rgw/keystone: use secret key from EC2 for sigv4 streaming mode

author Casey Bodley <cbodley@redhat.com>

Wed, 15 Mar 2023 20:50:07 +0000 (16:50 -0400)

committer Casey Bodley <cbodley@redhat.com>

Tue, 11 Apr 2023 13:09:26 +0000 (09:09 -0400)
author Casey Bodley <cbodley@redhat.com>
Wed, 15 Mar 2023 20:50:07 +0000 (16:50 -0400)
committer Casey Bodley <cbodley@redhat.com>
Tue, 11 Apr 2023 13:09:26 +0000 (09:09 -0400)
diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc

index b818325db9f8ccd829655723f646c44be87ed18c..4930a06bea88ed6c77e8cbe9b2cd880079d6d6a5 100644 (file)
--- a/src/rgw/rgw_auth_keystone.cc
+++ b/src/rgw/rgw_auth_keystone.cc
@@ -542,15 +542,16 @@ std::pair<boost::optional<std::string>, int> EC2Engine::get_secret_from_keystone
  /*
   * Try to get a token for S3 authentication, using a secret cache if available
   */
-std::pair<boost::optional<rgw::keystone::TokenEnvelope>, int>
-EC2Engine::get_access_token(const DoutPrefixProvider* dpp,
-                           const std::string_view& access_key_id,
-                            const std::string& string_to_sign,
-                            const std::string_view& signature,
-                           const signature_factory_t& signature_factory) const
+auto EC2Engine::get_access_token(const DoutPrefixProvider* dpp,
+                                 const std::string_view& access_key_id,
+                                 const std::string& string_to_sign,
+                                 const std::string_view& signature,
+                                 const signature_factory_t& signature_factory) const
+    -> access_token_result
  {
    using server_signature_t = VersionAbstractor::server_signature_t;
    boost::optional<rgw::keystone::TokenEnvelope> token;
+  boost::optional<std::string> secret;
    int failure_reason;
  
    /* Get a token from the cache if one has already been stored */
@@ -562,7 +563,7 @@ EC2Engine::get_access_token(const DoutPrefixProvider* dpp,
      std::string sig(signature);
      server_signature_t server_signature = signature_factory(cct, t->get<1>(), string_to_sign);
      if (sig.compare(server_signature) == 0) {
-      return std::make_pair(t->get<0>(), 0);
+      return {t->get<0>(), t->get<1>(), 0};
      } else {
        ldpp_dout(dpp, 0) << "Secret string does not correctly sign payload, cache miss" << dendl;
      }
@@ -575,8 +576,8 @@ EC2Engine::get_access_token(const DoutPrefixProvider* dpp,
  
    if (token) {
      /* Fetch secret from keystone for the access_key_id */
-    boost::optional<std::string> secret;
-    std::tie(secret, failure_reason) = get_secret_from_keystone(dpp, token->get_user_id(), access_key_id);
+    std::tie(secret, failure_reason) =
+        get_secret_from_keystone(dpp, token->get_user_id(), access_key_id);
  
      if (secret) {
        /* Add token, secret pair to cache, and set timeout */
@@ -584,7 +585,7 @@ EC2Engine::get_access_token(const DoutPrefixProvider* dpp,
      }
    }
  
-  return std::make_pair(token, failure_reason);
+  return {token, secret, failure_reason};
  }
  
  EC2Engine::acl_strategy_t
@@ -655,9 +656,7 @@ rgw::auth::Engine::result_t EC2Engine::authenticate(
      std::vector<std::string> admin;
    } accepted_roles(cct);
  
-  boost::optional<token_envelope_t> t;
-  int failure_reason;
-  std::tie(t, failure_reason) = \
+  auto [t, secret_key, failure_reason] =
      get_access_token(dpp, access_key_id, string_to_sign, signature, signature_factory);
    if (! t) {
      return result_t::deny(failure_reason);
@@ -693,7 +692,7 @@ rgw::auth::Engine::result_t EC2Engine::authenticate(
  
      auto apl = apl_factory->create_apl_remote(cct, s, get_acl_strategy(*t),
                                                get_creds_info(*t, accepted_roles.admin, std::string(access_key_id)));
-    return result_t::grant(std::move(apl), completer_factory(boost::none));
+    return result_t::grant(std::move(apl), completer_factory(secret_key));
    }
  }
  
diff --git a/src/rgw/rgw_auth_keystone.h b/src/rgw/rgw_auth_keystone.h

index f3c9604370b9ac27d66a8aef4f0ebada8158a5a2..9d79bc87826e90fb5855209e6c1b269692c150ba 100644 (file)
--- a/src/rgw/rgw_auth_keystone.h
+++ b/src/rgw/rgw_auth_keystone.h
@@ -148,7 +148,13 @@ class EC2Engine : public rgw::auth::s3::AWSEngine {
                      const std::string_view& access_key_id,
                      const std::string& string_to_sign,
                      const std::string_view& signature) const;
-  std::pair<boost::optional<token_envelope_t>, int>
+
+  struct access_token_result {
+    boost::optional<token_envelope_t> token;
+    boost::optional<std::string> secret_key;
+    int failure_reason = 0;
+  };
+  access_token_result
    get_access_token(const DoutPrefixProvider* dpp,
                     const std::string_view& access_key_id,
                     const std::string& string_to_sign,
author	Casey Bodley <cbodley@redhat.com>
	Wed, 15 Mar 2023 20:50:07 +0000 (16:50 -0400)
committer	Casey Bodley <cbodley@redhat.com>
	Tue, 11 Apr 2023 13:09:26 +0000 (09:09 -0400)
src/rgw/rgw_auth_keystone.cc		patch \| blob \| history
src/rgw/rgw_auth_keystone.h		patch \| blob \| history