From: Pritha Srivastava Date: Mon, 20 Feb 2017 05:58:32 +0000 (+0530) Subject: rgw: Adding roles under the scope of tenants. X-Git-Tag: v12.1.0~10^2~82^2~4 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=05cf35042f70624678baca9037d2a1544264114e;p=ceph.git rgw: Adding roles under the scope of tenants. Signed-off-by: Pritha Srivastava --- diff --git a/src/rgw/rgw_admin.cc b/src/rgw/rgw_admin.cc index fd1100f3255..cd08f0f3747 100644 --- a/src/rgw/rgw_admin.cc +++ b/src/rgw/rgw_admin.cc @@ -2856,7 +2856,15 @@ int main(int argc, const char **argv) if (tenant.empty()) { tenant = user_id.tenant; } else { - if (user_id.empty() && opt_cmd != OPT_ROLE_CREATE) { + if (user_id.empty() && opt_cmd != OPT_ROLE_CREATE + && opt_cmd != OPT_ROLE_DELETE + && opt_cmd != OPT_ROLE_GET + && opt_cmd != OPT_ROLE_MODIFY + && opt_cmd != OPT_ROLE_LIST + && opt_cmd != OPT_ROLE_POLICY_PUT + && opt_cmd != OPT_ROLE_POLICY_LIST + && opt_cmd != OPT_ROLE_POLICY_GET + && opt_cmd != OPT_ROLE_POLICY_DELETE) { cerr << "ERROR: --tenant is set, but there's no user ID" << std::endl; return EINVAL; } @@ -4625,7 +4633,7 @@ int main(int argc, const char **argv) cerr << "ERROR: empty role name" << std::endl; return -EINVAL; } - RGWRole role(g_ceph_context, store, role_name); + RGWRole role(g_ceph_context, store, role_name, tenant); ret = role.delete_obj(); if (ret < 0) { return -ret; @@ -4639,7 +4647,7 @@ int main(int argc, const char **argv) cerr << "ERROR: empty role name" << std::endl; return -EINVAL; } - RGWRole role(g_ceph_context, store, role_name); + RGWRole role(g_ceph_context, store, role_name, tenant); ret = role.get(); if (ret < 0) { return -ret; @@ -4667,7 +4675,7 @@ int main(int argc, const char **argv) return -EINVAL; } string trust_policy = bl.to_str(); - RGWRole role(g_ceph_context, store, role_name); + RGWRole role(g_ceph_context, store, role_name, tenant); ret = role.get(); if (ret < 0) { return -ret; 
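Review bot: The `opt_cmd != OPT_ROLE_*` chain in the `--tenant`-without-`--uid` check now enumerates nine commands and has to be extended by hand whenever a role subcommand is added; forgetting to do so silently turns that subcommand back into an `EINVAL`, so the set is better kept in one predicate. `main` begins and ends outside the hunk and the type of `opt_cmd` is not visible, so the parameter type in the sketch below should be the real enum. The visible effect of the change — any role subcommand may now address a tenant's roles with `--tenant` alone, where previously only `role create` could — is presumably intended, but no usage-text change accompanies it in this diff, and the help text should say which commands accept `--tenant` without `--uid`.
```cpp
// True for the role / role-policy subcommands that accept --tenant
// without --uid (the tenant alone identifies the role namespace).
static bool is_role_cmd(int cmd)  // use opt_cmd's enum type here
{
  switch (cmd) {
  case OPT_ROLE_CREATE: case OPT_ROLE_DELETE: case OPT_ROLE_GET:
  case OPT_ROLE_MODIFY: case OPT_ROLE_LIST:
  case OPT_ROLE_POLICY_PUT: case OPT_ROLE_POLICY_LIST:
  case OPT_ROLE_POLICY_GET: case OPT_ROLE_POLICY_DELETE:
    return true;
  default:
    return false;
  }
}
// … unchanged: option parsing in main() …
    if (user_id.empty() && !is_role_cmd(opt_cmd)) {
      cerr << "ERROR: --tenant is set, but there's no user ID" << std::endl;
      return EINVAL;
    }
```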
@@ -4683,7 +4691,7 @@ int main(int argc, const char **argv) case OPT_ROLE_LIST: { vector result; - ret = RGWRole::get_roles_by_path_prefix(store, g_ceph_context, path_prefix, result); + ret = RGWRole::get_roles_by_path_prefix(store, g_ceph_context, path_prefix, tenant, result); if (ret < 0) { return -ret; } @@ -4712,7 +4720,7 @@ int main(int argc, const char **argv) string perm_policy; perm_policy = bl.c_str(); - RGWRole role(g_ceph_context, store, role_name); + RGWRole role(g_ceph_context, store, role_name, tenant); ret = role.get(); if (ret < 0) { return -ret; @@ -4731,7 +4739,7 @@ int main(int argc, const char **argv) cerr << "ERROR: Role name is empty" << std::endl; return -EINVAL; } - RGWRole role(g_ceph_context, store, role_name); + RGWRole role(g_ceph_context, store, role_name, tenant); ret = role.get(); if (ret < 0) { return -ret; @@ -4746,7 +4754,7 @@ int main(int argc, const char **argv) cerr << "ERROR: One of role name or policy name is empty" << std::endl; return -EINVAL; } - RGWRole role(g_ceph_context, store, role_name); + RGWRole role(g_ceph_context, store, role_name, tenant); int ret = role.get(); if (ret < 0) { return -ret; @@ -4765,7 +4773,7 @@ int main(int argc, const char **argv) cerr << "ERROR: One of role name or policy name is empty" << std::endl; return -EINVAL; } - RGWRole role(g_ceph_context, store, role_name); + RGWRole role(g_ceph_context, store, role_name, tenant); ret = role.get(); if (ret < 0) { return -ret; diff --git a/src/rgw/rgw_rest_role.cc b/src/rgw/rgw_rest_role.cc index 36e1787f57a..9d150b903d7 100644 --- a/src/rgw/rgw_rest_role.cc +++ b/src/rgw/rgw_rest_role.cc @@ -109,7 +109,7 @@ void RGWDeleteRole::execute() if (op_ret < 0) { return; } - RGWRole role(s->cct, store, role_name); + RGWRole role(s->cct, store, role_name, s->user->user_id.tenant); op_ret = role.delete_obj(); if (op_ret == -ENOENT) { 
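Review bot: With neither `--tenant` nor `--uid` given, the `tenant` handed to `get_roles_by_path_prefix` here is the empty string, and since the listing key built in rgw_role.cc is `tenant + role_path_oid_prefix + path_prefix`, that enumerates only default-tenant roles; after this change an administrator has no way to list roles across all tenants. If that is intended, a call-site comment such as `// tenant is empty for the default tenant; role listing is always per-tenant` stops the next reader from expecting a global listing, and if it is not, a separate all-tenants listing key is needed. The other rgw_admin.cc hunks (-4625, -4639, -4667, -4712, -4731, -4746, -4765) apply the same per-tenant construction and need nothing beyond that. `main` continues outside the hunk.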
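Review bot: Taking the tenant from the authenticated principal (`s->user->user_id.tenant`) rather than from a request parameter is the right choice: as far as the oid construction in rgw_role.cc shows (`tenant + get_names_oid_prefix() + name`), a caller of these handlers cannot address a role of another tenant by name, and that property deserves a comment on the constructor call, e.g. `// roles are resolved in the caller's own tenant; other tenants' roles are not reachable by name from here`. The same substitution is made in the hunks at -135, -173, -199, -238, -265, -304 and -340; three of them (`RGWGetRolePolicy`, `RGWListRolePolicies`, `RGWDeleteRolePolicy`) still pass `g_ceph_context` where the others pass `s->cct`, and since the lines are rewritten anyway `RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);` in all eight would remove the inconsistency. Whether `s->user` can be null when these handlers run is not visible here; if they can execute before authentication has populated it, the dereference needs a guard.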
@@ -135,7 +135,7 @@ void RGWGetRole::execute() if (op_ret < 0) { return; } - RGWRole role(s->cct, store, role_name); + RGWRole role(s->cct, store, role_name, s->user->user_id.tenant); op_ret = role.get(); if (op_ret == -ENOENT) { @@ -173,7 +173,7 @@ void RGWModifyRole::execute() if (op_ret < 0) { return; } - RGWRole role(s->cct, store, role_name); + RGWRole role(s->cct, store, role_name, s->user->user_id.tenant); op_ret = role.get(); if (op_ret == -ENOENT) { op_ret = -ERR_NO_ROLE_FOUND; @@ -199,7 +199,7 @@ void RGWListRoles::execute() return; } vector result; - op_ret = RGWRole::get_roles_by_path_prefix(store, s->cct, path_prefix, result); + op_ret = RGWRole::get_roles_by_path_prefix(store, s->cct, path_prefix, s->user->user_id.tenant, result); if (op_ret == 0) { s->formatter->open_array_section("Roles"); @@ -238,7 +238,7 @@ void RGWPutRolePolicy::execute() return; } - RGWRole role(s->cct, store, role_name); + RGWRole role(s->cct, store, role_name, s->user->user_id.tenant); op_ret = role.get(); if (op_ret == 0) { role.set_perm_policy(policy_name, perm_policy); @@ -265,7 +265,7 @@ void RGWGetRolePolicy::execute() return; } - RGWRole role(g_ceph_context, store, role_name); + RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant); op_ret = role.get(); if (op_ret == -ENOENT) { @@ -304,7 +304,7 @@ void RGWListRolePolicies::execute() return; } - RGWRole role(g_ceph_context, store, role_name); + RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant); op_ret = role.get(); if (op_ret == -ENOENT) { @@ -340,7 +340,7 @@ void RGWDeleteRolePolicy::execute() return; } - RGWRole role(g_ceph_context, store, role_name); + RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant); op_ret = role.get(); if (op_ret == -ENOENT) { diff --git a/src/rgw/rgw_role.cc b/src/rgw/rgw_role.cc index b718aa9d62b..ab08c57807d 100644 --- a/src/rgw/rgw_role.cc +++ b/src/rgw/rgw_role.cc 
@@ -38,7 +38,7 @@ int RGWRole::store_name(bool exclusive) RGWNameToId nameToId; nameToId.obj_id = id; - string oid = get_names_oid_prefix() + name; + string oid = tenant + get_names_oid_prefix() + name; bufferlist bl; ::encode(nameToId, bl); @@ -48,7 +48,7 @@ int RGWRole::store_name(bool exclusive) int RGWRole::store_path(bool exclusive) { - string oid = get_path_oid_prefix() + path + get_info_oid_prefix() + id; + string oid = tenant + get_path_oid_prefix() + path + get_info_oid_prefix() + id; return rgw_put_system_obj(store, store->get_zone_params().roles_pool, oid, NULL, 0, exclusive, NULL, real_time(), NULL); @@ -59,7 +59,7 @@ int RGWRole::create(bool exclusive) int ret; /* check to see the name is not used */ - ret = read_id(name, id); + ret = read_id(name, tenant, id); if (exclusive && ret == 0) { ldout(cct, 0) << "ERROR: name " << name << " already in use for role id " << id << dendl; @@ -128,7 +128,7 @@ int RGWRole::create(bool exclusive) << id << ": " << cpp_strerror(-info_ret) << dendl; } //Delete role name that was stored in previous call - oid = get_names_oid_prefix() + name; + oid = tenant + get_names_oid_prefix() + name; int name_ret = rgw_delete_system_obj(store, pool, oid, NULL); if (name_ret < 0) { ldout(cct, 0) << "ERROR: cleanup of role name from pool: " << pool.name << ": " @@ -166,7 +166,7 @@ int RGWRole::delete_obj() } // Delete name - oid = get_names_oid_prefix() + name; + oid = tenant + get_names_oid_prefix() + name; ret = rgw_delete_system_obj(store, pool, oid, NULL); if (ret < 0) { ldout(cct, 0) << "ERROR: deleting role name from pool: " << pool.name << ": " @@ -174,7 +174,7 @@ int RGWRole::delete_obj() } // Delete path - oid = get_path_oid_prefix() + path + get_info_oid_prefix() + id; + oid = tenant + get_path_oid_prefix() + path + get_info_oid_prefix() + id; ret = rgw_delete_system_obj(store, pool, oid, NULL); if (ret < 0) { ldout(cct, 0) << "ERROR: deleting role path from pool: " << pool.name << ": " 
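Review bot: `tenant + get_names_oid_prefix() + name` puts the tenant directly in front of the prefix constant with no delimiter, so the separation between tenants rests on tenant names never starting with one of the `*_oid_prefix` constants; a tenant whose name begins with the path prefix, for instance, would have objects that also start with the default tenant's listing key `tenant + role_path_oid_prefix` and would appear in a default-tenant `get_roles_by_path_prefix`. Whether tenant names are validated elsewhere to rule that out is not visible in this diff, and a separator after the tenant alone does not close the default-tenant case because the empty tenant has no marker of its own; either the validation exists and should be referenced here, or the default tenant needs an explicit marker, which would mean migrating roles stored with the v1 layout. It is worth settling in this commit, since these oids become the stored layout for every tenant role created from now on. At minimum the invariant should be written down where the key is built, e.g. `// no delimiter between tenant and prefix: tenant names must not begin with any *_oid_prefix constant, or namespaces collide`; the same concatenation appears in the hunks at -48, -128, -166, -174, -272, -326 and -355, and a single helper returning the tenant prefix would keep the rule in one place. `store_name` starts before the hunk.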
@@ -272,10 +272,10 @@ void RGWRole::decode_json(JSONObj *obj) JSONDecoder::decode_json("assume_role_policy_document", trust_policy, obj); } -int RGWRole::read_id(const string& role_name, string& role_id) +int RGWRole::read_id(const string& role_name, const string& tenant, string& role_id) { auto& pool = store->get_zone_params().roles_pool; - string oid = get_names_oid_prefix() + role_name; + string oid = tenant + get_names_oid_prefix() + role_name; bufferlist bl; RGWObjectCtx obj_ctx(store); @@ -326,7 +326,7 @@ int RGWRole::read_info() int RGWRole::read_name() { auto& pool = store->get_zone_params().roles_pool; - string oid = get_names_oid_prefix() + name; + string oid = tenant + get_names_oid_prefix() + name; bufferlist bl; RGWObjectCtx obj_ctx(store); @@ -355,16 +355,20 @@ void RGWRole::update_trust_policy(string& trust_policy) this->trust_policy = trust_policy; } -int RGWRole::get_roles_by_path_prefix(RGWRados *store, CephContext *cct, const string& path_prefix, vector& roles) +int RGWRole::get_roles_by_path_prefix(RGWRados *store, + CephContext *cct, + const string& path_prefix, + const string& tenant, + vector& roles) { auto pool = store->get_zone_params().roles_pool; string prefix; // List all roles if path prefix is empty if (! path_prefix.empty()) { - prefix = role_path_oid_prefix + path_prefix; + prefix = tenant + role_path_oid_prefix + path_prefix; } else { - prefix = role_path_oid_prefix; + prefix = tenant + role_path_oid_prefix; } //Get the filtered objects diff --git a/src/rgw/rgw_role.h b/src/rgw/rgw_role.h index 861a797662b..138381e74f0 100644 --- a/src/rgw/rgw_role.h +++ b/src/rgw/rgw_role.h @@ -22,7 +22,7 @@ class RGWRole int store_info(bool exclusive); int store_name(bool exclusive); int store_path(bool exclusive); - int read_id(const string& role_name, string& role_id); + int read_id(const string& role_name, const string& tenant, string& role_id); int read_name(); int read_info(); void set_id(const string& id) { this->id = id; } 
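Review bot: The new `const string& tenant` parameter of `read_id` shadows the `tenant` member that the sibling `read_name` (hunk -326) reads directly, and the only caller shown, `create` (hunk -59 in rgw_role.cc), passes that member straight back in, so the parameter creates a second source of truth for the same value and makes it possible to look a name up under a tenant other than the one the object was constructed for. Either drop the parameter and read the member — `int RGWRole::read_id(const string& role_name, string& role_id)` with `string oid = tenant + get_names_oid_prefix() + role_name;` — or, if it is meant to be usable without an object, declare it `static` in the rgw_role.h hunk at -22 so the intent is explicit. The remainder of `read_id` is outside the hunk.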
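Review bot: After this change both branches of the `path_prefix.empty()` test in `get_roles_by_path_prefix` compute the same string, since appending an empty `path_prefix` changes nothing; `string prefix = tenant + role_path_oid_prefix + path_prefix;` replaces the if/else, and the existing `// List all roles if path prefix is empty` comment can stay above it. The meaning of an empty `tenant` argument — listing the default tenant's roles, not all tenants' — is not documented; a `/// @param tenant tenant whose roles are listed; empty selects the default tenant` line on the declaration in the rgw_role.h hunk at -104 would make that explicit. The function continues past the end of the hunk.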
@@ -46,10 +46,12 @@ public: RGWRole(CephContext *cct, RGWRados *store, - string name) + string name, + string tenant) : cct(cct), store(store), - name(std::move(name)) {} + name(std::move(name)), + tenant(std::move(tenant)) {} RGWRole(CephContext *cct, RGWRados *store) @@ -61,7 +63,7 @@ public: ~RGWRole() = default; void encode(bufferlist& bl) const { - ENCODE_START(1, 1, bl); + ENCODE_START(2, 1, bl); ::encode(id, bl); ::encode(name, bl); ::encode(path, bl); @@ -69,11 +71,12 @@ public: ::encode(creation_date, bl); ::encode(trust_policy, bl); ::encode(perm_policy_map, bl); + ::encode(tenant, bl); ENCODE_FINISH(bl); } void decode(bufferlist::iterator& bl) { - DECODE_START(1, bl); + DECODE_START(2, bl); ::decode(id, bl); ::decode(name, bl); ::decode(path, bl); @@ -81,6 +84,9 @@ public: ::decode(creation_date, bl); ::decode(trust_policy, bl); ::decode(perm_policy_map, bl); + if (struct_v >= 2) { + ::decode(tenant, bl); + } DECODE_FINISH(bl); } @@ -104,7 +110,11 @@ public: static const string& get_names_oid_prefix(); static const string& get_info_oid_prefix(); static const string& get_path_oid_prefix(); - static int get_roles_by_path_prefix(RGWRados *store, CephContext *cct, const string& path_prefix, vector& roles); + static int get_roles_by_path_prefix(RGWRados *store, + CephContext *cct, + const string& path_prefix, + const string& tenant, + vector& roles); }; WRITE_CLASS_ENCODER(RGWRole) #endif /* CEPH_RGW_ROLE_H */
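Review bot: The new `tenant` constructor parameter is undocumented, and its empty-string meaning is load-bearing: rgw_role.cc prepends `tenant` directly to the oid prefixes, so an empty tenant selects the pre-existing untenanted object names, and a role decoded from a version-1 blob (the hunk at -81 leaves `tenant` untouched when `struct_v < 2`) lands in exactly that namespace. A comment on the parameter such as `// tenant: namespace of the role's name/path objects; empty = default tenant, i.e. the pre-v2 object layout` records the contract, and the same wording belongs on the `tenant` argument of `get_roles_by_path_prefix` in the hunk at -104. The encoder and decoder hunks at -61, -69 and -81 bump the version and guard the new field consistently and need no change. The class definition extends beyond the hunk.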