From: Pritha Srivastava
Date: Thu, 3 Jun 2021 10:03:03 +0000 (+0530)
Subject: rgw/sts: code to add role tags as aws:PrincipalTags and
X-Git-Tag: v17.1.0~969^2~7
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=58f1bb65bec5c7af2769732ca8748f2943242fb2;p=ceph.git
rgw/sts: code to add role tags as aws:PrincipalTags and iam:ResourceTags.
Signed-off-by: Pritha Srivastava
---
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index ea4f9ffd2e772..78d9ee5272b8f 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -482,6 +482,20 @@ void rgw::auth::WebIdentityApplier::modify_request_state(const DoutPrefixProvide
 }
 }
 }
+
+ if (role_tags) {
+ for (auto& it : role_tags.get()) {
+ std::string p_key = "aws:PrincipalTag/";
+ p_key.append(it.first);
+ s->principal_tags.emplace_back(std::make_pair(p_key, it.second));
+ ldpp_dout(dpp, 10) << "Principal Tag Key: " << p_key << " Value: " << it.second << dendl;
+
+ std::string e_key = "iam:ResourceTag/";
+ e_key.append(it.first);
+ s->env.emplace(e_key, it.second);
+ ldpp_dout(dpp, 10) << "RGW Env Tag Key: " << e_key << " Value: " << it.second << dendl;
+ }
+ }
 }
 bool rgw::auth::WebIdentityApplier::is_identity(const idset_t& ids) const
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index 82403fad8d4ab..c31e734a17bb3 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -375,6 +375,7 @@ protected:
 std::string role_session;
 std::string role_tenant;
 std::unordered_multimap token_claims;
+ boost::optional> role_tags;
 boost::optional>> principal_tags;
 std::string get_idp_url() const;
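Review bot: The role tags are appended to `s->principal_tags` and `s->env` without checking whether the key is already present, so a role tag and a session tag with the same key both land as `aws:PrincipalTag/<key>` entries and which value a policy condition sees depends on how the consumer walks the vector (AWS gives the session tag precedence on a clash), while for `s->env` the result of `emplace` on a duplicate key depends on whether `env` is a map, which silently keeps the first value, or a multimap, which keeps both. If the token's session tags are pushed in the block that closes just above this hunk, skip a role tag whose key is already there, e.g. `if (std::any_of(s->principal_tags.begin(), s->principal_tags.end(), [&](const auto& t) { return t.first == p_key; })) continue;` (needs `<algorithm>`), and state the intended precedence in a comment such as `// role tags are inherited by the session; a session tag with the same key wins`. It is also worth a comment that the `iam:ResourceTag/` entries describe the assumed role rather than the bucket or object a later request touches, since anything evaluated against `s->env` for this request will see them. modify_request_state starts outside the hunk.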
@@ -389,12 +390,14 @@ public:
 const std::string& role_session,
 const std::string& role_tenant,
 const std::unordered_multimap& token_claims,
+ boost::optional> role_tags,
 boost::optional>> principal_tags)
 : cct(cct),
 store(store),
 role_session(role_session),
 role_tenant(role_tenant),
 token_claims(token_claims),
+ role_tags(role_tags),
 principal_tags(principal_tags) {
 const auto& sub = token_claims.find("sub");
 if(sub != token_claims.end()) {
@@ -479,6 +482,7 @@ public:
 const std::string& role_session,
 const std::string& role_tenant,
 const std::unordered_multimap& token,
+ boost::optional>,
 boost::optional>> principal_tags) const = 0;
 };
 };
@@ -718,7 +722,7 @@ public:
 }
 bool is_identity(const idset_t& ids) const override;
 uint32_t get_perm_mask() const override {
- return RGW_PERM_NONE;
+ return RGW_PERM_NONE;
 }
 void to_str(std::ostream& out) const override;
 void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc
index 388fffd6ab4cd..3e623e299d00f 100644
--- a/src/rgw/rgw_rest_sts.cc
+++ b/src/rgw/rgw_rest_sts.cc
@@ -62,6 +62,23 @@ WebTokenEngine::get_role_tenant(const string& role_arn) const
 return tenant;
 }
+std::string
+WebTokenEngine::get_role_name(const string& role_arn) const
+{
+ string role_name;
+ auto r_arn = rgw::ARN::parse(role_arn);
+ if (r_arn) {
+ role_name = r_arn->resource;
+ }
+ if (!role_name.empty()) {
+ auto pos = role_name.find_last_of('/');
+ if(pos != string::npos) {
+ role_name = role_name.substr(pos + 1);
+ }
+ }
+ return role_name;
+}
+
 std::unique_ptr
 WebTokenEngine::get_provider(const DoutPrefixProvider *dpp, const string& role_arn, const string& iss) const
 {
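Review bot: `role_tags(role_tags)` copies the optional multimap that the constructor already received by value; the parameter is a sink, so `role_tags(std::move(role_tags))` avoids the second copy, and the neighbouring `principal_tags(principal_tags)` has the same shape. The constructor's opening line and the `cct`/`store` parameters lie outside the hunk.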
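Review bot: The new optional parameter of the pure virtual `create_apl_web_identity` is left unnamed while every neighbouring parameter carries a name, so a reader of the interface cannot tell what the optional holds. Name it `role_tags` to match the override in rgw_rest_sts.h and the constructor it feeds, and consider a one-line comment on the declaration such as `// role_tags: tags attached to the assumed role; principal_tags: session tags from the token`. The declaration's first parameters are outside the hunk.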
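Review bot: `get_role_name` takes the last path segment of whatever resource the ARN carries without checking that the resource is a role (`role/...`) or that the ARN parsed at all, so an ARN such as `arn:aws:iam::tenant:user/alice` yields `alice` and an unparsable RoleArn yields an empty string that the caller then hands to `store->get_role`. Reject both up front, e.g. `if (!r_arn || r_arn->resource.rfind("role/", 0) != 0) return {};` (assuming `resource` is a `std::string`, as its assignment to `role_name` suggests), and let the caller treat an empty name as a denial. A header comment along the lines of `// Extracts the bare role name from an IAM role ARN (arn:aws:iam::<tenant>:role[/<path>]/<name>); returns "" when the ARN is not a role ARN` would document the contract.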
@@ -472,7 +489,15 @@ WebTokenEngine::authenticate( const DoutPrefixProvider* dpp,
 }
 string role_arn = s->info.args.get("RoleArn");
 string role_tenant = get_role_tenant(role_arn);
- auto apl = apl_factory->create_apl_web_identity(cct, s, role_session, role_tenant, *t, princ_tags);
+ string role_name = get_role_name(role_arn);
+ std::unique_ptr role = store->get_role(role_name, role_tenant);
+ int ret = role->get(dpp, y);
+ if (ret < 0) {
+ ldpp_dout(dpp, 0) << "Role not found: name:" << role_name << " tenant: " << role_tenant << dendl;
+ return result_t::deny(-EACCES);
+ }
+ boost::optional> role_tags = role->get_tags();
+ auto apl = apl_factory->create_apl_web_identity(cct, s, role_session, role_tenant, *t, role_tags, princ_tags);
+ return result_t::grant(std::move(apl));
 }
 return result_t::deny(-EACCES);
diff --git a/src/rgw/rgw_rest_sts.h b/src/rgw/rgw_rest_sts.h
index 576e1f859669e..754b292616ed9 100644
--- a/src/rgw/rgw_rest_sts.h
+++ b/src/rgw/rgw_rest_sts.h
@@ -36,8 +36,10 @@ class WebTokenEngine : public rgw::auth::Engine {
 std::string get_role_tenant(const std::string& role_arn) const;
- std::string get_cert_url(const std::string& iss, const DoutPrefixProvider *dpp,optional_yield y) const;
+ std::string get_role_name(const string& role_arn) const;
+ std::string get_cert_url(const std::string& iss, const DoutPrefixProvider *dpp,optional_yield y) const;
+ std::tuple, boost::optional> get_from_jwt(const DoutPrefixProvider* dpp, const std::string& token, const req_state* const s, optional_yield y) const;
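Review bot: Every negative return from `role->get(dpp, y)` is logged as "Role not found" and turned into `-EACCES`, so a transient backend failure while loading the role object is recorded as a missing role with no error code to tell the two apart, which hurts both debugging and security auditing; include the code, e.g. `ldpp_dout(dpp, 0) << "Failed to load role " << role_name << " in tenant " << role_tenant << ": ret=" << ret << dendl;`, and reserve the not-found wording for the not-found case. Answering the client with `-EACCES` in both cases is reasonable since it does not reveal whether the role exists, but an empty `role_name` from `get_role_name` (unparsable or non-role ARN) reaches `store->get_role` unchecked and, if `get_role` can return a null pointer for such input, `role->get` dereferences it before the `ret` check; a guard `if (role_name.empty()) return result_t::deny(-EACCES);` ahead of the lookup closes that. `authenticate` begins outside the hunk.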
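Review bot: The new declaration spells its parameter as an unqualified `string` (`get_role_name(const string& role_arn)`) while the adjacent declarations in the same class use `std::string`; in a header this presumably compiles only because a `using` directive is already in scope, and it reads as inconsistent. Write `std::string get_role_name(const std::string& role_arn) const;` here; the definition in rgw_rest_sts.cc can stay as it is since the signatures are equivalent. The class body continues outside the hunk.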
@@ -91,10 +93,11 @@ class DefaultStrategy : public rgw::auth::Strategy,
 const req_state* s,
 const std::string& role_session,
 const std::string& role_tenant,
- const std::unordered_multimap& token,
+ const std::unordered_multimap& token,
+ boost::optional> role_tags,
 boost::optional>> principal_tags) const override {
 auto apl = rgw::auth::add_sysreq(cct, store, s,
- rgw::auth::WebIdentityApplier(cct, store, role_session, role_tenant, token, principal_tags));
+ rgw::auth::WebIdentityApplier(cct, store, role_session, role_tenant, token, role_tags, principal_tags));
 return aplptr_t(new decltype(apl)(std::move(apl)));
 }
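Review bot: `role_tags` is received by value and then passed by value into `rgw::auth::WebIdentityApplier`, so the optional multimap is copied again on every authentication although the override does not use it afterwards; pass `std::move(role_tags)` (and `std::move(principal_tags)` for the existing parameter, which has the same shape). The override's signature begins outside the hunk.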