200)
src/rgw/rgw_auth.cc		patch \| blob \| history
src/rgw/rgw_auth_keystone.cc		patch \| blob \| history
src/rgw/rgw_rest_swift.cc		patch \| blob \| history
src/rgw/rgw_swift_auth.cc		patch \| blob \| history