From: Pritha Srivastava Date: Thu, 19 Jul 2018 14:52:24 +0000 (+0530) Subject: rgw: Perm mask. X-Git-Tag: v14.0.1~113^2~13 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b09fc4079e3b9b27c114025e3206b7f816c52caf;p=ceph.git rgw: Perm mask. Signed-off-by: Pritha Srivastava
---
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index b678ff6449f9..2520e6e7262a 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -556,7 +556,7 @@ rgw::auth::AnonymousEngine::authenticate(const req_state* const s) const
 auto apl = \
 apl_factory->create_apl_local(cct, s, user_info,
 rgw::auth::LocalApplier::NO_SUBUSER,
- boost::none);
+ boost::none, boost::none);
 return result_t::grant(std::move(apl));
 }
 }
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index d1ab958e2ab1..4fe791f95ba7 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -455,6 +455,7 @@ protected:
 const RGWUserInfo user_info;
 const std::string subuser;
 vector role_policies;
+ uint32_t perm_mask;
 uint32_t get_perm_mask(const std::string& subuser_name,
 const RGWUserInfo &uinfo) const;
@@ -465,12 +466,18 @@ public:
 LocalApplier(CephContext* const cct,
 const RGWUserInfo& user_info,
 std::string subuser,
- const boost::optional >& role_policies)
+ const boost::optional >& role_policies,
+ const boost::optional& perm_mask)
 : user_info(user_info),
- subuser(std::move(subuser)){
+ subuser(std::move(subuser)) {
 if (role_policies) {
 this->role_policies = role_policies.get();
 }
+ if (perm_mask) {
+ this->perm_mask = perm_mask.get();
+ } else {
+ this->perm_mask = RGW_PERM_INVALID;
+ }
 }
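Review bot: The new `uint32_t perm_mask;` member in the rgw_auth.h hunk at -455 carries no comment, and its meaning rests on a sentinel: the constructor hunk that follows stores RGW_PERM_INVALID whenever the caller passed boost::none, and the get_perm_mask() override then falls back to the subuser/user-derived mask. A one-line comment at the declaration such as `uint32_t perm_mask; // explicit mask supplied by the caller (e.g. from an STS token); RGW_PERM_INVALID means "derive from subuser/user_info"` would make that contract visible where a reader first meets the field. The enclosing LocalApplier class starts and ends outside the hunk.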
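Review bot: The constructor parameter `perm_mask` shadows the new `perm_mask` member in the rgw_auth.h hunk at -465, which is why every use in the body needs `this->`; the added if/else could instead be a mem-initializer, `perm_mask(perm_mask.get_value_or(RGW_PERM_INVALID))`, placed after `subuser(std::move(subuser))`, which would also allow the member to be declared `const` alongside `user_info` and `subuser`. Renaming the parameter (e.g. `explicit_perm_mask`) would remove the shadowing altogether, though the same pattern already exists for `role_policies`, so this only follows the file's current style. The constructor's parameter list starts inside the hunk but the class it belongs to does not.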
@@ -479,7 +486,11 @@ public:
 bool is_owner_of(const rgw_user& uid) const override;
 bool is_identity(const idset_t& ids) const override;
 uint32_t get_perm_mask() const override {
- return get_perm_mask(subuser, user_info);
+ if (this->perm_mask == RGW_PERM_INVALID) {
+ return get_perm_mask(subuser, user_info);
+ } else {
+ return this->perm_mask;
+ }
 }
 void to_str(std::ostream& out) const override;
 void load_acct_info(RGWUserInfo& user_info) const override; /* out */
@@ -493,7 +504,8 @@ public:
 const req_state* s,
 const RGWUserInfo& user_info,
 const std::string& subuser,
- const boost::optional >& role_policies) const = 0;
+ const boost::optional >& role_policies,
+ const boost::optional& perm_mask) const = 0;
 };
 };
diff --git a/src/rgw/rgw_auth_s3.h b/src/rgw/rgw_auth_s3.h
index ffa845ea02fd..68e4057491d2 100644
--- a/src/rgw/rgw_auth_s3.h
+++ b/src/rgw/rgw_auth_s3.h
@@ -55,9 +55,10 @@ class STSAuthStrategy : public rgw::auth::Strategy,
 const req_state* const s,
 const RGWUserInfo& user_info,
 const std::string& subuser,
- const boost::optional >& role_policies) const override {
+ const boost::optional >& role_policies,
+ const boost::optional& perm_mask) const override {
 auto apl = rgw::auth::add_sysreq(cct, store, s,
- rgw::auth::LocalApplier(cct, user_info, subuser, role_policies));
+ rgw::auth::LocalApplier(cct, user_info, subuser, role_policies, perm_mask));
 return aplptr_t(new decltype(apl)(std::move(apl)));
 }
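Review bot: In the `get_perm_mask()` override an explicitly supplied mask replaces the identity-derived one outright: `return this->perm_mask;` is never intersected with `get_perm_mask(subuser, user_info)`, so whatever the caller passed (in this series, a value carried in an STS token, per the rgw_rest_s3.cc hunk) becomes the effective permission set even where it is wider than what the user or subuser holds at request time. If an explicit mask is meant only to narrow the identity's own permissions — the usual expectation for session credentials, and the safer default if permissions can be revoked after a token is issued — `return this->perm_mask & get_perm_mask(subuser, user_info);` enforces that here instead of relying on every producer; if it is meant to replace, a comment saying the supplier is trusted would record that decision. Using RGW_PERM_INVALID as the "not set" marker also means that value can never be passed explicitly; a `boost::optional<uint32_t>` member would avoid the sentinel. As a matter of style, the `else` after `return` and the `this->` prefixes (nothing shadows the member in this method) can be dropped.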
@@ -156,9 +157,10 @@ class AWSAuthStrategy : public rgw::auth::Strategy,
 const req_state* const s,
 const RGWUserInfo& user_info,
 const std::string& subuser,
- const boost::optional >& role_policies) const override {
+ const boost::optional >& role_policies,
+ const boost::optional& perm_mask) const override {
 auto apl = rgw::auth::add_sysreq(cct, store, s,
- rgw::auth::LocalApplier(cct, user_info, subuser, role_policies));
+ rgw::auth::LocalApplier(cct, user_info, subuser, role_policies, perm_mask));
 /* TODO(rzarzynski): replace with static_ptr. */
 return aplptr_t(new decltype(apl)(std::move(apl)));
 }
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 38c00944be68..d5a1bed14c5d 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -4341,7 +4341,7 @@ rgw::auth::s3::LocalEngine::authenticate(
 return result_t::deny(-ERR_SIGNATURE_NO_MATCH);
 }
- auto apl = apl_factory->create_apl_local(cct, s, user_info, k.subuser, boost::none);
+ auto apl = apl_factory->create_apl_local(cct, s, user_info, k.subuser, boost::none, boost::none);
 return result_t::grant(std::move(apl), completer_factory(k.key));
 }
@@ -4480,7 +4480,7 @@ rgw::auth::s3::STSEngine::authenticate(
 return result_t::grant(std::move(apl), completer_factory(boost::none));
 } else {
 string subuser;
- auto apl = local_apl_factory->create_apl_local(cct, s, user_info, subuser, role_policies);
+ auto apl = local_apl_factory->create_apl_local(cct, s, user_info, subuser, role_policies, token.perm_mask);
 return result_t::grant(std::move(apl), completer_factory(token.secret_access_key));
 }
 }
diff --git a/src/rgw/rgw_rest_s3.h b/src/rgw/rgw_rest_s3.h
index 25827beb673f..97181b291857 100644
--- a/src/rgw/rgw_rest_s3.h
+++ b/src/rgw/rgw_rest_s3.h
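Review bot: Forwarding `token.perm_mask` into a `boost::optional` parameter in the rgw_rest_s3.cc hunk at -4480 means the RGW_PERM_INVALID fallback in LocalApplier is never reached on the STS path unless `token.perm_mask` is itself an optional (its type is not visible here): a plain integer always arrives engaged, so a token decoded with a default-initialized mask would presumably produce an identity with no permissions rather than the user-derived mask, and a stale or overly wide value in the token is likewise taken as-is. Worth either a comment at this call stating that the token's mask is authoritative for the session, or forwarding it only when the token actually carries a mask. The enclosing STSEngine::authenticate starts outside the hunk, so how `token` and `role_policies` are validated before this point cannot be checked here.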
@@ -956,9 +956,10 @@ public:
 const req_state* const s,
 const RGWUserInfo& user_info,
 const std::string& subuser,
- const boost::optional >& role_policies) const override {
+ const boost::optional >& role_policies,
+ const boost::optional& perm_mask) const override {
 return aplptr_t(
- new rgw::auth::LocalApplier(cct, user_info, subuser, role_policies));
+ new rgw::auth::LocalApplier(cct, user_info, subuser, role_policies, perm_mask));
 }
 };
diff --git a/src/rgw/rgw_swift_auth.cc b/src/rgw/rgw_swift_auth.cc
index 45c3b00d7fe7..4fd2d37196d9 100644
--- a/src/rgw/rgw_swift_auth.cc
+++ b/src/rgw/rgw_swift_auth.cc
@@ -419,7 +419,7 @@ ExternalTokenEngine::authenticate(const std::string& token,
 auto apl = apl_factory->create_apl_local(cct, s, tmp_uinfo,
 extract_swift_subuser(swift_user),
- boost::none);
+ boost::none, boost::none);
 return result_t::grant(std::move(apl));
 }
@@ -569,7 +569,7 @@ SignedTokenEngine::authenticate(const std::string& token,
 auto apl = apl_factory->create_apl_local(cct, s, user_info,
 extract_swift_subuser(swift_user),
- boost::none);
+ boost::none, boost::none);
 return result_t::grant(std::move(apl));
 }
diff --git a/src/rgw/rgw_swift_auth.h b/src/rgw/rgw_swift_auth.h
index 2102c2fa95b1..008366b4ef2a 100644
--- a/src/rgw/rgw_swift_auth.h
+++ b/src/rgw/rgw_swift_auth.h
@@ -21,7 +21,7 @@ class TempURLApplier : public rgw::auth::LocalApplier {
 public:
 TempURLApplier(CephContext* const cct, const RGWUserInfo& user_info)
- : LocalApplier(cct, user_info, LocalApplier::NO_SUBUSER, boost::none) {
+ : LocalApplier(cct, user_info, LocalApplier::NO_SUBUSER, boost::none, boost::none) {
 };
 void modify_request_state(req_state * s) const override; /* in/out */
@@ -201,11 +201,12 @@ class DefaultStrategy : public rgw::auth::Strategy,
 const req_state* const s,
 const RGWUserInfo& user_info,
 const std::string& subuser,
- const boost::optional >& role_policies) const override {
+ const boost::optional >& role_policies,
+ const boost::optional& perm_mask) const override {
 auto apl = \
 rgw::auth::add_3rdparty(store, s->account_name,
 rgw::auth::add_sysreq(cct, store, s,
- rgw::auth::LocalApplier(cct, user_info, subuser, boost::none)));
+ rgw::auth::LocalApplier(cct, user_info, subuser, role_policies, perm_mask)));
 /* TODO(rzarzynski): replace with static_ptr. */
 return aplptr_t(new decltype(apl)(std::move(apl)));
 }
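Review bot: The DefaultStrategy line changes more than the commit title covers: the old call passed `boost::none` for role policies and the new one passes `role_policies`, so Swift requests authenticated through this strategy now pick up the caller's role policies in addition to the new `perm_mask`. That may be the intended fix for a previously dropped argument, but it alters the Swift authorization path and should be stated in the commit message (or split into its own commit) so it is not mistaken for perm-mask plumbing; if the drop was deliberate, the new line should keep `boost::none` in that position. The override's signature begins before the hunk, and the DefaultStrategy class is outside it.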