From: Ali Masarwa <ali.saed.masarwa@gmail.com>
Date: Thu, 24 Aug 2023 15:40:22 +0000 (+0300)
Subject: RGW: When using Keystone auth for RGW, include the Keystone user in ops log
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=47166556c5bbcf1f26621bf24cf04221b65af366;p=ceph.git

RGW: When using Keystone auth for RGW, include the Keystone user in ops log

Signed-off-by: Ali Masarwa <ali.saed.masarwa@gmail.com>
Signed-off-by: Ali Masarwa <amasarwa@redhat.com>
---

diff --git a/qa/workunits/rgw/keystone-service-token.sh b/qa/workunits/rgw/keystone-service-token.sh
index fc39731ca951..df8bfdc8c0e1 100755
--- a/qa/workunits/rgw/keystone-service-token.sh
+++ b/qa/workunits/rgw/keystone-service-token.sh
@@ -13,6 +13,24 @@
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU Library Public License for more details.
+#
+<<comment Running this script with vstart should be should have these options
+MON=1 OSD=1 MDS=0 MGR=0 RGW=1 ../src/vstart.sh -n -d -o 'rgw_keystone_accepted_admin_roles="admin"
+	rgw_keystone_accepted_roles="admin,Member"
+	rgw_keystone_admin_domain="Default"
+	rgw_keystone_admin_password="ADMIN"
+	rgw_keystone_admin_project="admin"
+	rgw_keystone_admin_user="admin"
+	rgw_keystone_api_version=3
+	rgw_keystone_expired_token_cache_expiration=10
+	rgw_keystone_implicit_tenants=true
+	rgw_keystone_service_token_accepted_roles="admin"
+	rgw_keystone_service_token_enabled=true
+	rgw_keystone_url="http://localhost:5000"
+	rgw_swift_account_in_url=true
+	rgw_swift_enforce_content_length=true
+	rgw_swift_versioning_enabled=true'
+comment
 
 source $CEPH_ROOT/qa/standalone/ceph-helpers.sh
 
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 4dee2bf46968..25d6e1b56b34 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -782,6 +782,7 @@ bool rgw::auth::WebIdentityApplier::is_identity(const Principal& p) const
 
 const std::string rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER;
 const std::string rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY;
+const std::string rgw::auth::RemoteApplier::AuthInfo::NO_KEYSTONE_USER;
 
 /* rgw::auth::RemoteAuthApplier */
 ACLOwner rgw::auth::RemoteApplier::get_aclowner() const
@@ -954,6 +955,7 @@ void rgw::auth::RemoteApplier::write_ops_log_entry(rgw_log_entry& entry) const
   if (account) {
     entry.account_id = account->id;
   }
+  entry.user = info.keystone_user;
 }
 
 /* TODO(rzarzynski): we need to handle display_name changes. */
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index 6632a38e6a61..d2c32729b208 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -590,6 +590,7 @@ public:
     const uint32_t acct_type;
     const std::string access_key_id;
     const std::string subuser;
+    const std::string keystone_user;
 
   public:
     enum class acct_privilege_t {
@@ -599,6 +600,7 @@ public:
 
     static const std::string NO_SUBUSER;
     static const std::string NO_ACCESS_KEY;
+    static const std::string NO_KEYSTONE_USER;
 
     AuthInfo(const rgw_user& acct_user,
              const std::string& acct_name,
@@ -606,6 +608,7 @@ public:
              const acct_privilege_t level,
              const std::string access_key_id,
              const std::string subuser,
+             const std::string keystone_user,
              const uint32_t acct_type=TYPE_NONE)
     : acct_user(acct_user),
       acct_name(acct_name),
@@ -613,7 +616,8 @@ public:
       is_admin(acct_privilege_t::IS_ADMIN_ACCT == level),
       acct_type(acct_type),
       access_key_id(access_key_id),
-      subuser(subuser) {
+      subuser(subuser),
+      keystone_user(keystone_user) {
     }
   };
 
diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc
index 7f3bd66a1b95..4d610ff4b5b6 100644
--- a/src/rgw/rgw_auth_keystone.cc
+++ b/src/rgw/rgw_auth_keystone.cc
@@ -159,6 +159,7 @@ TokenEngine::get_creds_info(const TokenEngine::token_envelope_t& token
     level,
     rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY,
     rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
+    token.get_user_name(),
     TYPE_KEYSTONE
 };
 }
@@ -665,6 +666,7 @@ EC2Engine::get_creds_info(const EC2Engine::token_envelope_t& token,
     level,
     access_key_id,
     rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
+    token.get_user_name(),
     TYPE_KEYSTONE
   };
 }
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 1b49b8e995c4..98b05cc17ded 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -6749,6 +6749,7 @@ rgw::auth::s3::LDAPEngine::get_creds_info(const rgw::RGWToken& token) const noex
     acct_privilege_t::IS_PLAIN_ACCT,
     rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY,
     rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
+    rgw::auth::RemoteApplier::AuthInfo::NO_KEYSTONE_USER,
     TYPE_LDAP
   };
 }
@@ -6893,6 +6894,7 @@ rgw::auth::s3::STSEngine::get_creds_info(const STS::SessionToken& token) const n
     (token.is_admin) ? acct_privilege_t::IS_ADMIN_ACCT: acct_privilege_t::IS_PLAIN_ACCT,
     token.access_key_id,
     rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
+    rgw::auth::RemoteApplier::AuthInfo::NO_KEYSTONE_USER,
     token.acct_type
   };
 }