From: Casey Bodley Date: Tue, 20 Feb 2024 22:46:06 +0000 (-0500) Subject: rgw/auth: AssumeRole uses role account as owner X-Git-Tag: v20.0.0~2159^2~54 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=aeecbe14d00cb0da974ff1f5e5505ca220fecd3d;p=ceph.git rgw/auth: AssumeRole uses role account as owner Signed-off-by: Casey Bodley
---
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 1f84fcb2da4a7..dc662c7b905df 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -943,11 +943,20 @@ void rgw::auth::LocalApplier::write_ops_log_entry(rgw_log_entry& entry) const
 ACLOwner rgw::auth::RoleApplier::get_aclowner() const
 {
 ACLOwner owner;
- owner.id = token_attrs.user_id;
+ if (!role.account_id.empty()) {
+ owner.id = role.account_id;
+ } else {
+ owner.id = token_attrs.user_id;
+ }
 owner.display_name = role.name;
 return owner;
 }
+bool rgw::auth::RoleApplier::is_owner_of(const rgw_owner& o) const
+{
+ return match_owner(o, token_attrs.user_id, role.account_id);
+}
+
 void rgw::auth::RoleApplier::to_str(std::ostream& out) const
 {
 out << "rgw::auth::RoleApplier(role name =" << role.name;
 for (auto& policy: role.inline_policies) {
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index 3c3dd5ebe7c86..e2249e5fdf00e 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -727,6 +727,7 @@ public:
 std::string id;
 std::string name;
 std::string tenant;
+ rgw_account_id account_id;
 std::vector inline_policies;
 std::vector managed_policies;
 };
@@ -757,11 +758,7 @@ public:
 bool is_admin_of(const rgw_owner& o) const override {
 return false;
 }
- bool is_owner_of(const rgw_owner& o) const override {
- auto* uid = std::get_if(&o);
- // TODO: handle account roles
- return uid && *uid == token_attrs.user_id;
- }
+ bool is_owner_of(const rgw_owner& o) const override;
 bool is_identity(const Principal& p) const override;
 uint32_t get_perm_mask() const override {
 return RGW_PERM_NONE;
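Review bot: The new `is_owner_of` passes `role.account_id` to `match_owner` even when it is empty (the case `get_aclowner()` treats as a non-account role), and `match_owner` is not visible in this hunk; if that helper compares the `rgw_account_id` alternative of `o` by plain equality, an owner record carrying an empty account id would be "owned" by every non-account role, whereas the removed inline version could only ever match `token_attrs.user_id`. Worth confirming that `match_owner` rejects an empty account id, or keeping the old behaviour explicit for that case ahead of the existing return, e.g. `if (role.account_id.empty()) { auto* uid = std::get_if<rgw_user>(&o); return uid && *uid == token_attrs.user_id; }` (presumably `rgw_user` is the alternative the old code extracted). The same precedence deserves a comment above the new `if` in `get_aclowner()`: `// account roles own resources on behalf of their account; roles without an account fall back to the assuming user`. The `to_str` body at the end of this hunk continues outside it.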
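Review bot: The new `account_id` member is left undocumented although both `get_aclowner()` and `is_owner_of()` in this commit branch on whether it is empty, so the reader of the header cannot tell that emptiness is a meaningful state rather than a bug. Suggest `rgw_account_id account_id; // empty when the role is not owned by an account`. The enclosing struct's header is outside this hunk.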
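Review bot: Moving `is_owner_of` out of line removes the only note it carried (`// TODO: handle account roles`), so the declaration now says nothing about what ownership means for a role identity, right next to an `is_admin_of` that hard-codes `false`. Suggest a one-line comment above the declaration: `// matches the assuming user, or the role's account when the role has one (see rgw_auth.cc)`. The enclosing class starts and ends outside this hunk.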
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index ee5b21bd25913..37cd303cfa2bd 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -6468,6 +6468,7 @@ rgw::auth::s3::STSEngine::authenticate(
 r.id = token.roleId;
 r.name = role->get_name();
 r.tenant = role->get_tenant();
+ r.account_id = role->get_account_id();
 for (auto& [name, policy] : role->get_info().perm_policy_map) {
 r.inline_policies.push_back(std::move(policy));