From: Raja Sharma
Date: Fri, 13 Jun 2025 14:58:36 +0000 (+0530)
Subject: get_caller_identity utility
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=35ec3cd2bb9fa4559c901eb51e83cb3096e0df37;p=ceph.git

get_caller_identity utility

Tracker: https://tracker.ceph.com/issues/72157

Signed-off-by: Raja Sharma
---
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index a4abe024e53df..0d6c749af050e 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -280,6 +280,10 @@ static auto transform_old_authinfo(const RGWUserInfo& user,
 return type;
 }
 
+ std::optional get_caller_identity() const override {
+ return std::nullopt;
+ }
+
 string get_acct_name() const override {
 return {};
 }
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index 87fbd47c0b109..f4e469fb2625a 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -87,6 +87,9 @@ public:
 /* Identity Type: RGW/ LDAP/ Keystone */
 virtual uint32_t get_identity_type() const = 0;
 
+ /* Identity ARN */
+ virtual std::optional get_caller_identity() const = 0;
+
 /* Name of Account */
 virtual std::string get_acct_name() const = 0;
 
@@ -504,6 +507,10 @@ public:
 return TYPE_WEB;
 }
 
+ std::optional get_caller_identity() const override {
+ return std::nullopt;
+ }
+
 std::string get_acct_name() const override {
 return this->user_name;
 }
@@ -679,6 +686,11 @@ public:
 void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;
 void write_ops_log_entry(rgw_log_entry& entry) const override;
 uint32_t get_identity_type() const override { return info.acct_type; }
+
+ std::optional get_caller_identity() const override {
+ return std::nullopt;
+ }
+
 std::string get_acct_name() const override { return info.acct_name; }
 std::string get_subuser() const override { return {}; }
 const std::string& get_tenant() const override {
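Review bot: The new pure virtual `get_caller_identity()` in the rgw_auth.h `@@ -87` hunk is documented only as `/* Identity ARN */`, yet four of the overrides in this patch (the one in rgw_auth.cc and the TYPE_WEB, `info.acct_type` and TYPE_RGW appliers in rgw_auth.h) return `std::nullopt`, so a caller using this value for policy or audit decisions cannot tell from the declaration whether an empty result is expected or an error. Suggest expanding the comment to `/* ARN identifying the caller, for policy evaluation; std::nullopt when this identity type has no ARN representation */`, and giving each nullopt override a one-line reason (e.g. `// external identities carry no IAM ARN`). Consumers presumably need to treat nullopt as "no principal ARN" rather than as an empty-string ARN, which the comment should make explicit. The Identity interface that declares this continues outside the hunk.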
@@ -749,6 +761,19 @@ public:
 auto load_acct_info(const DoutPrefixProvider* dpp) const -> std::unique_ptr override; /* out */
 void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;
 uint32_t get_identity_type() const override { return user_info.type; }
+
+ std::optional get_caller_identity() const override {
+ bool has_account_id = !user_info.account_id.empty();
+ std::string acct = has_account_id ? user_info.account_id : user_info.user_id.tenant;
+ if(user_info.type == TYPE_ROOT) {
+ return rgw::ARN("", "root", acct, true);
+ }
+
+ std::string username = has_account_id ? user_info.display_name : user_info.user_id.id;
+ std::string path = user_info.path.empty() ? "/" : user_info.path;
+ return rgw::ARN(string_cat_reserve(path, username), "user", acct, true);
+ }
+
 std::string get_acct_name() const override { return {}; }
 std::string get_subuser() const override { return subuser; }
 const std::string& get_tenant() const override {
@@ -828,6 +853,16 @@ public:
 void to_str(std::ostream& out) const override;
 auto load_acct_info(const DoutPrefixProvider* dpp) const -> std::unique_ptr override; /* out */
 uint32_t get_identity_type() const override { return TYPE_ROLE; }
+
+ std::optional get_caller_identity() const override {
+ rgw::Partition partition = rgw::Partition::aws;
+ rgw::Service service = rgw::Service::sts;
+ std::string acct = role.account->id.empty() ? role.tenant : role.account->id;
+ std::string resource = "assumed-role/" + role.name + "/" + token_attrs.role_session_name;
+
+ return rgw::ARN(partition, service, "", acct, resource);
+ }
+
 std::string get_acct_name() const override { return {}; }
 std::string get_subuser() const override { return {}; }
 const std::string& get_tenant() const override { return role.tenant; }
@@ -886,6 +921,10 @@ public:
 return TYPE_RGW;
 }
 
+ std::optional get_caller_identity() const override {
+ return std::nullopt;
+ }
+
 std::string get_acct_name() const override {
 return {};
 }
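Review bot: In the `@@ -749` hunk, `string_cat_reserve(path, username)` only normalizes an empty `user_info.path` to `/`; if a stored path can ever lack its trailing slash, the resource becomes `user/<path><name>` with no separator, which silently changes the identity that policies match against. If paths are guaranteed `/`-terminated at user creation, a comment saying so would settle it; otherwise guard with `if (path.back() != '/') path.push_back('/');` before the call. Minor style: `if(user_info.type == TYPE_ROOT)` should be `if (`, the locals can be `const`, and this is the only override in the class with real logic inline in the header while `load_acct_info` and `modify_request_state` are declared out of line — consider defining it next to them. The enclosing class (LocalApplier, judging by `user_info`/`subuser`) starts and ends outside the hunk.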
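Review bot: In the `@@ -828` hunk, `role.account->id` is dereferenced unconditionally on both sides of the ternary; the `->` suggests `role.account` is an optional or pointer, and if it is disengaged for a tenant-scoped role (the `role.tenant` fallback implies such roles exist) the dereference is undefined behaviour on the authentication path. Suggest `std::string acct = (role.account && !role.account->id.empty()) ? role.account->id : role.tenant;`. The `partition` and `service` locals add nothing over passing `rgw::Partition::aws` and `rgw::Service::sts` directly, and `resource` could be built with `string_cat_reserve` as the sibling override does instead of three `operator+` temporaries. The enclosing class (RoleApplier, judging by `role`/`TYPE_ROLE`) starts and ends outside the hunk.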
diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h
index aed3449f13b11..09d9e07b0795d 100644
--- a/src/rgw/rgw_auth_filters.h
+++ b/src/rgw/rgw_auth_filters.h
@@ -97,6 +97,10 @@ public:
 return get_decoratee().get_identity_type();
 }
 
+ std::optional get_caller_identity() const override {
+ return get_decoratee().get_caller_identity();
+ }
+
 std::string get_acct_name() const override {
 return get_decoratee().get_acct_name();
 }
diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
index 057bcab362b63..d3a285a14ca59 100644
--- a/src/test/rgw/test_rgw_iam_policy.cc
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -213,6 +213,10 @@ public:
 uint32_t get_identity_type() const override {
 return TYPE_RGW;
 }
+
+ std::optional get_caller_identity() const override {
+ return std::nullopt;
+ }
 };
 
 class PolicyTest : public ::testing::Test {
diff --git a/src/test/rgw/test_rgw_lua.cc b/src/test/rgw/test_rgw_lua.cc
index e773e15891f5f..c057c341153c1 100644
--- a/src/test/rgw/test_rgw_lua.cc
+++ b/src/test/rgw/test_rgw_lua.cc
@@ -49,6 +49,10 @@ public:
 return TYPE_RGW;
 }
 
+ std::optional get_caller_identity() const override {
+ return std::nullopt;
+ }
+
 string get_acct_name() const override {
 return "";
 }
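Review bot: The `@@ -213` hunk in test_rgw_iam_policy.cc (and the matching one in test_rgw_lua.cc) only adds a `std::nullopt` stub, so the two overrides in rgw_auth.h that actually build an ARN — the `user_info`-based one and the `assumed-role/...` one — get no coverage in this patch, and a wrongly rendered ARN changes which principal a policy matches. Unless a later commit adds them, a test per applier asserting the rendered ARN for a tenant user, an account user, a root user and a role session would pin the format (that the `root` variant carries no path, and that the account id replaces the tenant when present). The stubs themselves are fine for these fixtures.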