From: Casey Bodley Date: Fri, 26 Jan 2024 17:20:53 +0000 (-0500) Subject: rgw/role: support Description for Create/Get/UpdateRole X-Git-Tag: testing/wip-yuriw-testing-20240416.150233~10^2~91 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=520e71180c43b7a030eb5cebda81f879b436e673;p=ceph-ci.git rgw/role: support Description for Create/Get/UpdateRole Signed-off-by: Casey Bodley (cherry picked from commit 44804b1d27c8cd3c0ec57cdd7be0a0deb3f89280) --- diff --git a/src/rgw/driver/daos/rgw_sal_daos.cc b/src/rgw/driver/daos/rgw_sal_daos.cc index 86529befbaa..ed50697113e 100644 --- a/src/rgw/driver/daos/rgw_sal_daos.cc +++ b/src/rgw/driver/daos/rgw_sal_daos.cc @@ -2079,7 +2079,7 @@ int DaosMultipartWriter::complete( std::unique_ptr DaosStore::get_role( std::string name, std::string tenant, rgw_account_id account_id, std::string path, - std::string trust_policy, std::string max_session_duration_str, + std::string trust_policy, std::string description, std::string max_session_duration_str, std::multimap tags) { RGWRole* p = nullptr; return std::unique_ptr(p); diff --git a/src/rgw/driver/daos/rgw_sal_daos.h b/src/rgw/driver/daos/rgw_sal_daos.h index 2b61347b807..c823d00992b 100644 --- a/src/rgw/driver/daos/rgw_sal_daos.h +++ b/src/rgw/driver/daos/rgw_sal_daos.h @@ -995,7 +995,7 @@ class DaosStore : public StoreDriver { std::unique_ptr get_lua_manager(const DoutPrefixProvider *dpp = nullptr, const std::string& luarocks_path = "") override; virtual std::unique_ptr get_role( std::string name, std::string tenant, rgw_account_id account_id, std::string path = "", - std::string trust_policy = "", std::string max_session_duration_str = "", + std::string trust_policy = "", std::string description = "", std::string max_session_duration_str = "", std::multimap tags = {}) override; virtual std::unique_ptr get_role(const RGWRoleInfo& info) override; virtual std::unique_ptr get_role(std::string id) override; 
diff --git a/src/rgw/driver/motr/rgw_sal_motr.cc b/src/rgw/driver/motr/rgw_sal_motr.cc index 7160cf01aa8..455151e0e7b 100644 --- a/src/rgw/driver/motr/rgw_sal_motr.cc +++ b/src/rgw/driver/motr/rgw_sal_motr.cc @@ -3032,6 +3032,7 @@ std::unique_ptr MotrStore::get_role(std::string name, rgw_account_id account_id, std::string path, std::string trust_policy, + std::string description, std::string max_session_duration_str, std::multimap tags) { diff --git a/src/rgw/driver/motr/rgw_sal_motr.h b/src/rgw/driver/motr/rgw_sal_motr.h index 64d16824471..852becf521b 100644 --- a/src/rgw/driver/motr/rgw_sal_motr.h +++ b/src/rgw/driver/motr/rgw_sal_motr.h @@ -1061,6 +1061,7 @@ class MotrStore : public StoreDriver { rgw_account_id account_id, std::string path="", std::string trust_policy="", + std::string description="", std::string max_session_duration_str="", std::multimap tags={}) override; virtual std::unique_ptr get_role(const RGWRoleInfo& info) override; diff --git a/src/rgw/driver/rados/rgw_sal_rados.cc b/src/rgw/driver/rados/rgw_sal_rados.cc index 4aeb4b79774..51bdaa2a91a 100644 --- a/src/rgw/driver/rados/rgw_sal_rados.cc +++ b/src/rgw/driver/rados/rgw_sal_rados.cc @@ -1761,10 +1761,11 @@ std::unique_ptr RadosStore::get_role(std::string name, rgw_account_id account_id, std::string path, std::string trust_policy, + std::string description, std::string max_session_duration_str, std::multimap tags) { - return std::make_unique(this, name, tenant, std::move(account_id), path, trust_policy, max_session_duration_str, tags); + return std::make_unique(this, name, tenant, std::move(account_id), path, trust_policy, std::move(description), max_session_duration_str, tags); } std::unique_ptr RadosStore::get_role(std::string id) diff --git a/src/rgw/driver/rados/rgw_sal_rados.h b/src/rgw/driver/rados/rgw_sal_rados.h index edd977fcb33..7ba21ead5a1 100644 --- a/src/rgw/driver/rados/rgw_sal_rados.h +++ b/src/rgw/driver/rados/rgw_sal_rados.h 
@@ -329,6 +329,7 @@ class RadosStore : public StoreDriver { rgw_account_id account_id, std::string path="", std::string trust_policy="", + std::string description="", std::string max_session_duration_str="", std::multimap tags={}) override; virtual std::unique_ptr get_role(std::string id) override; @@ -1078,9 +1079,10 @@ public: rgw_account_id account_id, std::string path, std::string trust_policy, + std::string description, std::string max_session_duration, std::multimap tags) - : RGWRole(name, tenant, std::move(account_id), path, trust_policy, max_session_duration, tags), store(_store) {} + : RGWRole(name, tenant, std::move(account_id), path, trust_policy, std::move(description), max_session_duration, tags), store(_store) {} RadosRole(RadosStore* _store, std::string id) : RGWRole(id), store(_store) {} RadosRole(RadosStore* _store, const RGWRoleInfo& info) : RGWRole(info), store(_store) {} RadosRole(RadosStore* _store) : store(_store) {} diff --git a/src/rgw/rgw_admin.cc b/src/rgw/rgw_admin.cc index dabd5ec34ff..18a486567e2 100644 --- a/src/rgw/rgw_admin.cc +++ b/src/rgw/rgw_admin.cc @@ -484,6 +484,7 @@ void usage() cout << " --policy-name name of the policy document\n"; cout << " --policy-doc permission policy document\n"; cout << " --path-prefix path prefix for filtering roles\n"; + cout << " --description Role description\n"; cout << "\nMFA options:\n"; cout << " --totp-serial a string that represents the ID of a TOTP token\n"; cout << " --totp-seed the secret seed that is used to calculate the TOTP\n"; @@ -3350,6 +3351,7 @@ int main(int argc, const char **argv) std::optional opt_zonegroup_name, opt_zonegroup_id; std::string api_name; std::string role_name, path, assume_role_doc, policy_name, perm_policy_doc, path_prefix, max_session_duration; + std::string description; std::string redirect_zone; bool redirect_zone_set = false; list endpoints; 
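Review bot: The new usage line `--description Role description` breaks the lowercase style of the neighbouring entries in `usage()` (`name of the policy document`, `path prefix for filtering roles`), and it is the only one that reads as a capitalised fragment. Suggest `cout << "   --description             role description\n";` with the same column padding as the lines around it. The expected-output file src/test/cli/radosgw-admin/help.t in this patch mirrors this text verbatim, so both must change together or the CLI help test will fail.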
@@ -4005,6 +4007,8 @@ int main(int argc, const char **argv) path_prefix = val; } else if (ceph_argparse_witharg(args, i, &val, "--max-session-duration", (char*)NULL)) { max_session_duration = val; + } else if (ceph_argparse_witharg(args, i, &val, "--description", (char*)NULL)) { + description = val; } else if (ceph_argparse_witharg(args, i, &val, "--totp-serial", (char*)NULL)) { totp_serial = val; } else if (ceph_argparse_witharg(args, i, &val, "--totp-pin", (char*)NULL)) { @@ -6784,7 +6788,7 @@ int main(int argc, const char **argv) return -EINVAL; } std::unique_ptr role = driver->get_role(role_name, tenant, account_id, path, - assume_role_doc, max_session_duration); + assume_role_doc, description, max_session_duration); ret = role->create(dpp(), true, "", null_yield); if (ret < 0) { return -ret; diff --git a/src/rgw/rgw_rest_role.cc b/src/rgw/rgw_rest_role.cc index f8cf22d00a7..0e338bc63a0 100644 --- a/src/rgw/rgw_rest_role.cc +++ b/src/rgw/rgw_rest_role.cc @@ -47,6 +47,7 @@ static void dump_iam_role(const rgw::sal::RGWRoleInfo& role, Formatter *f) encode_json("Path", role.path, f); encode_json("Arn", role.arn, f); encode_json("CreateDate", role.creation_date, f); + encode_json("Description", role.description, f); encode_json("MaxSessionDuration", role.max_session_duration, f); encode_json("AssumeRolePolicyDocument", role.trust_policy, f); } @@ -183,6 +184,7 @@ int RGWCreateRole::init_processing(optional_yield y) } trust_policy = s->info.args.get("AssumeRolePolicyDocument"); + description = s->info.args.get("Description"); max_session_duration = s->info.args.get("MaxSessionDuration"); if (trust_policy.empty()) { 
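Review bot: At the `driver->get_role(role_name, tenant, account_id, path, assume_role_doc, description, max_session_duration)` call, `description` is taken straight from `--description` with no length check, while the REST path in rgw_rest_role.cc rejects descriptions longer than 1000 with `-EINVAL`; a role created through radosgw-admin can therefore carry a description the REST API would never accept, and the two entry points disagree on what a valid role is. Either validate here before the call, e.g. `if (description.size() > 1000) { cerr << "ERROR: description exceeds 1000 characters" << std::endl; return -EINVAL; }`, or move the check into RGWRole itself so every caller gets it. The `main()` this sits in starts and ends outside the hunk, so it is not visible whether `role modify` is also meant to accept `--description`; if so, that path is not wired up in this patch.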
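Review bot: In `dump_iam_role`, `encode_json("Description", role.description, f);` emits the key unconditionally, so roles that were never given a description (including every role that predates this change) will now return `Description: ""` from GetRole/ListRoles rather than omitting the element as the reference API does. Clients that treat the presence of the element as "a description was set" may behave differently; consider `if (!role.description.empty()) encode_json("Description", role.description, f);` if omission is the intended semantics, or document in a comment above the call that an empty string is deliberately returned.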
@@ -196,10 +198,14 @@ int RGWCreateRole::init_processing(optional_yield y) s->cct->_conf.get_val("rgw_policy_reject_invalid_principals")); } catch (rgw::IAM::PolicyParseException& e) { - ldpp_dout(this, 5) << "failed to parse policy: " << e.what() << dendl; + ldpp_dout(this, 5) << "failed to parse policy '" << trust_policy << "' with: " << e.what() << dendl; s->err.message = e.what(); return -ERR_MALFORMED_DOC; } + if (description.size() > 1000) { + s->err.message = "Description exceeds maximum length of 1000 characters."; + return -EINVAL; + } int ret = parse_tags(this, s->info.args.get_params(), tags, s->err.message); if (ret < 0) { @@ -234,6 +240,7 @@ void RGWCreateRole::execute(optional_yield y) account_id, role_path, trust_policy, + description, max_session_duration, tags); if (!user_tenant.empty() && role->get_tenant() != user_tenant) { @@ -895,6 +902,12 @@ int RGWUpdateRole::init_processing(optional_yield y) return -EINVAL; } + description = s->info.args.get_optional("Description"); + if (description && description->size() > 1000) { + s->err.message = "Description exceeds maximum length of 1000 characters."; + return -EINVAL; + } + max_session_duration = s->info.args.get("MaxSessionDuration"); return load_role(this, y, driver, s->owner.id, account_id, @@ -927,6 +940,9 @@ void RGWUpdateRole::execute(optional_yield y) } } + if (description) { + role->get_info().description = std::move(*description); + } role->update_max_session_duration(max_session_duration); if (!role->validate_max_session_duration(this)) { op_ret = -EINVAL; diff --git a/src/rgw/rgw_rest_role.h b/src/rgw/rgw_rest_role.h index be8f80b53ae..bc3897acfcd 100644 --- a/src/rgw/rgw_rest_role.h +++ b/src/rgw/rgw_rest_role.h @@ -3,6 +3,7 @@ #pragma once +#include #include "common/async/yield_context.h" #include "rgw_arn.h" 
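Review bot: The limit in `if (description.size() > 1000)` is a bare magic number duplicated in RGWCreateRole::init_processing and again in RGWUpdateRole::init_processing in the hunk at `@@ -895`, and `size()` counts bytes while the error text promises "1000 characters", so a multi-byte UTF-8 description that is well under 1000 characters can be rejected. Suggest a single named constant shared by both checks, e.g. `static constexpr size_t MAX_ROLE_DESCRIPTION_BYTES = 1000;`, and either wording the message as bytes or documenting with a comment such as `// length is enforced on the UTF-8 byte count, not on code points` so the behaviour is explicit. Both enclosing functions start outside their hunks.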
@@ -27,6 +28,7 @@ class RGWCreateRole : public RGWRestRole { std::string role_name; std::string role_path; std::string trust_policy; + std::string description; std::string max_session_duration; std::multimap tags; public: @@ -192,6 +194,7 @@ public: class RGWUpdateRole : public RGWRestRole { bufferlist bl_post_body; std::string role_name; + boost::optional description; std::string max_session_duration; std::unique_ptr role; public: diff --git a/src/rgw/rgw_role.cc b/src/rgw/rgw_role.cc index 1f7648e690f..c5116398788 100644 --- a/src/rgw/rgw_role.cc +++ b/src/rgw/rgw_role.cc @@ -50,6 +50,7 @@ void RGWRoleInfo::dump(Formatter *f) const encode_json("Path", path, f); encode_json("Arn", arn, f); encode_json("CreateDate", creation_date, f); + encode_json("Description", description, f); encode_json("MaxSessionDuration", max_session_duration, f); encode_json("AssumeRolePolicyDocument", trust_policy, f); encode_json("AccountId", account_id, f); @@ -82,6 +83,7 @@ void RGWRoleInfo::decode_json(JSONObj *obj) JSONDecoder::decode_json("Path", path, obj); JSONDecoder::decode_json("Arn", arn, obj); JSONDecoder::decode_json("CreateDate", creation_date, obj); + JSONDecoder::decode_json("Description", description, obj); JSONDecoder::decode_json("MaxSessionDuration", max_session_duration, obj); JSONDecoder::decode_json("AssumeRolePolicyDocument", trust_policy, obj); JSONDecoder::decode_json("AccountId", account_id, obj); @@ -123,6 +125,7 @@ RGWRole::RGWRole(std::string name, rgw_account_id account_id, std::string path, std::string trust_policy, + std::string description, std::string max_session_duration_str, std::multimap tags) { @@ -135,6 +138,7 @@ RGWRole::RGWRole(std::string name, if (this->info.path.empty()) this->info.path = "/"; extract_name_tenant(this->info.name); + info.description = std::move(description); if (max_session_duration_str.empty()) { info.max_session_duration = SESSION_DURATION_MIN; } else { 
diff --git a/src/rgw/rgw_role.h b/src/rgw/rgw_role.h index 90a4a6a3128..3b5fa039f52 100644 --- a/src/rgw/rgw_role.h +++ b/src/rgw/rgw_role.h @@ -25,7 +25,8 @@ struct RGWRoleInfo std::string trust_policy; std::map perm_policy_map; std::string tenant; - uint64_t max_session_duration; + std::string description; + uint64_t max_session_duration = 0; std::multimap tags; std::map attrs; RGWObjVersionTracker objv_tracker; @@ -48,6 +49,7 @@ struct RGWRoleInfo encode(tenant, bl); encode(max_session_duration, bl); encode(account_id, bl); + encode(description, bl); ENCODE_FINISH(bl); } @@ -68,6 +70,7 @@ struct RGWRoleInfo } if (struct_v >= 4) { decode(account_id, bl); + decode(description, bl); } DECODE_FINISH(bl); } @@ -106,6 +109,7 @@ public: rgw_account_id account_id, std::string path="", std::string trust_policy="", + std::string description="", std::string max_session_duration_str="", std::multimap tags={}); diff --git a/src/rgw/rgw_sal.h b/src/rgw/rgw_sal.h index fd0bb5bdade..b453e9881fa 100644 --- a/src/rgw/rgw_sal.h +++ b/src/rgw/rgw_sal.h @@ -562,6 +562,7 @@ class Driver { rgw_account_id account_id, std::string path="", std::string trust_policy="", + std::string description="", std::string max_session_duration_str="", std::multimap tags={}) = 0; /** Get an IAM Role by ID */ diff --git a/src/rgw/rgw_sal_dbstore.cc b/src/rgw/rgw_sal_dbstore.cc index d10b1652c43..e1175c86a25 100644 --- a/src/rgw/rgw_sal_dbstore.cc +++ b/src/rgw/rgw_sal_dbstore.cc @@ -1393,6 +1393,7 @@ namespace rgw::sal { rgw_account_id account_id, std::string path, std::string trust_policy, + std::string description, std::string max_session_duration_str, std::multimap tags) { diff --git a/src/rgw/rgw_sal_dbstore.h b/src/rgw/rgw_sal_dbstore.h index 4df5a55b975..d645a1a8477 100644 --- a/src/rgw/rgw_sal_dbstore.h +++ b/src/rgw/rgw_sal_dbstore.h 
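Review bot: In `RGWRoleInfo::decode`, the new `decode(description, bl);` is placed inside the existing `if (struct_v >= 4)` branch immediately after `decode(account_id, bl);`, and `encode` appends `encode(description, bl);` without any visible version bump (the `ENCODE_START`/`DECODE_START` lines are outside the hunk). If any RGWRoleInfo has already been persisted at struct_v 4 without a description field, decoding it with this code will run off the end of the buffer and throw rather than yield an empty description. Unless it is certain that version 4 has never been written to storage, bump the encoding version and guard the new field separately, e.g. `if (struct_v >= 5) { decode(description, bl); }`, and say so in a comment next to the version change.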
@@ -902,6 +902,7 @@ public: rgw_account_id account_id, std::string path="", std::string trust_policy="", + std::string description="", std::string max_session_duration_str="", std::multimap tags={}) override; virtual std::unique_ptr get_role(std::string id) override; diff --git a/src/rgw/rgw_sal_filter.cc b/src/rgw/rgw_sal_filter.cc index 0485ad96a12..039734ea589 100644 --- a/src/rgw/rgw_sal_filter.cc +++ b/src/rgw/rgw_sal_filter.cc @@ -546,10 +546,11 @@ std::unique_ptr FilterDriver::get_role(std::string name, rgw_account_id account_id, std::string path, std::string trust_policy, + std::string description, std::string max_session_duration_str, std::multimap tags) { - return next->get_role(name, tenant, std::move(account_id), path, trust_policy, max_session_duration_str, tags); + return next->get_role(name, tenant, std::move(account_id), path, trust_policy, std::move(description), max_session_duration_str, tags); } std::unique_ptr FilterDriver::get_role(std::string id) diff --git a/src/rgw/rgw_sal_filter.h b/src/rgw/rgw_sal_filter.h index 39bb1af10f7..be04a7a0acb 100644 --- a/src/rgw/rgw_sal_filter.h +++ b/src/rgw/rgw_sal_filter.h @@ -387,8 +387,8 @@ public: rgw_account_id account_id, std::string path="", std::string trust_policy="", - std::string - max_session_duration_str="", + std::string description="", + std::string max_session_duration_str="", std::multimap tags={}) override; virtual std::unique_ptr get_role(std::string id) override; virtual std::unique_ptr get_role(const RGWRoleInfo& info) override; diff --git a/src/test/cli/radosgw-admin/help.t b/src/test/cli/radosgw-admin/help.t index 9110cf03290..46fb15c8146 100644 --- a/src/test/cli/radosgw-admin/help.t +++ b/src/test/cli/radosgw-admin/help.t @@ -356,6 +356,7 @@ --policy-name name of the policy document --policy-doc permission policy document --path-prefix path prefix for filtering roles + --description Role description MFA options: --totp-serial a string that represents the ID of a TOTP token