From: Radoslaw Zarzynski
Date: Wed, 29 Jun 2016 15:01:57 +0000 (+0200)
Subject: rgw: handle Swift auth errors in a way compatible with new Tempests.
X-Git-Tag: v11.1.0~707^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=0c03dcb259ade57a126e974ec8c36434a5936fc6;p=ceph.git

rgw: handle Swift auth errors in a way compatible with new Tempests.

We have to differentiate the error codes depending on whether user is anonymous (401 Unauthorized) or he doesn't have necessary permissions (403 Forbidden). The reason behind that is the change in Tempest. See commit ID: 6b1cd29b763dbc556137c89c5fed54c624da7f69.

Fixes: http://tracker.ceph.com/issues/16590
Signed-off-by: Radoslaw Zarzynski
---

diff --git a/src/rgw/rgw_auth_decoimpl.h b/src/rgw/rgw_auth_decoimpl.h
index fb232d91397d..53625db767ca 100644
--- a/src/rgw/rgw_auth_decoimpl.h
+++ b/src/rgw/rgw_auth_decoimpl.h
@@ -153,7 +153,11 @@ void RGWThirdPartyAccountAuthApplier::load_acct_info(RGWUserInfo& user_info)
 if (ret < 0) {
 /* We aren't trying to recover from ENOENT here. It's supposed that creating
 * someone else's account isn't a thing we want to support in this filter. */
- throw ret;
+ if (ret == -ENOENT) {
+ throw -EACCES;
+ } else {
+ throw ret;
+ }
 }
 }
 
diff --git a/src/rgw/rgw_http_errors.h b/src/rgw/rgw_http_errors.h
index 4e6107e1e4dc..fec8b6f0ab03 100644
--- a/src/rgw/rgw_http_errors.h
+++ b/src/rgw/rgw_http_errors.h
@@ -71,7 +71,7 @@ const static struct rgw_http_errors RGW_HTTP_ERRORS[] = {
 };
 
 const static struct rgw_http_errors RGW_HTTP_SWIFT_ERRORS[] = {
- { EACCES, 401, "AccessDenied" },
+ { EACCES, 403, "AccessDenied" },
 { EPERM, 401, "AccessDenied" },
 { ERR_USER_SUSPENDED, 401, "UserSuspended" },
 { ERR_INVALID_UTF8, 412, "Invalid UTF8" },
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index f198ea6c3093..06c93c0bd7a3 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
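Review bot: The comment kept above the new branch in rgw_auth_decoimpl.h still says ENOENT is not recovered from, but the added `if (ret == -ENOENT)` now rewrites it to -EACCES, and nothing in the code says why. Because this commit also maps EACCES to 403 in the Swift table, what is presumably a lookup of a missing account is answered exactly like a denied one, which also stops a client from learning whether the account exists. If that is intended, state it, e.g. `/* A missing account is reported as EACCES so it cannot be told apart from a denied one. */`. The original `ret` is discarded at the throw, so recording it before the translation would keep the real cause available for diagnosis. The enclosing function starts outside the hunk.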
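Review bot: Changing the `EACCES` row of `RGW_HTTP_SWIFT_ERRORS` to 403 affects every Swift operation, yet the 401-for-anonymous translation is added only in the two `verify_permission()` overrides in rgw_rest_swift.cc, so any other path that returns -EACCES to an unauthenticated caller will now answer 403. The rgw_op.cc hunk looks like one such path: `RGWPutMetadataAccount::verify_permission()` now returns `-EACCES` without consulting the identity, as far as the visible lines show. Doing the anonymous check once, at the point where the Swift error code is chosen, would avoid per-operation gaps. The table would also benefit from a comment such as `/* EACCES: authenticated but not permitted (403); EPERM: anonymous caller (401) */`, since the two errno values now carry different HTTP meanings under the same "AccessDenied" string.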
@@ -3051,7 +3051,7 @@ int RGWPutMetadataAccount::verify_permission()
 * override in rgw_process.cc. This is the way to specify a given RGWOp
 * expect extra privileges. */
 if (new_quota_extracted) {
- return -EPERM;
+ return -EACCES;
 }
 
 return 0;
diff --git a/src/rgw/rgw_rest_swift.cc b/src/rgw/rgw_rest_swift.cc
index 3a3537ba8027..9ff33fe7f04a 100644
--- a/src/rgw/rgw_rest_swift.cc
+++ b/src/rgw/rgw_rest_swift.cc
@@ -678,6 +678,20 @@ static int get_delete_at_param(req_state *s, real_time *delete_at)
 return 0;
 }
 
+int RGWPutObj_ObjStore_SWIFT::verify_permission()
+{
+ op_ret = RGWPutObj_ObjStore::verify_permission();
+
+ /* We have to differentiate error codes depending on whether user is
+ * anonymous (401 Unauthorized) or he doesn't have necessary permissions
+ * (403 Forbidden). */
+ if (s->auth_identity->is_anonymous() && op_ret == -EACCES) {
+ return -EPERM;
+ } else {
+ return op_ret;
+ }
+}
+
 int RGWPutObj_ObjStore_SWIFT::get_params()
 {
 if (s->has_bad_meta) {
@@ -968,6 +982,20 @@ static void bulkdelete_respond(const unsigned num_deleted,
 formatter.close_section();
 }
 
+int RGWDeleteObj_ObjStore_SWIFT::verify_permission()
+{
+ op_ret = RGWDeleteObj_ObjStore::verify_permission();
+
+ /* We have to differentiate error codes depending on whether user is
+ * anonymous (401 Unauthorized) or he doesn't have necessary permissions
+ * (403 Forbidden). */
+ if (s->auth_identity->is_anonymous() && op_ret == -EACCES) {
+ return -EPERM;
+ } else {
+ return op_ret;
+ }
+}
+
 int RGWDeleteObj_ObjStore_SWIFT::get_params()
 {
 const string& mm = s->info.args.get("multipart-manifest");
diff --git a/src/rgw/rgw_rest_swift.h b/src/rgw/rgw_rest_swift.h
index 0c4b1e25100c..87b01e235f8b 100644
--- a/src/rgw/rgw_rest_swift.h
+++ b/src/rgw/rgw_rest_swift.h
@@ -95,6 +95,7 @@ public:
 RGWPutObj_ObjStore_SWIFT() {}
 ~RGWPutObj_ObjStore_SWIFT() {}
 
+ int verify_permission() override;
 int get_params();
 void send_response();
 };
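Review bot: The new `RGWPutObj_ObjStore_SWIFT::verify_permission()` stores the parent's result in the member `op_ret` and may then return a different value (-EPERM), so the status recorded on the object and the one handed to the caller can disagree. A local keeps the check free of side effects: `const int ret = RGWPutObj_ObjStore::verify_permission();` followed by `return (ret == -EACCES && s->auth_identity->is_anonymous()) ? -EPERM : ret;`. `s->auth_identity` is dereferenced unchecked, which is only safe if it is always set before verify_permission() runs, and that is not visible in this diff. The same body is repeated in `RGWDeleteObj_ObjStore_SWIFT::verify_permission()` in the next hunk, so a shared helper would keep the two from drifting.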
@@ -132,6 +133,7 @@ public:
 RGWDeleteObj_ObjStore_SWIFT() {}
 ~RGWDeleteObj_ObjStore_SWIFT() {}
 
+ int verify_permission() override;
 int get_params();
 bool need_object_expiration() { return true; }
 void send_response();