From: Radoslaw Zarzynski
Date: Thu, 11 Aug 2016 16:28:38 +0000 (+0200)
Subject: rgw: improve handling account privilege level in the auth infrastructure.
X-Git-Tag: v11.0.1~221^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=32a04b03342c8d3e0b416bcd0c3d28896af5836d;p=ceph.git

rgw: improve handling account privilege level in the auth infrastructure.

Signed-off-by: Radoslaw Zarzynski
---

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index fb265281213..4b5f784933c 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -368,11 +368,13 @@ RGWKeystoneAuthEngine::get_creds_info(const KeystoneToken& token,
 const std::vector& admin_roles
 ) const noexcept
 {
+ using acct_privilege_t = RGWRemoteAuthApplier::AuthInfo::acct_privilege_t;
+
 /* Check whether the user has an admin status. */
- bool is_admin = false;
+ acct_privilege_t level = acct_privilege_t::IS_PLAIN_ACCT;
 for (const auto& admin_role : admin_roles) {
 if (token.has_role(admin_role)) {
- is_admin = true;
+ level = acct_privilege_t::IS_ADMIN_ACCT;
 break;
 }
 }
@@ -385,7 +387,7 @@ RGWKeystoneAuthEngine::get_creds_info(const KeystoneToken& token,
 /* Keystone doesn't support RGW's subuser concept, so we cannot cut down
 * the access rights through the perm_mask. At least at this layer. */
 RGW_PERM_FULL_CONTROL,
- is_admin,
+ level,
 };
 }
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index d1ec8fc4184..79d5263257a 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -120,15 +120,20 @@ public:
 const uint32_t acct_type;
 public:
+ enum class acct_privilege_t {
+ IS_ADMIN_ACCT,
+ IS_PLAIN_ACCT
+ };
+
 AuthInfo(const rgw_user& acct_user,
 const std::string& acct_name,
 const uint32_t perm_mask,
- const bool is_admin,
+ const acct_privilege_t level,
 const uint32_t acct_type=TYPE_NONE)
 : acct_user(acct_user),
 acct_name(acct_name),
 perm_mask(perm_mask),
- is_admin(is_admin),
+ is_admin(acct_privilege_t::IS_ADMIN_ACCT == level),
 acct_type(acct_type) {
 }
 };
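Review bot: In the first rgw_auth.cc hunk, the comment above the loop still reads `/* Check whether the user has an admin status. */`, which no longer describes the enum value the loop now produces. It is worth stating the fail-closed default there, for example `/* Map Keystone roles to a privilege level; a token matching none of admin_roles stays a plain account. */`. The function signature starts above this hunk and the value is consumed in the following hunk, where `level` is passed on to `AuthInfo`.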
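Review bot: In the rgw_auth.h hunk, `acct_privilege_t` lists `IS_ADMIN_ACCT` first, so the admin level has the underlying value 0 and a value-initialised `acct_privilege_t{}` means admin. Putting the unprivileged enumerator first makes the zero value fail closed: `enum class acct_privilege_t { IS_PLAIN_ACCT, IS_ADMIN_ACCT };`. The constructor also collapses the level back into the `is_admin` bool in its initialiser list, so the stronger typing ends at this boundary; the member declaration and the rest of the class are outside the hunk. The enum has no comment, and a one-line note that it only selects admin versus plain, separately from `perm_mask`, would help callers.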
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 69e6980fe3d..df570c74f76 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -4357,11 +4357,13 @@ RGWRemoteAuthApplier::acl_strategy_t RGWLDAPAuthEngine::get_acl_strategy() const
 RGWRemoteAuthApplier::AuthInfo
 RGWLDAPAuthEngine::get_creds_info(const rgw::RGWToken& token) const noexcept
 {
+ using acct_privilege_t = RGWRemoteAuthApplier::AuthInfo::acct_privilege_t;
+
 return RGWRemoteAuthApplier::AuthInfo {
 rgw_user(token.id),
 token.id,
 RGW_PERM_FULL_CONTROL,
- false,
+ acct_privilege_t::IS_PLAIN_ACCT,
 TYPE_LDAP
 };
 }
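Review bot: The LDAP path passes `acct_privilege_t::IS_PLAIN_ACCT` unconditionally next to `RGW_PERM_FULL_CONTROL`, and nothing at the return statement says that this is deliberate. The Keystone engine documents its `perm_mask` choice with a comment, and this function would benefit from the same above the return, for example `/* The LDAP token carries no role data at this layer, so LDAP users are never admin accounts. */`. That wording assumes the fixed level is intentional, which the hunk alone does not confirm.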