From: Yehuda Sadeh
Date: Sat, 27 Feb 2016 14:22:09 +0000 (-0800)
Subject: Merge pull request #7630 from rzarzynski/wip-rgw-admin-token-cache
X-Git-Tag: v10.1.0~282
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=894738f845c8257c9ca1bae82a03a8b9ea015a9f;p=ceph.git
Merge pull request #7630 from rzarzynski/wip-rgw-admin-token-cache
rgw: add support for caching of Keystone admin token.
Reviewed-by: Yehuda Sadeh
--- 894738f845c8257c9ca1bae82a03a8b9ea015a9f
diff --cc src/rgw/rgw_keystone.cc
index 5e9d63af28bf4,fb2075a265ba9..ae390feb8e740
--- a/src/rgw/rgw_keystone.cc
+++ b/src/rgw/rgw_keystone.cc
@@@ -56,11 -178,17 +178,17 @@@ int KeystoneToken::parse(CephContext *
 /* Token structure doesn't follow Identity API v2, so the token
 * must be in v3. Otherwise we can assume it's wrongly formatted. */
 JSONDecoder::decode_json("token", *this, &parser, true);
+ token.id = token_str;
 }
- } else if (version == KeystoneApiVersion::VER_2) {
+ } else if (version == KeystoneApiVersion::VER_3) {
 if (!JSONDecoder::decode_json("token", *this, &parser)) {
- /* If the token cannot be parsed according to V2, try V3. */
+ /* If the token cannot be parsed according to V3, try V2. */
 JSONDecoder::decode_json("access", *this, &parser, true);
+ } else {
+ /* v3 suceeded. We have to fill token.id from external input as it
+ * isn't a part of the JSON response anymore. It has been moved
+ * to X-Subject-Token HTTP header instead. 
 */
+ token.id = token_str;
 }
 } else {
 return -ENOTSUP;
diff --cc src/rgw/rgw_rest_s3.cc
index 4adebb803fe36,5e39f5c3f3dc1..829bd3598a533
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@@ -2805,13 -2802,8 +2805,13 @@@ int RGW_Auth_S3_Keystone_ValidateToken:
 return -EPERM;
 }
+ /* if the supplied signature is wrong, we will get 401 from Keystone */
+ if (get_http_status() == HTTP_STATUS_UNAUTHORIZED) {
+ return -ERR_SIGNATURE_NO_MATCH;
+ }
+
 /* now parse response */
- if (response.parse(cct, rx_buffer) < 0) {
+ if (response.parse(cct, string(), rx_buffer) < 0) {
 dout(2) << "s3 keystone: token parsing failed" << dendl;
 return -EPERM;
 }
diff --cc src/rgw/rgw_swift.cc
index 3d2e707087785,627fb3eb587d0..4e8c00989651d
--- a/src/rgw/rgw_swift.cc
+++ b/src/rgw/rgw_swift.cc
@@@ -289,8 -217,18 +220,18 @@@ int RGWSwift::get_keystone_admin_token(
 token = cct->_conf->rgw_keystone_admin_token;
 return 0;
 }
+
+ KeystoneToken t;
+
+ /* Try cache first. */
+ if (keystone_token_cache->find_admin(t)) {
+ ldout(cct, 20) << "found cached admin token" << dendl;
+ token = t.token.id;
+ return 0;
+ }
+
 bufferlist token_bl;
- RGWGetKeystoneAdminToken token_req(cct, &token_bl);
+ RGWGetKeystoneAdminToken token_req(cct, &token_bl, cct->_conf->rgw_keystone_verify_ssl);
 token_req.append_header("Content-Type", "application/json");
 JSONFormatter jf;
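Review bot: Both added `token.id = token_str;` assignments in KeystoneToken::parse take the caller's string without any check, and the rgw_rest_s3.cc hunk of this same commit passes `string()`, so a v3 response parsed on that path ends up with an empty token.id. Whether anything later keys a cache entry or a lookup on that id is not visible here, but the contract should be written down at the assignment, for example `/* token_str may be empty (S3 validation path); token.id is then empty and must not be used as a cache key */`. The body of KeystoneToken::parse starts and ends outside the hunk.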
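Review bot: Only HTTP 401 is mapped to a specific error before `response.parse(cct, string(), rx_buffer)` runs, so any other non-success status from Keystone appears to reach the parser and come back as the generic "token parsing failed" / -EPERM, unless a check above the hunk already handles it. Logging the status before parsing would let operators tell a rejected signature apart from a Keystone outage or misconfiguration, e.g. `dout(2) << "s3 keystone: validation returned HTTP status " << get_http_status() << dendl;`. The enclosing function starts and ends outside the hunk.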
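Review bot: The cached admin token is handed back at `token = t.token.id; return 0;` with no expiry or validity check visible in this hunk, so correctness rests entirely on find_admin() refusing expired entries. If that guarantee holds it should be stated next to the lookup, e.g. `/* find_admin() returns only unexpired tokens; a stale hit would be reused until Keystone rejects it */`. No path that drops the cached entry when Keystone later answers 401 for it is visible here either, which is worth confirming in the callers. get_keystone_admin_token continues outside the hunk.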