From: Yehuda Sadeh
Date: Thu, 9 Jan 2014 18:35:53 +0000 (-0800)
Subject: rgw: support multiple temp url keys
X-Git-Tag: v0.78~333^2~2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=7ccb513c1965ae9a33bc2cdb4cb9622b4f9133af;p=ceph.git
rgw: support multiple temp url keys
Apparently the swift api defines two temp url keys. Add internal support for multiple keys, radosgw-admin can config two keys.
Signed-off-by: Yehuda Sadeh
---
diff --git a/src/rgw/rgw_admin.cc b/src/rgw/rgw_admin.cc
index 17589730ef92..11f844497a79 100644
--- a/src/rgw/rgw_admin.cc
+++ b/src/rgw/rgw_admin.cc
@@ -744,7 +744,7 @@ int main(int argc, char **argv)
 int gen_secret_key = 0;
 bool set_perm = false;
 bool set_temp_url_key = false;
- string temp_url_key;
+ map temp_url_keys;
 string bucket_id;
 Formatter *formatter = NULL;
 int purge_data = false;
@@ -889,7 +889,10 @@ int main(int argc, char **argv)
 perm_mask = rgw_str_to_perm(access.c_str());
 set_perm = true;
 } else if (ceph_argparse_witharg(args, i, &val, "--temp-url-key", (char*)NULL)) {
- temp_url_key = val;
+ temp_url_keys[0] = val;
+ set_temp_url_key = true;
+ } else if (ceph_argparse_witharg(args, i, &val, "--temp-url-key2", "--temp-url-key-2", (char*)NULL)) {
+ temp_url_keys[1] = val;
 set_temp_url_key = true;
 } else if (ceph_argparse_witharg(args, i, &val, "--bucket-id", (char*)NULL)) {
 bucket_id = val;
@@ -1268,8 +1271,12 @@ int main(int argc, char **argv)
 if (set_perm)
 user_op.set_perm(perm_mask);
- if (set_temp_url_key)
- user_op.set_temp_url_key(temp_url_key);
+ if (set_temp_url_key) {
+ map::iterator iter = temp_url_keys.begin();
+ for (; iter != temp_url_keys.end(); ++iter) {
+ user_op.set_temp_url_key(iter->second, iter->first);
+ }
+ }
 if (!op_mask_str.empty()) {
 uint32_t op_mask;
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 7039f39b7432..f255b86a6263 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
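Review bot: The slot numbers in `temp_url_keys[0] = val;` and `temp_url_keys[1] = val;` are the only thing tying `--temp-url-key` to the first swift key and `--temp-url-key2` to the second, and the same integers are later persisted through `user_op.set_temp_url_key(iter->second, iter->first)` and iterated by the swift authentication loop, yet nothing records that contract. A line at the first assignment such as `// slot 0: primary temp url key, slot 1: secondary (--temp-url-key2); the slot index is stored with the user` would make it explicit. Note also that an empty value is stored as-is, so `--temp-url-key2 ""` is the command-line way to retire a key; the usage text for these options is outside this hunk and should say so if that is the intended mechanism.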
@@ -434,7 +434,7 @@ struct RGWUserInfo
 string default_placement;
 list placement_tags;
 RGWQuotaInfo bucket_quota;
- string temp_url_key;
+ map temp_url_keys;
 RGWUserInfo() : auid(0), suspended(0), max_buckets(RGW_DEFAULT_MAX_BUCKETS), op_mask(RGW_OP_TYPE_ALL), system(0) {}
@@ -475,7 +475,7 @@ struct RGWUserInfo
 ::encode(default_placement, bl);
 ::encode(placement_tags, bl);
 ::encode(bucket_quota, bl);
- ::encode(temp_url_key, bl);
+ ::encode(temp_url_keys, bl);
 ENCODE_FINISH(bl);
 }
 void decode(bufferlist::iterator& bl) {
@@ -536,7 +536,7 @@ struct RGWUserInfo
 ::decode(bucket_quota, bl);
 }
 if (struct_v >= 15) {
- ::decode(temp_url_key, bl);
+ ::decode(temp_url_keys, bl);
 }
 DECODE_FINISH(bl);
 }
diff --git a/src/rgw/rgw_json_enc.cc b/src/rgw/rgw_json_enc.cc
index e55e5fed9ce0..720b461a6872 100644
--- a/src/rgw/rgw_json_enc.cc
+++ b/src/rgw/rgw_json_enc.cc
@@ -397,7 +397,7 @@ void RGWUserInfo::dump(Formatter *f) const
 encode_json("default_placement", default_placement, f);
 encode_json("placement_tags", placement_tags, f);
 encode_json("bucket_quota", bucket_quota, f);
- encode_json("temp_url_key", temp_url_key, f);
+ encode_json("temp_url_keys", temp_url_keys, f);
 }
@@ -449,7 +449,7 @@ void RGWUserInfo::decode_json(JSONObj *obj)
 JSONDecoder::decode_json("default_placement", default_placement, obj);
 JSONDecoder::decode_json("placement_tags", placement_tags, obj);
 JSONDecoder::decode_json("bucket_quota", bucket_quota, obj);
- JSONDecoder::decode_json("temp_url_key", temp_url_key, obj);
+ JSONDecoder::decode_json("temp_url_keys", temp_url_keys, obj);
 }
 void RGWQuotaInfo::dump(Formatter *f) const
diff --git a/src/rgw/rgw_swift.cc b/src/rgw/rgw_swift.cc
index 3ad422c96327..1ae8f94d7f58 100644
--- a/src/rgw/rgw_swift.cc
+++ b/src/rgw/rgw_swift.cc
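Review bot: `if (struct_v >= 15) { ::decode(temp_url_keys, bl); }` reads a map behind the same version gate that, before this commit, held a single string, so a user record already stored at struct_v 15 with a `temp_url_key` will be misread when decoded as a map, most likely as a decode exception or bogus slots; the ENCODE_START version is outside these hunks and nothing in the diff raises it. The safe shape is to bump the encoder version and keep a migration branch that moves the single old key into slot 0 (version 16 below is a constructed example, use whatever the bump actually becomes). The encode hunk at line 475 is the other half of the same layout change and needs the bump as well.

```cpp
    if (struct_v == 15) {
      // layout before multiple keys: one string, migrated into slot 0
      string old_key;
      ::decode(old_key, bl);
      if (!old_key.empty())
        temp_url_keys[0] = old_key;
    } else if (struct_v >= 16) {  // constructed: the bumped version
      ::decode(temp_url_keys, bl);
    }
    DECODE_FINISH(bl);
```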
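Review bot: `JSONDecoder::decode_json("temp_url_keys", temp_url_keys, obj);` accepts only the new key name, so user JSON produced before this change (an older user info dump fed back through the admin metadata path, for instance) that still carries `temp_url_key` is silently dropped on import. A fallback that reads the old name into slot 0 when present keeps that input valid, e.g. `string old_key; JSONDecoder::decode_json("temp_url_key", old_key, obj); if (!old_key.empty()) temp_url_keys[0] = old_key;` placed after the new decode line. The dump side at line 397 need not change; only the reader has to tolerate both spellings.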
@@ -551,7 +551,7 @@ int authenticate_temp_url(RGWRados *store, req_state *s)
 return -EPERM;
 }
- if (s->user.temp_url_key.empty()) {
+ if (s->user.temp_url_keys.empty()) {
 dout(5) << "user does not have temp url key set, aborting" << dendl;
 return -EPERM;
 }
@@ -578,20 +578,30 @@ int authenticate_temp_url(RGWRados *store, req_state *s)
 string str = string(s->info.method) + "\n" + temp_url_expires + "\n" + object_path;
 dout(20) << "temp url signature (plain text): " << str << dendl;
- char dest[CEPH_CRYPTO_HMACSHA1_DIGESTSIZE];
- calc_hmac_sha1(s->user.temp_url_key.c_str(), s->user.temp_url_key.size(),
- str.c_str(), str.size(), dest);
- char dest_str[CEPH_CRYPTO_HMACSHA1_DIGESTSIZE * 2 + 1];
- buf_to_hex((const unsigned char *)dest, sizeof(dest), dest_str);
- dout(20) << "temp url signature (calculated): " << dest_str << dendl;
+ map::iterator iter;
+ for (iter = s->user.temp_url_keys.begin(); iter != s->user.temp_url_keys.end(); ++iter) {
+ string& temp_url_key = iter->second;
- if (dest_str != temp_url_sig) {
- dout(5) << "temp url signature mismatch: " << dest_str << " != " << temp_url_sig << dendl;
- return -EPERM;
+ if (temp_url_key.empty())
+ continue;
+
+ char dest[CEPH_CRYPTO_HMACSHA1_DIGESTSIZE];
+ calc_hmac_sha1(temp_url_key.c_str(), temp_url_key.size(),
+ str.c_str(), str.size(), dest);
+
+ char dest_str[CEPH_CRYPTO_HMACSHA1_DIGESTSIZE * 2 + 1];
+ buf_to_hex((const unsigned char *)dest, sizeof(dest), dest_str);
+ dout(20) << "temp url signature [" << iter->first << "] (calculated): " << dest_str << dendl;
+
+ if (dest_str != temp_url_sig) {
+ dout(5) << "temp url signature mismatch: " << dest_str << " != " << temp_url_sig << dendl;
+ } else {
+ return 0;
+ }
 }
- return 0;
+ return -EPERM;
 }
 bool RGWSwift::verify_swift_token(RGWRados *store, req_state *s)
diff --git a/src/rgw/rgw_user.cc b/src/rgw/rgw_user.cc
index 2e0777cbd009..de220e005520 100644
--- a/src/rgw/rgw_user.cc
+++ b/src/rgw/rgw_user.cc
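Review bot: `if (dest_str != temp_url_sig)` checks the computed HMAC hex digest against the caller-supplied signature with plain string comparison, which stops at the first differing byte, and the new loop now performs that comparison once per configured key; a constant-time comparison is the right primitive for a signature check (the pre-existing code had the same issue, but the rewrite is the natural place to fix it). Separately, the `dout(5)` mismatch line writes the correctly computed signature for the requested method, expiry and path into the log, i.e. a credential that is valid for that URL until it expires; logging the supplied value and the slot index is enough to debug a mismatch. Minor: `string& temp_url_key = iter->second;` over a non-const iterator could be `const string&` over a `const_iterator`, since the loop does not modify `s->user`.

```cpp
// Constant-time equality for two signature strings: every byte is examined
// regardless of where the first difference lies, so the compare time does
// not reveal how much of a presented signature was correct.
static bool sig_equal_ct(const string& a, const string& b)
{
  if (a.size() != b.size())
    return false;
  unsigned char acc = 0;
  for (size_t i = 0; i < a.size(); ++i)
    acc |= static_cast<unsigned char>(a[i] ^ b[i]);
  return acc == 0;
}

// … unchanged: authenticate_temp_url up to the per-key hmac and dout(20) …
    if (!sig_equal_ct(dest_str, temp_url_sig)) {
      dout(5) << "temp url signature mismatch for key [" << iter->first << "], supplied: " << temp_url_sig << dendl;
    } else {
      return 0;
    }
```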
@@ -1685,8 +1685,13 @@ int RGWUser::execute_add(RGWUserAdminOpState& op_state, std::string *err_msg)
 if (op_state.has_bucket_quota())
 user_info.bucket_quota = op_state.get_bucket_quota();
- if (op_state.temp_url_key_specified)
- user_info.temp_url_key = op_state.temp_url_key;
+ if (op_state.temp_url_key_specified) {
+ map::iterator iter;
+ for (iter = op_state.temp_url_keys.begin();
+ iter != op_state.temp_url_keys.end(); ++iter) {
+ user_info.temp_url_keys[iter->first] = iter->second;
+ }
+ }
 // update the request
 op_state.set_user_info(user_info);
@@ -1887,8 +1892,13 @@ int RGWUser::execute_modify(RGWUserAdminOpState& op_state, std::string *err_msg)
 if (op_state.system_specified)
 user_info.system = op_state.system;
- if (op_state.temp_url_key_specified)
- user_info.temp_url_key = op_state.temp_url_key;
+ if (op_state.temp_url_key_specified) {
+ map::iterator iter;
+ for (iter = op_state.temp_url_keys.begin();
+ iter != op_state.temp_url_keys.end(); ++iter) {
+ user_info.temp_url_keys[iter->first] = iter->second;
+ }
+ }
 if (op_state.op_mask_specified)
 user_info.op_mask = op_state.get_op_mask();
diff --git a/src/rgw/rgw_user.h b/src/rgw/rgw_user.h
index 25b8f287025f..2f4b328ef0c7 100644
--- a/src/rgw/rgw_user.h
+++ b/src/rgw/rgw_user.h
@@ -131,7 +131,7 @@ struct RGWUserAdminOpState {
 std::string caps;
 RGWObjVersionTracker objv;
 uint32_t op_mask;
- string temp_url_key;
+ map temp_url_keys;
 // subuser attributes
 std::string subuser;
@@ -247,8 +247,8 @@ struct RGWUserAdminOpState {
 op_mask = mask;
 op_mask_specified = true;
 }
- void set_temp_url_key(const string& key) {
- temp_url_key = key;
+ void set_temp_url_key(const string& key, int index) {
+ temp_url_keys[index] = key;
 temp_url_key_specified = true;
 }
 void set_key_type(int32_t type) {
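Review bot: The merge loop added under `if (op_state.temp_url_key_specified) {` in execute_add is repeated line for line in execute_modify (the hunk at line 1887); a file-local helper called from both keeps the two in step the next time slot semantics change. The loop also only touches the slots present in op_state, so an existing key survives a modify that mentions only the other slot and can only be cleared by writing an empty string into it, which deserves a comment at the loop, e.g. `// slots absent from op_state keep their stored value; an empty string disables a slot`. The `map<int, string>` spelled out below follows `set_temp_url_key(const string& key, int index)` in rgw_user.h, as the template arguments did not survive on this page.

```cpp
// Copy every slot set on the admin op into user_info. Slots the op does
// not mention keep their stored value; an empty string disables a slot.
static void merge_temp_url_keys(const RGWUserAdminOpState& op_state, RGWUserInfo& user_info)
{
  map<int, string>::const_iterator iter;
  for (iter = op_state.temp_url_keys.begin(); iter != op_state.temp_url_keys.end(); ++iter) {
    user_info.temp_url_keys[iter->first] = iter->second;
  }
}

// … unchanged: execute_add / execute_modify up to the temp url key block …
  if (op_state.temp_url_key_specified)
    merge_temp_url_keys(op_state, user_info);
```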
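Review bot: `void set_temp_url_key(const string& key, int index)` accepts any int as the slot, so a caller can populate arbitrary (or negative) indices that the swift authentication loop will then try in turn; the two call sites in rgw_admin.cc pass 0 and 1, but nothing here records that only those slots are meaningful. Documenting the range on the setter, `/// index: 0 = primary temp url key, 1 = secondary; the swift api defines no other slots`, or rejecting other values at this one choke point, keeps the bound out of every caller.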
@@ -343,7 +343,7 @@ struct RGWUserAdminOpState {
 std::string get_caps() { return caps; };
 std::string get_user_email() { return user_email; };
 std::string get_display_name() { return display_name; };
- std::string get_temp_url_key() { return temp_url_key; };
+ map& get_temp_url_keys() { return temp_url_keys; };
 RGWUserInfo& get_user_info() { return info; };