From: Casey Bodley
Date: Tue, 5 Mar 2024 19:28:41 +0000 (-0500)
Subject: rgw: link account root to account user index
X-Git-Tag: testing/wip-pdonnell-testing-20240416.232051-debug~25^2~36
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=b60335997266932f0a2c26fefc128732c66551a1;p=ceph-ci.git
rgw: link account root to account user index
account root users were not linked to the account's user index because they're not visible to iam apis like ListUsers but now that 'account rm' is prevented from deleting the account while users are still present, we want account root users to prevent deletion too add root users back to the account user index, but filter them out of the iam user apis
Signed-off-by: Casey Bodley
---
diff --git a/src/rgw/rgw_rest_iam_user.cc b/src/rgw/rgw_rest_iam_user.cc
index 06c0d5bde08..ae413e6d185 100644
--- a/src/rgw/rgw_rest_iam_user.cc
+++ b/src/rgw/rgw_rest_iam_user.cc
@@ -275,7 +275,9 @@ int RGWGetUser_IAM::init_processing(optional_yield y)
 const std::string& tenant = s->auth.identity->get_tenant();
 int r = driver->load_account_user_by_name(this, y, account_id, tenant, username, &user);
- if (r == -ENOENT) {
+ // root user is hidden from user apis
+ const bool is_root = (user && user->get_type() == TYPE_ROOT);
+ if (r == -ENOENT || is_root) {
 s->err.message = "No such UserName in the account";
 return -ERR_NO_SUCH_ENTITY;
 }
@@ -375,7 +377,9 @@ int RGWUpdateUser_IAM::init_processing(optional_yield y)
 const std::string& tenant = s->auth.identity->get_tenant();
 int r = driver->load_account_user_by_name(this, y, account_id, tenant, username, &user);
- if (r == -ENOENT) {
+ // root user is hidden from user apis
+ const bool is_root = (user && user->get_type() == TYPE_ROOT);
+ if (r == -ENOENT || is_root) {
 s->err.message = "No such UserName in the account";
 return -ERR_NO_SUCH_ENTITY;
 }
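Review bot: The root-user filter in RGWGetUser_IAM::init_processing is three hand-copied lines, and the same lines recur in the UpdateUser, DeleteUser, CreateAccessKey, UpdateAccessKey, DeleteAccessKey and ListAccessKeys hunks, so hiding the root user depends on every handler remembering to repeat them. A handler that resolves a user by name without the check would let an IAM caller act on the account root, so I would move the `load_account_user_by_name` call and the `TYPE_ROOT` test into one file-local helper that returns `-ERR_NO_SUCH_ENTITY` for both the missing and the root case, and call it from all seven sites. The helper could also set `s->err.message`, which the ListAccessKeys hunk leaves unset while the other six set it. Each init_processing body starts and ends outside its hunk.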
@@ -514,7 +518,9 @@ int RGWDeleteUser_IAM::init_processing(optional_yield y)
 const std::string& tenant = s->auth.identity->get_tenant();
 int r = driver->load_account_user_by_name(this, y, account_id, tenant, username, &user);
- if (r == -ENOENT) {
+ // root user is hidden from user apis
+ const bool is_root = (user && user->get_type() == TYPE_ROOT);
+ if (r == -ENOENT || is_root) {
 s->err.message = "No such UserName in the account";
 return -ERR_NO_SUCH_ENTITY;
 }
@@ -764,6 +770,9 @@ void RGWListUsers_IAM::send_response_data(std::span users)
 }
 for (const auto& info : users) {
+ if (info.type == TYPE_ROOT) {
+ continue; // root user is hidden from user apis
+ }
 s->formatter->open_object_section("member");
 dump_iam_user(info, s->formatter);
 s->formatter->close_section(); // member
@@ -838,7 +847,9 @@ int RGWCreateAccessKey_IAM::init_processing(optional_yield y)
 const std::string& tenant = s->auth.identity->get_tenant();
 int r = driver->load_account_user_by_name(this, y, account_id, tenant, username, &user);
- if (r == -ENOENT) {
+ // root user is hidden from user apis
+ const bool is_root = (user && user->get_type() == TYPE_ROOT);
+ if (r == -ENOENT || is_root) {
 s->err.message = "No such UserName in the account";
 return -ERR_NO_SUCH_ENTITY;
 }
@@ -1059,7 +1070,9 @@ int RGWUpdateAccessKey_IAM::init_processing(optional_yield y)
 const std::string& tenant = s->auth.identity->get_tenant();
 int r = driver->load_account_user_by_name(this, y, account_id, tenant, username, &user);
- if (r == -ENOENT) {
+ // root user is hidden from user apis
+ const bool is_root = (user && user->get_type() == TYPE_ROOT);
+ if (r == -ENOENT || is_root) {
 s->err.message = "No such UserName in the account";
 return -ERR_NO_SUCH_ENTITY;
 }
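Review bot: In RGWListUsers_IAM::send_response_data the root entry is dropped only while rendering, after the page has already been fetched, so a page can come back with fewer members than requested, or with none while the listing is still truncated. If the listing code outside this hunk sizes pages by MaxItems, the hidden root would also use up one of those slots. I would note this at the `continue`, e.g. `// filtered after paging, so a page may hold fewer than MaxItems members`, and add a test that lists an account whose only user is root. The function body starts and ends outside the hunk.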
@@ -1205,7 +1218,9 @@ int RGWDeleteAccessKey_IAM::init_processing(optional_yield y)
 const std::string& tenant = s->auth.identity->get_tenant();
 int r = driver->load_account_user_by_name(this, y, account_id, tenant, username, &user);
- if (r == -ENOENT) {
+ // root user is hidden from user apis
+ const bool is_root = (user && user->get_type() == TYPE_ROOT);
+ if (r == -ENOENT || is_root) {
 s->err.message = "No such UserName in the account";
 return -ERR_NO_SUCH_ENTITY;
 }
@@ -1350,7 +1365,9 @@ int RGWListAccessKeys_IAM::init_processing(optional_yield y)
 const std::string& tenant = s->auth.identity->get_tenant();
 r = driver->load_account_user_by_name(this, y, account_id, tenant, username, &user);
- if (r == -ENOENT) {
+ // root user is hidden from user apis
+ const bool is_root = (user && user->get_type() == TYPE_ROOT);
+ if (r == -ENOENT || is_root) {
 return -ERR_NO_SUCH_ENTITY;
 }
 return r;
diff --git a/src/rgw/services/svc_user_rados.cc b/src/rgw/services/svc_user_rados.cc
index c061b964239..a7cdc08185e 100644
--- a/src/rgw/services/svc_user_rados.cc
+++ b/src/rgw/services/svc_user_rados.cc
@@ -164,7 +164,7 @@ struct users_entry {
 };
 static users_entry account_users_link(const RGWUserInfo* info) {
- if (info && !info->account_id.empty() && info->type != TYPE_ROOT) {
+ if (info && !info->account_id.empty()) {
 return {info->account_id, info->path, info->display_name};
 }
 return {};
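Review bot: With `info->type != TYPE_ROOT` removed from account_users_link, root users become visible to every reader of the account user index, while this commit filters them in rgw_rest_iam_user.cc only. Any other code that resolves or counts users through that index (by-name lookups in other handlers, user-count limits, if such exist) would now see the root user and should be checked for the same filter. Root users stored before this change presumably have no index entry until they are written again, so 'account rm' may still succeed for those accounts; the commit message could say whether a re-link is needed. A comment on the function such as `// root users are linked too so they block 'account rm'; iam user apis filter them out` would record why the filter moved.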