From: Radoslaw Zarzynski
Date: Fri, 21 Jul 2017 14:31:25 +0000 (-0400)
Subject: rgw: move the S3 anonymous auth handling to a dedicated engine.
X-Git-Tag: v12.1.3~144^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=529a951d1c9d336c573cefa5d8c6e24af2af4770;p=ceph-ci.git

rgw: move the S3 anonymous auth handling to a dedicated engine.

Signed-off-by: Radoslaw Zarzynski
---
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index a8c0ec86ad5..65a8b034f97 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -528,9 +528,9 @@ rgw::auth::AnonymousEngine::authenticate(const req_state* const s) const
 RGWUserInfo user_info;
 rgw_get_anon_user(user_info);
- // FIXME: over 80 columns
- auto apl = apl_factory->create_apl_local(cct, s, user_info,
- rgw::auth::LocalApplier::NO_SUBUSER);
+ auto apl = \
+ apl_factory->create_apl_local(cct, s, user_info,
+ rgw::auth::LocalApplier::NO_SUBUSER);
 return result_t::grant(std::move(apl));
 }
 }
diff --git a/src/rgw/rgw_auth_registry.h b/src/rgw/rgw_auth_registry.h
index 2b918f4fc3d..08a93c73dac 100644
--- a/src/rgw/rgw_auth_registry.h
+++ b/src/rgw/rgw_auth_registry.h
@@ -21,14 +21,16 @@ namespace auth {
 /* A class aggregating the knowledge about all Strategies in RadosGW. It is
 * responsible for handling the dynamic reconfiguration on e.g. realm update. */
 class StrategyRegistry {
- template
- using s3_strategy_t = rgw::auth::s3::AWSAuthStrategy;
+ template
+ using s3_strategy_t = \
+ rgw::auth::s3::AWSAuthStrategy;
 struct s3_main_strategy_t : public Strategy {
 using s3_main_strategy_plain_t = \
- s3_strategy_t;
+ s3_strategy_t;
 using s3_main_strategy_boto2_t = \
- s3_strategy_t;
+ s3_strategy_t;
 s3_main_strategy_plain_t s3_main_strategy_plain;
 s3_main_strategy_boto2_t s3_main_strategy_boto2;
diff --git a/src/rgw/rgw_auth_s3.h b/src/rgw/rgw_auth_s3.h
index d82fd7b0220..9369864259f 100644
--- a/src/rgw/rgw_auth_s3.h
+++ b/src/rgw/rgw_auth_s3.h
@@ -80,7 +80,8 @@ public:
 };
-template
+template
 class AWSAuthStrategy : public rgw::auth::Strategy,
 public rgw::auth::LocalApplier::Factory {
 typedef rgw::auth::IdentityApplier::aplptr_t aplptr_t;
@@ -92,6 +93,7 @@ class AWSAuthStrategy : public rgw::auth::Strategy,
 RGWRados* const store;
 AbstractorT ver_abstractor;
+ S3AnonymousEngine anonymous_engine;
 ExternalAuthStrategy external_engines;
 LocalEngine local_engine;
@@ -110,10 +112,17 @@ public:
 RGWRados* const store)
 : store(store),
 ver_abstractor(cct),
+ anonymous_engine(cct,
+ static_cast(this)),
 external_engines(cct, store, &ver_abstractor),
 local_engine(cct, store, ver_abstractor,
 static_cast(this)) {
+ /* The anynoymous auth. */
+ if (AllowAnonAccessT) {
+ add_engine(Control::SUFFICIENT, anonymous_engine);
+ }
+ /* The external auth. */
 Control local_engine_mode;
 if (! external_engines.is_empty()) {
 add_engine(Control::SUFFICIENT, external_engines);
@@ -123,6 +132,7 @@ public:
 local_engine_mode = Control::SUFFICIENT;
 }
+ /* The local auth. */
 if (cct->_conf->rgw_s3_auth_use_rados) {
 add_engine(local_engine_mode, local_engine);
 }
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 1a8af240f9f..d277f9c963a 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
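Review bot: In the AWSAuthStrategy constructor hunk of src/rgw/rgw_auth_s3.h (`@@ -110,10 +112,17 @@`), the new comment `/* The anynoymous auth. */` is misspelled and does not say why this engine is registered ahead of the others. Because it is added with `Control::SUFFICIENT` before `external_engines` and `local_engine`, a request that its `is_applicable()` accepts is presumably granted the anonymous identity without the credential-checking engines being consulted, so the ordering is security-relevant. I would write `/* The anonymous auth. Registered first as SUFFICIENT: whatever is_applicable() accepts is served as the anonymous user. */` so that a later change to the engine list or to `is_applicable()` is reviewed with that in mind. The constructor's signature starts above this hunk.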
@@ -3324,32 +3324,6 @@ int RGW_Auth_S3::authorize(RGWRados* const store,
 return -EPERM;
 }
- if (s->op == OP_OPTIONS) {
- init_anon_user(s);
- return 0;
- }
-
- AwsVersion version;
- AwsRoute route;
- std::tie(version, route) = discover_aws_flavour(s->info);
-
- if (route == AwsRoute::QUERY_STRING && version == AwsVersion::UNKOWN) {
- /* FIXME(rzarzynski): handle anon user. */
- init_anon_user(const_cast(s));
- return 0;
- }
-
- return authorize_v2(store, auth_registry, s);
-}
-
-
-/*
- * handle v2 signatures
- */
-int RGW_Auth_S3::authorize_v2(RGWRados* const store,
- const rgw::auth::StrategyRegistry& auth_registry,
- struct req_state* const s)
-{
 const auto ret = rgw::auth::Strategy::apply(auth_registry.get_s3_main(), s);
 if (ret == 0) {
 /* Populate the owner info. */
@@ -4185,3 +4159,17 @@ rgw::auth::s3::LocalEngine::authenticate(
 auto apl = apl_factory->create_apl_local(cct, s, user_info, k.subuser);
 return result_t::grant(std::move(apl), completer_factory(k.key));
 }
+
+bool rgw::auth::s3::S3AnonymousEngine::is_applicable(
+ const req_state* s
+) const noexcept {
+ if (s->op == OP_OPTIONS) {
+ return true;
+ }
+
+ AwsVersion version;
+ AwsRoute route;
+ std::tie(version, route) = discover_aws_flavour(s->info);
+
+ return route == AwsRoute::QUERY_STRING && version == AwsVersion::UNKOWN;
+}
diff --git a/src/rgw/rgw_rest_s3.h b/src/rgw/rgw_rest_s3.h
index 75615b9b868..d0aa098fa1b 100644
--- a/src/rgw/rgw_rest_s3.h
+++ b/src/rgw/rgw_rest_s3.h
@@ -470,10 +470,6 @@ public:
 };
 class RGW_Auth_S3 {
-private:
- static int authorize_v2(RGWRados *store,
- const rgw::auth::StrategyRegistry& auth_registry,
- struct req_state *s);
 public:
 static int authorize(RGWRados *store,
 const rgw::auth::StrategyRegistry& auth_registry,
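Review bot: `S3AnonymousEngine::is_applicable` in src/rgw/rgw_rest_s3.cc (hunk `@@ -4185,3 +4159,17 @@`) is declared `noexcept` but calls `discover_aws_flavour(s->info)` on client-supplied request data; if that helper can throw (its body is not part of this diff), a single request would end in `std::terminate` rather than in an authentication failure. Either confirm the helper is non-throwing or fail closed inside the function, e.g. `try { std::tie(version, route) = discover_aws_flavour(s->info); } catch (...) { return false; }`, so the request falls through to the remaining engines. The final `return` would also benefit from a one-line comment saying what `AwsRoute::QUERY_STRING` together with `AwsVersion::UNKOWN` stands for, since the removed code only carried a FIXME at that spot and this condition now decides which requests are served without credentials.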
@@ -887,6 +883,19 @@ public:
 };
+class S3AnonymousEngine : public rgw::auth::AnonymousEngine {
+ bool is_applicable(const req_state* s) const noexcept override;
+
+public:
+ /* Let's reuse the parent class' constructor. */
+ using rgw::auth::AnonymousEngine::AnonymousEngine;
+
+ const char* get_name() const noexcept override {
+ return "rgw::auth::s3::S3AnonymousEngine";
+ }
+};
+
+
 class S3AuthFactory : public rgw::auth::RemoteApplier::Factory,
 public rgw::auth::LocalApplier::Factory {
 typedef rgw::auth::IdentityApplier::aplptr_t aplptr_t;
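Review bot: `S3AnonymousEngine` (src/rgw/rgw_rest_s3.h, hunk `@@ -887,6 +883,19 @@`) is introduced without a comment saying which requests it accepts, and that rule is defined in a different file. I would put above the class `/* Anonymous engine for S3. is_applicable() accepts OPTIONS requests and requests for which discover_aws_flavour() reports QUERY_STRING with an unknown version; see rgw_rest_s3.cc. */`. Since the answer decides whether a request is served without credentials, keeping it next to the declaration makes an accidental widening of the rule easier to spot in review.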