From: Tobias Urdin
Date: Mon, 2 May 2022 09:48:15 +0000 (+0000)
Subject: rgw/auth: Deny request if service token does not have accepted roles
X-Git-Tag: v18.1.0~1023^2~11
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=7ead219d726f63f55d793ebb0c059acbb310a15e;p=ceph.git

rgw/auth: Deny request if service token does not have accepted roles

The default behavior should be that an invalid service token makes the request invalid even though we have not checked the X-Auth-Token yet. This is not required but should reflect the same behavior as other keystonemiddleware implemented services have.

Signed-off-by: Tobias Urdin
---

diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc
index 9976449f28b2..c42b0604cebb 100644
--- a/src/rgw/rgw_auth_keystone.cc
+++ b/src/rgw/rgw_auth_keystone.cc
@@ -300,6 +300,7 @@ TokenEngine::authenticate(const DoutPrefixProvider* dpp,
 if (!allow_expired) {
 ldpp_dout(dpp, 0) << "service token user does not hold a matching role; required roles: "
 << g_conf()->rgw_keystone_service_token_accepted_roles << dendl;
+ return result_t::deny(-EPERM);
 }
 }
 }
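Review bot: The added `return result_t::deny(-EPERM);` is guarded by `if (!allow_expired)`, so the branch reads as an expiry decision, while the log line above it says the real condition is a service token without an accepted role. A comment on the return would make the fail-closed intent explicit, e.g. `// service token lacks an accepted role: fail the request here, before X-Auth-Token is validated`. It would also be worth recording there that `deny` is chosen deliberately over `reject`, since (as far as I can tell from the auth framework, not from this hunk) a deny ends the strategy instead of letting a later engine accept the request. The level-0 log line now marks an access denial but names only the configured roles; adding which service-token identity was refused would help operators trace rejected requests. The enclosing `TokenEngine::authenticate` starts and ends outside the hunk.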