From: Daniel Gryniewicz Date: Tue, 19 Jan 2021 15:35:16 +0000 (-0500) Subject: Zipper - zipperify the Auth code X-Git-Tag: v17.1.0~2768^2~9 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b67d5bca22581a2b8616f0c9ffe3adeca3d2f558;p=ceph.git Zipper - zipperify the Auth code This also removes the only user of s->sysobj_ctx, so that can be removed as well. Signed-off-by: Daniel Gryniewicz --- diff --git a/src/rgw/librgw.cc b/src/rgw/librgw.cc index a32a083a56a..6c215eac141 100644 --- a/src/rgw/librgw.cc +++ b/src/rgw/librgw.cc @@ -236,9 +236,6 @@ namespace rgw { RGWObjectCtx rados_ctx(store, s); // XXX holds std::map - auto sysobj_ctx = static_cast(store)->svc()->sysobj->init_obj_ctx(); - s->sysobj_ctx = &sysobj_ctx; - /* XXX and -then- stash req_state pointers everywhere they are needed */ ret = req->init(rgw_env, &rados_ctx, io, s); if (ret < 0) { diff --git a/src/rgw/rgw_admin.cc b/src/rgw/rgw_admin.cc index 14cbbc63e48..373f7300d35 100644 --- a/src/rgw/rgw_admin.cc +++ b/src/rgw/rgw_admin.cc @@ -5753,7 +5753,7 @@ int main(int argc, const char **argv) cerr << "failed to parse policy: " << e.what() << std::endl; return -EINVAL; } - RGWRole role(g_ceph_context, store->get_ctl(), role_name, path, assume_role_doc, tenant); + RGWRole role(g_ceph_context, store, role_name, path, assume_role_doc, tenant); ret = role.create(dpp(), true, null_yield); if (ret < 0) { return -ret; @@ -5767,7 +5767,7 @@ int main(int argc, const char **argv) cerr << "ERROR: empty role name" << std::endl; return -EINVAL; } - RGWRole role(g_ceph_context, store->get_ctl(), role_name, tenant); + RGWRole role(g_ceph_context, store, role_name, tenant); ret = role.delete_obj(dpp(), null_yield); if (ret < 0) { return -ret; @@ -5781,7 +5781,7 @@ int main(int argc, const char **argv) cerr << "ERROR: empty role name" << std::endl; return -EINVAL; } - RGWRole role(g_ceph_context, store->get_ctl(), role_name, tenant); + RGWRole role(g_ceph_context, store, role_name, tenant); ret = role.get(dpp(), null_yield); if (ret < 0) { return -ret; @@ -5809,7 +5809,7 @@ int main(int argc, const char **argv) return -EINVAL; } - RGWRole role(g_ceph_context, store->get_ctl(), role_name, tenant); + RGWRole role(g_ceph_context, store, role_name, tenant); ret = role.get(dpp(), null_yield); if (ret < 0) { return -ret; @@ -5857,7 +5857,7 @@ int main(int argc, const char **argv) return -EINVAL; } - RGWRole role(g_ceph_context, store->get_ctl(), role_name, tenant); + RGWRole role(g_ceph_context, store, role_name, tenant); ret = role.get(dpp(), null_yield); if (ret < 0) { return -ret; @@ -5876,7 +5876,7 @@ int main(int argc, const char **argv) cerr << "ERROR: Role name is empty" << std::endl; return -EINVAL; } - RGWRole role(g_ceph_context, store->get_ctl(), role_name, tenant); + RGWRole role(g_ceph_context, store, role_name, tenant); ret = role.get(dpp(), null_yield); if (ret < 0) { return -ret; @@ -5896,7 +5896,7 @@ int main(int argc, const char **argv) cerr << "ERROR: policy name is empty" << std::endl; return -EINVAL; } - RGWRole role(g_ceph_context, store->get_ctl(), role_name, tenant); + RGWRole role(g_ceph_context, store, role_name, tenant); int ret = role.get(dpp(), null_yield); if (ret < 0) { return -ret; @@ -5920,7 +5920,7 @@ int main(int argc, const char **argv) cerr << "ERROR: policy name is empty" << std::endl; return -EINVAL; } - RGWRole role(g_ceph_context, store->get_ctl(), role_name, tenant); + RGWRole role(g_ceph_context, store, role_name, tenant); ret = role.get(dpp(), null_yield); if (ret < 0) { return -ret; diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc index 88925a23332..f3c26c5917b 100644 --- a/src/rgw/rgw_auth.cc +++ b/src/rgw/rgw_auth.cc @@ -368,22 +368,22 @@ void rgw::auth::WebIdentityApplier::create_account(const DoutPrefixProvider* dpp const string& display_name, RGWUserInfo& user_info) const /* out */ { - user_info.user_id = acct_user; - user_info.display_name = display_name; - user_info.type = TYPE_WEB; - - user_info.max_buckets = + std::unique_ptr user = store->get_user(acct_user); + user->get_info().display_name = display_name; + user->get_info().type = TYPE_WEB; + user->get_info().max_buckets = cct->_conf.get_val("rgw_user_max_buckets"); - rgw_apply_default_bucket_quota(user_info.bucket_quota, cct->_conf); - rgw_apply_default_user_quota(user_info.user_quota, cct->_conf); + rgw_apply_default_bucket_quota(user->get_info().bucket_quota, cct->_conf); + rgw_apply_default_user_quota(user->get_info().user_quota, cct->_conf); - int ret = ctl->user->store_info(dpp, user_info, null_yield, - RGWUserCtl::PutParams().set_exclusive(true)); + int ret = user->store_info(dpp, null_yield, + RGWUserCtl::PutParams().set_exclusive(true)); if (ret < 0) { ldpp_dout(dpp, 0) << "ERROR: failed to store new user info: user=" - << user_info.user_id << " ret=" << ret << dendl; + << user << " ret=" << ret << dendl; throw ret; } + user_info = user->get_info(); } void rgw::auth::WebIdentityApplier::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const { @@ -392,22 +392,26 @@ void rgw::auth::WebIdentityApplier::load_acct_info(const DoutPrefixProvider* dpp federated_user.tenant = role_tenant; federated_user.ns = "oidc"; + std::unique_ptr user = store->get_user(federated_user); + //Check in oidc namespace - if (ctl->user->get_info_by_uid(dpp, federated_user, &user_info, null_yield) >= 0) { + if (user->load_by_id(dpp, null_yield) >= 0) { /* Succeeded. */ + user_info = user->get_info(); return; } - federated_user.ns.clear(); + user->clear_ns(); //Check for old users which wouldn't have been created in oidc namespace - if (ctl->user->get_info_by_uid(dpp, federated_user, &user_info, null_yield) >= 0) { + if (user->load_by_id(dpp, null_yield) >= 0) { /* Succeeded. */ + user_info = user->get_info(); return; } //Check if user_id.buckets already exists, may have been from the time, when shadow users didnt exist RGWStorageStats stats; - int ret = ctl->user->read_stats(federated_user, &stats, null_yield); + int ret = user->read_stats(null_yield, &stats); if (ret < 0 && ret != -ENOENT) { ldpp_dout(dpp, 0) << "ERROR: reading stats for the user returned error " << ret << dendl; return; @@ -581,30 +585,29 @@ void rgw::auth::RemoteApplier::create_account(const DoutPrefixProvider* dpp, { rgw_user new_acct_user = acct_user; - if (info.acct_type) { - //ldap/keystone for s3 users - user_info.type = info.acct_type; - } - /* An upper layer may enforce creating new accounts within their own * tenants. */ if (new_acct_user.tenant.empty() && implicit_tenant) { new_acct_user.tenant = new_acct_user.id; } - user_info.user_id = new_acct_user; - user_info.display_name = info.acct_name; - - user_info.max_buckets = + std::unique_ptr user = store->get_user(new_acct_user); + user->get_info().display_name = info.acct_name; + if (info.acct_type) { + //ldap/keystone for s3 users + user->get_info().type = info.acct_type; + } + user->get_info().max_buckets = cct->_conf.get_val("rgw_user_max_buckets"); - rgw_apply_default_bucket_quota(user_info.bucket_quota, cct->_conf); - rgw_apply_default_user_quota(user_info.user_quota, cct->_conf); + rgw_apply_default_bucket_quota(user->get_info().bucket_quota, cct->_conf); + rgw_apply_default_user_quota(user->get_info().user_quota, cct->_conf); + user_info = user->get_info(); - int ret = ctl->user->store_info(dpp, user_info, null_yield, - RGWUserCtl::PutParams().set_exclusive(true)); + int ret = user->store_info(dpp, null_yield, + RGWUserCtl::PutParams().set_exclusive(true)); if (ret < 0) { ldpp_dout(dpp, 0) << "ERROR: failed to store new user info: user=" - << user_info.user_id << " ret=" << ret << dendl; + << user << " ret=" << ret << dendl; throw ret; } } @@ -619,6 +622,7 @@ void rgw::auth::RemoteApplier::load_acct_info(const DoutPrefixProvider* dpp, RGW auto implicit_value = implicit_tenant_context.get_value(); bool implicit_tenant = implicit_value.implicit_tenants_for_(implicit_tenant_bit); bool split_mode = implicit_value.is_split_mode(); + std::unique_ptr user; /* Normally, empty "tenant" field of acct_user means the authenticated * identity has the legacy, global tenant. However, due to inclusion @@ -641,18 +645,23 @@ void rgw::auth::RemoteApplier::load_acct_info(const DoutPrefixProvider* dpp, RGW ; /* suppress lookup for id used by "other" protocol */ else if (acct_user.tenant.empty()) { const rgw_user tenanted_uid(acct_user.id, acct_user.id); + user = store->get_user(tenanted_uid); - if (ctl->user->get_info_by_uid(dpp, tenanted_uid, &user_info, null_yield) >= 0) { + if (user->load_by_id(dpp, null_yield) >= 0) { /* Succeeded. */ + user_info = user->get_info(); return; } } + user = store->get_user(acct_user); + if (split_mode && implicit_tenant) ; /* suppress lookup for id used by "other" protocol */ - else if (ctl->user->get_info_by_uid(dpp, acct_user, &user_info, null_yield) >= 0) { - /* Succeeded. */ - return; + else if (user->load_by_id(dpp, null_yield) >= 0) { + /* Succeeded. */ + user_info = user->get_info(); + return; } ldpp_dout(dpp, 0) << "NOTICE: couldn't map swift user " << acct_user << dendl; diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h index c65f0b335b1..1b5d8b81736 100644 --- a/src/rgw/rgw_auth.h +++ b/src/rgw/rgw_auth.h @@ -366,7 +366,7 @@ class StrategyRegistry; class WebIdentityApplier : public IdentityApplier { protected: CephContext* const cct; - RGWCtl* const ctl; + rgw::sal::RGWStore* store; string role_session; string role_tenant; rgw::web_idp::WebTokenClaims token_claims; @@ -379,12 +379,12 @@ protected: RGWUserInfo& user_info) const; /* out */ public: WebIdentityApplier( CephContext* const cct, - RGWCtl* const ctl, + rgw::sal::RGWStore* store, const string& role_session, const string& role_tenant, const rgw::web_idp::WebTokenClaims& token_claims) : cct(cct), - ctl(ctl), + store(store), role_session(role_session), role_tenant(role_tenant), token_claims(token_claims) { @@ -521,7 +521,7 @@ protected: CephContext* const cct; /* Read-write is intensional here due to RGWUserInfo creation process. */ - RGWCtl* const ctl; + rgw::sal::RGWStore* store; /* Supplemental strategy for extracting permissions from ACLs. Its results * will be combined (ORed) with a default strategy that is responsible for @@ -539,13 +539,13 @@ protected: public: RemoteApplier(CephContext* const cct, - RGWCtl* const ctl, + rgw::sal::RGWStore* store, acl_strategy_t&& extra_acl_strategy, const AuthInfo& info, rgw::auth::ImplicitTenants& implicit_tenant_context, rgw::auth::ImplicitTenants::implicit_tenant_flag_bits implicit_tenant_bit) : cct(cct), - ctl(ctl), + store(store), extra_acl_strategy(std::move(extra_acl_strategy)), info(info), implicit_tenant_context(implicit_tenant_context), diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h index bea9665e416..14cae3ad430 100644 --- a/src/rgw/rgw_auth_filters.h +++ b/src/rgw/rgw_auth_filters.h @@ -123,7 +123,7 @@ public: template class ThirdPartyAccountApplier : public DecoratedApplier { - /* const */RGWCtl* const ctl; + rgw::sal::RGWStore* store; const rgw_user acct_user_override; public: @@ -133,11 +133,11 @@ public: static const rgw_user UNKNOWN_ACCT; template - ThirdPartyAccountApplier(RGWCtl* const ctl, + ThirdPartyAccountApplier(rgw::sal::RGWStore* store, const rgw_user &acct_user_override, U&& decoratee) : DecoratedApplier(std::move(decoratee)), - ctl(ctl), + store(store), acct_user_override(acct_user_override) { } @@ -179,16 +179,21 @@ void ThirdPartyAccountApplier::load_acct_info(const DoutPrefixProvider* dpp, } else { /* Compatibility mechanism for multi-tenancy. For more details refer to * load_acct_info method of rgw::auth::RemoteApplier. */ + std::unique_ptr user; + if (acct_user_override.tenant.empty()) { const rgw_user tenanted_uid(acct_user_override.id, acct_user_override.id); + user = store->get_user(tenanted_uid); - if (ctl->user->get_info_by_uid(dpp, tenanted_uid, &user_info, null_yield) >= 0) { + if (user->load_by_id(dpp, null_yield) >= 0) { + user_info = user->get_info(); /* Succeeded. */ return; } } - const int ret = ctl->user->get_info_by_uid(dpp, acct_user_override, &user_info, null_yield); + user = store->get_user(acct_user_override); + const int ret = user->load_by_id(dpp, null_yield); if (ret < 0) { /* We aren't trying to recover from ENOENT here. It's supposed that creating * someone else's account isn't a thing we want to support in this filter. */ @@ -198,15 +203,15 @@ void ThirdPartyAccountApplier::load_acct_info(const DoutPrefixProvider* dpp, throw ret; } } - + user_info = user->get_info(); } } template static inline -ThirdPartyAccountApplier add_3rdparty(RGWCtl* const ctl, +ThirdPartyAccountApplier add_3rdparty(rgw::sal::RGWStore* store, const rgw_user &acct_user_override, T&& t) { - return ThirdPartyAccountApplier(ctl, acct_user_override, + return ThirdPartyAccountApplier(store, acct_user_override, std::forward(t)); } @@ -214,19 +219,19 @@ ThirdPartyAccountApplier add_3rdparty(RGWCtl* const ctl, template class SysReqApplier : public DecoratedApplier { CephContext* const cct; - /*const*/ RGWCtl* const ctl; + rgw::sal::RGWStore* store; const RGWHTTPArgs& args; mutable boost::tribool is_system; public: template SysReqApplier(CephContext* const cct, - /*const*/ RGWCtl* const ctl, + rgw::sal::RGWStore* store, const req_state* const s, U&& decoratee) : DecoratedApplier(std::forward(decoratee)), cct(cct), - ctl(ctl), + store(store), args(s->info.args), is_system(boost::logic::indeterminate) { } @@ -257,12 +262,12 @@ void SysReqApplier::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo /* We aren't writing directly to user_info for consistency and security * reasons. rgw_get_user_info_by_uid doesn't trigger the operator=() but * calls ::decode instead. */ - RGWUserInfo euser_info; - if (ctl->user->get_info_by_uid(dpp, effective_uid, &euser_info, null_yield) < 0) { + std::unique_ptr user = store->get_user(effective_uid); + if (user->load_by_id(dpp, null_yield) < 0) { //ldpp_dout(dpp, 0) << "User lookup failed!" << dendl; throw -EACCES; } - user_info = euser_info; + user_info = user->get_info(); } } } @@ -284,10 +289,10 @@ void SysReqApplier::modify_request_state(const DoutPrefixProvider* dpp, req_s template static inline SysReqApplier add_sysreq(CephContext* const cct, - /* const */ RGWCtl* const ctl, + rgw::sal::RGWStore* store, const req_state* const s, T&& t) { - return SysReqApplier(cct, ctl, s, std::forward(t)); + return SysReqApplier(cct, store, s, std::forward(t)); } } /* namespace auth */ diff --git a/src/rgw/rgw_auth_registry.h b/src/rgw/rgw_auth_registry.h index a38cb7d6c6d..70e1d93cbfe 100644 --- a/src/rgw/rgw_auth_registry.h +++ b/src/rgw/rgw_auth_registry.h @@ -38,9 +38,9 @@ class StrategyRegistry { s3_main_strategy_t(CephContext* const cct, ImplicitTenants& implicit_tenant_context, - RGWCtl* const ctl) - : s3_main_strategy_plain(cct, implicit_tenant_context, ctl), - s3_main_strategy_boto2(cct, implicit_tenant_context, ctl) { + rgw::sal::RGWStore* store) + : s3_main_strategy_plain(cct, implicit_tenant_context, store), + s3_main_strategy_boto2(cct, implicit_tenant_context, store) { add_engine(Strategy::Control::SUFFICIENT, s3_main_strategy_plain); add_engine(Strategy::Control::FALLBACK, s3_main_strategy_boto2); } @@ -61,11 +61,11 @@ class StrategyRegistry { public: StrategyRegistry(CephContext* const cct, ImplicitTenants& implicit_tenant_context, - RGWCtl* const ctl) - : s3_main_strategy(cct, implicit_tenant_context, ctl), - s3_post_strategy(cct, implicit_tenant_context, ctl), - swift_strategy(cct, implicit_tenant_context, ctl), - sts_strategy(cct, implicit_tenant_context, ctl) { + rgw::sal::RGWStore* store) + : s3_main_strategy(cct, implicit_tenant_context, store), + s3_post_strategy(cct, implicit_tenant_context, store), + swift_strategy(cct, implicit_tenant_context, store), + sts_strategy(cct, implicit_tenant_context, store) { } const s3_main_strategy_t& get_s3_main() const { @@ -87,8 +87,8 @@ public: static std::shared_ptr create(CephContext* const cct, ImplicitTenants& implicit_tenant_context, - RGWCtl* const ctl) { - return std::make_shared(cct, implicit_tenant_context, ctl); + rgw::sal::RGWStore* store) { + return std::make_shared(cct, implicit_tenant_context, store); } }; diff --git a/src/rgw/rgw_auth_s3.h b/src/rgw/rgw_auth_s3.h index 20767bedf64..33e563320f9 100644 --- a/src/rgw/rgw_auth_s3.h +++ b/src/rgw/rgw_auth_s3.h @@ -35,7 +35,7 @@ class STSAuthStrategy : public rgw::auth::Strategy, public rgw::auth::LocalApplier::Factory, public rgw::auth::RoleApplier::Factory { typedef rgw::auth::IdentityApplier::aplptr_t aplptr_t; - RGWCtl* const ctl; + rgw::sal::RGWStore* store; rgw::auth::ImplicitTenants& implicit_tenant_context; STSEngine sts_engine; @@ -45,8 +45,8 @@ class STSAuthStrategy : public rgw::auth::Strategy, rgw::auth::RemoteApplier::acl_strategy_t&& acl_alg, const rgw::auth::RemoteApplier::AuthInfo &info ) const override { - auto apl = rgw::auth::add_sysreq(cct, ctl, s, - rgw::auth::RemoteApplier(cct, ctl, std::move(acl_alg), info, + auto apl = rgw::auth::add_sysreq(cct, store, s, + rgw::auth::RemoteApplier(cct, store, std::move(acl_alg), info, implicit_tenant_context, rgw::auth::ImplicitTenants::IMPLICIT_TENANTS_S3)); return aplptr_t(new decltype(apl)(std::move(apl))); @@ -57,7 +57,7 @@ class STSAuthStrategy : public rgw::auth::Strategy, const RGWUserInfo& user_info, const std::string& subuser, const boost::optional& perm_mask) const override { - auto apl = rgw::auth::add_sysreq(cct, ctl, s, + auto apl = rgw::auth::add_sysreq(cct, store, s, rgw::auth::LocalApplier(cct, user_info, subuser, perm_mask)); return aplptr_t(new decltype(apl)(std::move(apl))); } @@ -70,19 +70,19 @@ class STSAuthStrategy : public rgw::auth::Strategy, const std::string& role_session_name, const std::vector& token_claims, const std::string& token_issued_at) const override { - auto apl = rgw::auth::add_sysreq(cct, ctl, s, + auto apl = rgw::auth::add_sysreq(cct, store, s, rgw::auth::RoleApplier(cct, role, user_id, token_policy, role_session_name, token_claims, token_issued_at)); return aplptr_t(new decltype(apl)(std::move(apl))); } public: STSAuthStrategy(CephContext* const cct, - RGWCtl* const ctl, + rgw::sal::RGWStore* store, rgw::auth::ImplicitTenants& implicit_tenant_context, AWSEngine::VersionAbstractor* const ver_abstractor) - : ctl(ctl), + : store(store), implicit_tenant_context(implicit_tenant_context), - sts_engine(cct, ctl, *ver_abstractor, + sts_engine(cct, store, *ver_abstractor, static_cast(this), static_cast(this), static_cast(this)) { @@ -99,7 +99,7 @@ public: class ExternalAuthStrategy : public rgw::auth::Strategy, public rgw::auth::RemoteApplier::Factory { typedef rgw::auth::IdentityApplier::aplptr_t aplptr_t; - RGWCtl* const ctl; + rgw::sal::RGWStore* store; rgw::auth::ImplicitTenants& implicit_tenant_context; using keystone_config_t = rgw::keystone::CephCtxConfig; @@ -115,8 +115,8 @@ class ExternalAuthStrategy : public rgw::auth::Strategy, rgw::auth::RemoteApplier::acl_strategy_t&& acl_alg, const rgw::auth::RemoteApplier::AuthInfo &info ) const override { - auto apl = rgw::auth::add_sysreq(cct, ctl, s, - rgw::auth::RemoteApplier(cct, ctl, std::move(acl_alg), info, + auto apl = rgw::auth::add_sysreq(cct, store, s, + rgw::auth::RemoteApplier(cct, store, std::move(acl_alg), info, implicit_tenant_context, rgw::auth::ImplicitTenants::IMPLICIT_TENANTS_S3)); /* TODO(rzarzynski): replace with static_ptr. */ @@ -125,12 +125,12 @@ class ExternalAuthStrategy : public rgw::auth::Strategy, public: ExternalAuthStrategy(CephContext* const cct, - RGWCtl* const ctl, + rgw::sal::RGWStore* store, rgw::auth::ImplicitTenants& implicit_tenant_context, AWSEngine::VersionAbstractor* const ver_abstractor) - : ctl(ctl), + : store(store), implicit_tenant_context(implicit_tenant_context), - ldap_engine(cct, ctl, *ver_abstractor, + ldap_engine(cct, store, *ver_abstractor, static_cast(this)) { if (cct->_conf->rgw_s3_auth_use_keystone && @@ -166,7 +166,7 @@ class AWSAuthStrategy : public rgw::auth::Strategy, AbstractorT>::value, "AbstractorT must be a subclass of rgw::auth::s3::VersionAbstractor"); - RGWCtl* const ctl; + rgw::sal::RGWStore* store; AbstractorT ver_abstractor; S3AnonymousEngine anonymous_engine; @@ -179,7 +179,7 @@ class AWSAuthStrategy : public rgw::auth::Strategy, const RGWUserInfo& user_info, const std::string& subuser, const boost::optional& perm_mask) const override { - auto apl = rgw::auth::add_sysreq(cct, ctl, s, + auto apl = rgw::auth::add_sysreq(cct, store, s, rgw::auth::LocalApplier(cct, user_info, subuser, perm_mask)); /* TODO(rzarzynski): replace with static_ptr. */ return aplptr_t(new decltype(apl)(std::move(apl))); @@ -224,14 +224,14 @@ public: AWSAuthStrategy(CephContext* const cct, rgw::auth::ImplicitTenants& implicit_tenant_context, - RGWCtl* const ctl) - : ctl(ctl), + rgw::sal::RGWStore* store) + : store(store), ver_abstractor(cct), anonymous_engine(cct, static_cast(this)), - external_engines(cct, ctl, implicit_tenant_context, &ver_abstractor), - sts_engine(cct, ctl, implicit_tenant_context, &ver_abstractor), - local_engine(cct, ctl, ver_abstractor, + external_engines(cct, store, implicit_tenant_context, &ver_abstractor), + sts_engine(cct, store, implicit_tenant_context, &ver_abstractor), + local_engine(cct, store, ver_abstractor, static_cast(this)) { /* The anonymous auth. */ if (AllowAnonAccessT) { diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h index 3631273075d..2a50c6600b1 100644 --- a/src/rgw/rgw_common.h +++ b/src/rgw/rgw_common.h @@ -1596,7 +1596,6 @@ struct req_state : DoutPrefixProvider { Clock::duration time_elapsed() const { return Clock::now() - time; } RGWObjectCtx *obj_ctx{nullptr}; - RGWSysObjectCtx *sysobj_ctx{nullptr}; string dialect; string req_id; string trans_id; diff --git a/src/rgw/rgw_frontend.h b/src/rgw/rgw_frontend.h index 6c5a61c8f7e..50519b21dea 100644 --- a/src/rgw/rgw_frontend.h +++ b/src/rgw/rgw_frontend.h @@ -291,7 +291,7 @@ class RGWFrontendPauser : public RGWRealmReloader::Pauser { /* Initialize the registry of auth strategies which will coordinate * the dynamic reconfiguration. */ auto auth_registry = \ - rgw::auth::StrategyRegistry::create(g_ceph_context, implicit_tenants, store->get_ctl()); + rgw::auth::StrategyRegistry::create(g_ceph_context, implicit_tenants, store); for (auto frontend : frontends) frontend->unpause_with_new_config(store, auth_registry); diff --git a/src/rgw/rgw_lib.h b/src/rgw/rgw_lib.h index 11e09efe05f..7e272f54aae 100644 --- a/src/rgw/rgw_lib.h +++ b/src/rgw/rgw_lib.h @@ -131,7 +131,6 @@ namespace rgw { std::unique_ptr tuser; // Don't use this. It's empty except during init. public: CephContext* cct; - boost::optional sysobj_ctx; /* unambiguiously return req_state */ inline struct req_state* get_state() { return this->RGWRequest::s; } @@ -161,10 +160,7 @@ namespace rgw { RGWRequest::init_state(_s); RGWHandler::init(rados_ctx->get_store(), _s, io); - sysobj_ctx.emplace(static_cast(store)->svc()->sysobj); - get_state()->obj_ctx = rados_ctx; - get_state()->sysobj_ctx = &(sysobj_ctx.get()); get_state()->req_id = static_cast(store)->svc()->zone_utils->unique_id(id); get_state()->trans_id = static_cast(store)->svc()->zone_utils->unique_trans_id(id); get_state()->bucket_tenant = tuser->get_tenant(); @@ -203,11 +199,7 @@ namespace rgw { RGWRequest::init_state(&rstate); RGWHandler::init(rados_ctx.get_store(), &rstate, &io_ctx); - sysobj_ctx.emplace(static_cast(store)->svc()->sysobj); - - get_state()->cio = &io_ctx; get_state()->obj_ctx = &rados_ctx; - get_state()->sysobj_ctx = &(sysobj_ctx.get()); get_state()->req_id = static_cast(store)->svc()->zone_utils->unique_id(id); get_state()->trans_id = static_cast(store)->svc()->zone_utils->unique_trans_id(id); diff --git a/src/rgw/rgw_main.cc b/src/rgw/rgw_main.cc index 3223d7b0e26..b9fa385e946 100644 --- a/src/rgw/rgw_main.cc +++ b/src/rgw/rgw_main.cc @@ -483,7 +483,7 @@ int radosgw_Main(int argc, const char **argv) rgw::auth::ImplicitTenants implicit_tenant_context{g_conf()}; g_conf().add_observer(&implicit_tenant_context); auto auth_registry = \ - rgw::auth::StrategyRegistry::create(g_ceph_context, implicit_tenant_context, store->get_ctl()); + rgw::auth::StrategyRegistry::create(g_ceph_context, implicit_tenant_context, store); /* Header custom behavior */ rest.register_x_headers(g_conf()->rgw_log_http_headers); diff --git a/src/rgw/rgw_oidc_provider.cc b/src/rgw/rgw_oidc_provider.cc index 7f00a7fc1c7..7e420bbeb52 100644 --- a/src/rgw/rgw_oidc_provider.cc +++ b/src/rgw/rgw_oidc_provider.cc @@ -33,13 +33,10 @@ int RGWOIDCProvider::store_url(const string& url, bool exclusive, using ceph::encode; string oid = tenant + get_url_oid_prefix() + url; - auto svc = ctl->svc; - bufferlist bl; encode(*this, bl); - auto obj_ctx = svc->sysobj->init_obj_ctx(); - return rgw_put_system_obj(obj_ctx, svc->zone->get_zone_params().oidc_pool, oid, - bl, exclusive, NULL, real_time(), y); + return store->put_system_obj(store->get_zone_params().oidc_pool, oid, + bl, exclusive, NULL, real_time(), y); } int RGWOIDCProvider::get_tenant_url_from_arn(string& tenant, string& url) @@ -95,9 +92,7 @@ int RGWOIDCProvider::create(const DoutPrefixProvider *dpp, bool exclusive, optio sprintf(buf + strlen(buf),".%dZ",(int)tv.tv_usec/1000); creation_date.assign(buf, strlen(buf)); - auto svc = ctl->svc; - - auto& pool = svc->zone->get_zone_params().oidc_pool; + auto& pool = store->get_zone_params().oidc_pool; ret = store_url(idp_url, exclusive, y); if (ret < 0) { ldpp_dout(dpp, 0) << "ERROR: storing role info in pool: " << pool.name << ": " @@ -110,8 +105,7 @@ int RGWOIDCProvider::create(const DoutPrefixProvider *dpp, bool exclusive, optio int RGWOIDCProvider::delete_obj(optional_yield y) { - auto svc = ctl->svc; - auto& pool = svc->zone->get_zone_params().oidc_pool; + auto& pool = store->get_zone_params().oidc_pool; string url, tenant; auto ret = get_tenant_url_from_arn(tenant, url); @@ -128,7 +122,7 @@ int RGWOIDCProvider::delete_obj(optional_yield y) // Delete url string oid = tenant + get_url_oid_prefix() + url; - ret = rgw_delete_system_obj(svc->sysobj, pool, oid, NULL, y); + ret = store->delete_system_obj(pool, oid, NULL, y); if (ret < 0) { ldout(cct, 0) << "ERROR: deleting oidc url from pool: " << pool.name << ": " << provider_url << ": " << cpp_strerror(-ret) << dendl; @@ -188,13 +182,11 @@ void RGWOIDCProvider::decode_json(JSONObj *obj) int RGWOIDCProvider::read_url(const DoutPrefixProvider *dpp, const string& url, const string& tenant) { - auto svc = ctl->svc; - auto& pool = svc->zone->get_zone_params().oidc_pool; + auto& pool = store->get_zone_params().oidc_pool; string oid = tenant + get_url_oid_prefix() + url; bufferlist bl; - auto obj_ctx = svc->sysobj->init_obj_ctx(); - int ret = rgw_get_system_obj(obj_ctx, pool, oid, bl, NULL, NULL, null_yield, dpp); + int ret = store->get_system_obj(dpp, pool, oid, bl, NULL, NULL, null_yield); if (ret < 0) { return ret; } @@ -248,8 +240,6 @@ int RGWOIDCProvider::get_providers(const DoutPrefixProvider *dpp, const string& tenant, vector& providers) { - auto ctl = store->get_ctl(); - auto svc = ctl->svc; auto pool = store->get_zone_params().oidc_pool; string prefix = tenant + oidc_url_oid_prefix; @@ -266,11 +256,10 @@ int RGWOIDCProvider::get_providers(const DoutPrefixProvider *dpp, return r; } for (const auto& iter : oids) { - RGWOIDCProvider provider(ctl->cct, store->get_ctl()); + RGWOIDCProvider provider(store->ctx(), store); bufferlist bl; - auto obj_ctx = svc->sysobj->init_obj_ctx(); - int ret = rgw_get_system_obj(obj_ctx, pool, iter, bl, NULL, NULL, null_yield, dpp); + int ret = store->get_system_obj(dpp, pool, iter, bl, NULL, NULL, null_yield); if (ret < 0) { return ret; } diff --git a/src/rgw/rgw_oidc_provider.h b/src/rgw/rgw_oidc_provider.h index a19803afc10..d654b85b4ef 100644 --- a/src/rgw/rgw_oidc_provider.h +++ b/src/rgw/rgw_oidc_provider.h @@ -11,7 +11,6 @@ #include "rgw/rgw_sal.h" -class RGWCtl; class RGWOIDCProvider { @@ -25,7 +24,7 @@ class RGWOIDCProvider static constexpr int MAX_OIDC_URL_LEN = 255; CephContext *cct; - RGWCtl *ctl; + rgw::sal::RGWStore* store; string id; string provider_url; string arn; @@ -41,13 +40,13 @@ class RGWOIDCProvider public: RGWOIDCProvider(CephContext *cct, - RGWCtl *ctl, + rgw::sal::RGWStore* store, string provider_url, string tenant, vector client_ids, vector thumbprints) : cct(cct), - ctl(ctl), + store(store), provider_url(std::move(provider_url)), tenant(std::move(tenant)), client_ids(std::move(client_ids)), @@ -55,26 +54,26 @@ public: } RGWOIDCProvider(CephContext *cct, - RGWCtl *ctl, + rgw::sal::RGWStore* store, string arn, string tenant) : cct(cct), - ctl(ctl), + store(store), arn(std::move(arn)), tenant(std::move(tenant)) { } RGWOIDCProvider(CephContext *cct, - RGWCtl *ctl, + rgw::sal::RGWStore* store, string tenant) : cct(cct), - ctl(ctl), + store(store), tenant(std::move(tenant)) {} RGWOIDCProvider(CephContext *cct, - RGWCtl *ctl) + rgw::sal::RGWStore* store) : cct(cct), - ctl(ctl) {} + store(store) {} RGWOIDCProvider() {} diff --git a/src/rgw/rgw_process.cc b/src/rgw/rgw_process.cc index 3cfe5d53a0a..d60c9c5a11c 100644 --- a/src/rgw/rgw_process.cc +++ b/src/rgw/rgw_process.cc @@ -201,9 +201,6 @@ int process_request(rgw::sal::RGWStore* const store, RGWObjectCtx rados_ctx(store, s); s->obj_ctx = &rados_ctx; - auto sysobj_ctx = static_cast(store)->svc()->sysobj->init_obj_ctx(); - s->sysobj_ctx = &sysobj_ctx; - if (ret < 0) { s->cio = client_io; abort_early(s, nullptr, ret, nullptr, yield); diff --git a/src/rgw/rgw_rest_oidc_provider.cc b/src/rgw/rgw_rest_oidc_provider.cc index 7d2cea60fd1..764f69b27ef 100644 --- a/src/rgw/rgw_rest_oidc_provider.cc +++ b/src/rgw/rgw_rest_oidc_provider.cc @@ -121,7 +121,7 @@ void RGWCreateOIDCProvider::execute(optional_yield y) return; } - RGWOIDCProvider provider(s->cct, store->get_ctl(), provider_url, + RGWOIDCProvider provider(s->cct, store, provider_url, s->user->get_tenant(), client_ids, thumbprints); op_ret = provider.create(s, true, y); @@ -140,7 +140,7 @@ void RGWCreateOIDCProvider::execute(optional_yield y) void RGWDeleteOIDCProvider::execute(optional_yield y) { - RGWOIDCProvider provider(s->cct, store->get_ctl(), provider_arn, s->user->get_tenant()); + RGWOIDCProvider provider(s->cct, store, provider_arn, s->user->get_tenant()); op_ret = provider.delete_obj(y); if (op_ret < 0 && op_ret != -ENOENT && op_ret != -EINVAL) { @@ -158,7 +158,7 @@ void RGWDeleteOIDCProvider::execute(optional_yield y) void RGWGetOIDCProvider::execute(optional_yield y) { - RGWOIDCProvider provider(s->cct, store->get_ctl(), provider_arn, s->user->get_tenant()); + RGWOIDCProvider provider(s->cct, store, provider_arn, s->user->get_tenant()); op_ret = provider.get(s); if (op_ret < 0 && op_ret != -ENOENT && op_ret != -EINVAL) { diff --git a/src/rgw/rgw_rest_role.cc b/src/rgw/rgw_rest_role.cc index 6693de0dbdf..68239081566 100644 --- a/src/rgw/rgw_rest_role.cc +++ b/src/rgw/rgw_rest_role.cc @@ -26,7 +26,7 @@ int RGWRestRole::verify_permission(optional_yield y) } string role_name = s->info.args.get("RoleName"); - RGWRole role(s->cct, store->get_ctl(), role_name, s->user->get_tenant()); + RGWRole role(s->cct, store, role_name, s->user->get_tenant()); if (op_ret = role.get(s, y); op_ret < 0) { if (op_ret == -ENOENT) { op_ret = -ERR_NO_ROLE_FOUND; @@ -130,7 +130,7 @@ void RGWCreateRole::execute(optional_yield y) if (op_ret < 0) { return; } - RGWRole role(s->cct, store->get_ctl(), role_name, role_path, trust_policy, + RGWRole role(s->cct, store, role_name, role_path, trust_policy, s->user->get_tenant(), max_session_duration); op_ret = role.create(s, true, y); @@ -229,7 +229,7 @@ void RGWGetRole::execute(optional_yield y) if (op_ret < 0) { return; } - RGWRole role(s->cct, store->get_ctl(), role_name, s->user->get_tenant()); + RGWRole role(s->cct, store, role_name, s->user->get_tenant()); op_ret = role.get(s, y); if (op_ret == -ENOENT) { diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index de8b50576ab..989c8fe31a4 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -5720,11 +5720,12 @@ rgw::auth::s3::LocalEngine::authenticate( optional_yield y) const { /* get the user info */ - RGWUserInfo user_info; + std::unique_ptr user; /* TODO(rzarzynski): we need to have string-view taking variant. */ - const std::string access_key_id(_access_key_id); - if (rgw_get_user_info_by_access_key(dpp, ctl->user, access_key_id, user_info, y) < 0) { - ldpp_dout(dpp, 5) << "error reading user info, uid=" << access_key_id + RGWAccessKey access_key; + access_key.id = _access_key_id; + if (store->get_user(dpp, access_key, y, &user) < 0) { + ldpp_dout(dpp, 5) << "error reading user info, uid=" << access_key.id << " can't authenticate" << dendl; return result_t::deny(-ERR_INVALID_ACCESS_KEY); } @@ -5737,8 +5738,8 @@ rgw::auth::s3::LocalEngine::authenticate( } }*/ - const auto iter = user_info.access_keys.find(access_key_id); - if (iter == std::end(user_info.access_keys)) { + const auto iter = user->get_info().access_keys.find(access_key.id); + if (iter == std::end(user->get_info().access_keys)) { ldpp_dout(dpp, 0) << "ERROR: access key not encoded in user info" << dendl; return result_t::deny(-EPERM); } @@ -5759,7 +5760,7 @@ rgw::auth::s3::LocalEngine::authenticate( return result_t::deny(-ERR_SIGNATURE_NO_MATCH); } - auto apl = apl_factory->create_apl_local(cct, s, user_info, k.subuser, boost::none); + auto apl = apl_factory->create_apl_local(cct, s, user->get_info(), k.subuser, boost::none); return result_t::grant(std::move(apl), completer_factory(k.key)); } @@ -5891,12 +5892,12 @@ rgw::auth::s3::STSEngine::authenticate( } // Get all the authorization info - RGWUserInfo user_info; + std::unique_ptr user; rgw_user user_id; string role_id; rgw::auth::RoleApplier::Role r; if (! token.roleId.empty()) { - RGWRole role(s->cct, ctl, token.roleId); + RGWRole role(s->cct, store, token.roleId); if (role.get_by_id(dpp, y) < 0) { return result_t::deny(-EPERM); } @@ -5915,9 +5916,10 @@ rgw::auth::s3::STSEngine::authenticate( user_id = token.user; } + user = store->get_user(token.user); if (! token.user.empty() && token.acct_type != TYPE_ROLE) { // get user info - int ret = rgw_get_user_info_by_uid(dpp, ctl->user, token.user, user_info, y, NULL); + int ret = user->load_by_id(dpp, y); if (ret < 0) { ldpp_dout(dpp, 5) << "ERROR: failed reading user info: uid=" << token.user << dendl; return result_t::reject(-EPERM); @@ -5933,7 +5935,7 @@ rgw::auth::s3::STSEngine::authenticate( return result_t::grant(std::move(apl), completer_factory(token.secret_access_key)); } else { // This is for all local users of type TYPE_RGW or TYPE_NONE string subuser; - auto apl = local_apl_factory->create_apl_local(cct, s, user_info, subuser, token.perm_mask); + auto apl = local_apl_factory->create_apl_local(cct, s, user->get_info(), subuser, token.perm_mask); return result_t::grant(std::move(apl), completer_factory(token.secret_access_key)); } } diff --git a/src/rgw/rgw_rest_s3.h b/src/rgw/rgw_rest_s3.h index 5faf16fec19..d3acce2064b 100644 --- a/src/rgw/rgw_rest_s3.h +++ b/src/rgw/rgw_rest_s3.h @@ -1091,7 +1091,7 @@ class LDAPEngine : public AWSEngine { using result_t = rgw::auth::Engine::result_t; protected: - RGWCtl* const ctl; + rgw::sal::RGWStore* store; const rgw::auth::RemoteApplier::Factory* const apl_factory; acl_strategy_t get_acl_strategy() const; @@ -1108,11 +1108,11 @@ protected: optional_yield y) const override; public: LDAPEngine(CephContext* const cct, - RGWCtl* const ctl, + rgw::sal::RGWStore* store, const VersionAbstractor& ver_abstractor, const rgw::auth::RemoteApplier::Factory* const apl_factory) : AWSEngine(cct, ver_abstractor), - ctl(ctl), + store(store), apl_factory(apl_factory) { init(cct); } @@ -1128,7 +1128,7 @@ public: }; class LocalEngine : public AWSEngine { - RGWCtl* const ctl; + rgw::sal::RGWStore* store; const rgw::auth::LocalApplier::Factory* const apl_factory; result_t authenticate(const DoutPrefixProvider* dpp, @@ -1142,11 +1142,11 @@ class LocalEngine : public AWSEngine { optional_yield y) const override; public: LocalEngine(CephContext* const cct, - RGWCtl* const ctl, + rgw::sal::RGWStore* store, const VersionAbstractor& ver_abstractor, const rgw::auth::LocalApplier::Factory* const apl_factory) : AWSEngine(cct, ver_abstractor), - ctl(ctl), + store(store), apl_factory(apl_factory) { } @@ -1158,7 +1158,7 @@ public: }; class STSEngine : public AWSEngine { - RGWCtl* const ctl; + rgw::sal::RGWStore* store; const rgw::auth::LocalApplier::Factory* const local_apl_factory; const rgw::auth::RemoteApplier::Factory* const remote_apl_factory; const rgw::auth::RoleApplier::Factory* const role_apl_factory; @@ -1183,13 +1183,13 @@ class STSEngine : public AWSEngine { optional_yield y) const override; public: STSEngine(CephContext* const cct, - RGWCtl* const ctl, + rgw::sal::RGWStore* store, const VersionAbstractor& ver_abstractor, const rgw::auth::LocalApplier::Factory* const local_apl_factory, const rgw::auth::RemoteApplier::Factory* const remote_apl_factory, const rgw::auth::RoleApplier::Factory* const role_apl_factory) : AWSEngine(cct, ver_abstractor), - ctl(ctl), + store(store), local_apl_factory(local_apl_factory), remote_apl_factory(remote_apl_factory), role_apl_factory(role_apl_factory) { diff --git a/src/rgw/rgw_rest_sts.cc b/src/rgw/rgw_rest_sts.cc index 03920b4766d..38a0a0c2d96 100644 --- a/src/rgw/rgw_rest_sts.cc +++ b/src/rgw/rgw_rest_sts.cc @@ -82,7 +82,7 @@ WebTokenEngine::get_provider(const DoutPrefixProvider *dpp, const string& role_a } auto provider_arn = rgw::ARN(idp_url, "oidc-provider", tenant); string p_arn = provider_arn.to_string(); - RGWOIDCProvider provider(cct, ctl, p_arn, tenant); + RGWOIDCProvider provider(cct, store, p_arn, tenant); auto ret = provider.get(dpp); if (ret < 0) { return boost::none; diff --git a/src/rgw/rgw_rest_sts.h b/src/rgw/rgw_rest_sts.h index 797ce204c1f..ad7932df0ca 100644 --- a/src/rgw/rgw_rest_sts.h +++ b/src/rgw/rgw_rest_sts.h @@ -15,7 +15,7 @@ namespace rgw::auth::sts { class WebTokenEngine : public rgw::auth::Engine { CephContext* const cct; - RGWCtl* const ctl; + rgw::sal::RGWStore* store; using result_t = rgw::auth::Engine::result_t; using token_t = rgw::web_idp::WebTokenClaims; @@ -44,11 +44,11 @@ class WebTokenEngine : public rgw::auth::Engine { public: WebTokenEngine(CephContext* const cct, - RGWCtl* const ctl, + rgw::sal::RGWStore* store, const rgw::auth::TokenExtractor* const extractor, const rgw::auth::WebIdentityApplier::Factory* const apl_factory) : cct(cct), - ctl(ctl), + store(store), extractor(extractor), apl_factory(apl_factory) { } @@ -65,7 +65,7 @@ public: class DefaultStrategy : public rgw::auth::Strategy, public rgw::auth::TokenExtractor, public rgw::auth::WebIdentityApplier::Factory { - RGWCtl* const ctl; + rgw::sal::RGWStore* store; ImplicitTenants& implicit_tenant_context; /* The engine. */ @@ -83,18 +83,18 @@ class DefaultStrategy : public rgw::auth::Strategy, const string& role_session, const string& role_tenant, const rgw::web_idp::WebTokenClaims& token) const override { - auto apl = rgw::auth::add_sysreq(cct, ctl, s, - rgw::auth::WebIdentityApplier(cct, ctl, role_session, role_tenant, token)); + auto apl = rgw::auth::add_sysreq(cct, store, s, + rgw::auth::WebIdentityApplier(cct, store, role_session, role_tenant, token)); return aplptr_t(new decltype(apl)(std::move(apl))); } public: DefaultStrategy(CephContext* const cct, ImplicitTenants& implicit_tenant_context, - RGWCtl* const ctl) - : ctl(ctl), + rgw::sal::RGWStore* store) + : store(store), implicit_tenant_context(implicit_tenant_context), - web_token_engine(cct, ctl, + web_token_engine(cct, store, static_cast(this), static_cast(this)) { /* When the constructor's body is being executed, all member engines diff --git a/src/rgw/rgw_role.cc b/src/rgw/rgw_role.cc index 1dc7c123198..c3f408c0ba0 100644 --- a/src/rgw/rgw_role.cc +++ b/src/rgw/rgw_role.cc @@ -38,11 +38,8 @@ int RGWRole::store_info(bool exclusive, optional_yield y) bufferlist bl; encode(*this, bl); - auto svc = ctl->svc; - - auto obj_ctx = ctl->svc->sysobj->init_obj_ctx(); - return rgw_put_system_obj(obj_ctx, svc->zone->get_zone_params().roles_pool, oid, - bl, exclusive, NULL, real_time(), y, NULL); + return store->put_system_obj(store->get_zone_params().roles_pool, oid, + bl, exclusive, NULL, real_time(), y, NULL); } int RGWRole::store_name(bool exclusive, optional_yield y) @@ -56,23 +53,17 @@ int RGWRole::store_name(bool exclusive, optional_yield y) using ceph::encode; encode(nameToId, bl); - auto svc = ctl->svc; - - auto obj_ctx = svc->sysobj->init_obj_ctx(); - return rgw_put_system_obj(obj_ctx, svc->zone->get_zone_params().roles_pool, oid, - bl, exclusive, NULL, real_time(), y, NULL); + return store->put_system_obj(store->get_zone_params().roles_pool, oid, + bl, exclusive, NULL, real_time(), y, NULL); } int RGWRole::store_path(bool exclusive, optional_yield y) { string oid = tenant + get_path_oid_prefix() + path + get_info_oid_prefix() + id; - auto svc = ctl->svc; - bufferlist bl; - auto obj_ctx = svc->sysobj->init_obj_ctx(); - return rgw_put_system_obj(obj_ctx, svc->zone->get_zone_params().roles_pool, oid, - bl, exclusive, NULL, real_time(), y, NULL); + return store->put_system_obj(store->get_zone_params().roles_pool, oid, + bl, exclusive, NULL, real_time(), y, NULL); } int RGWRole::create(const DoutPrefixProvider *dpp, bool exclusive, optional_yield y) @@ -118,9 +109,7 @@ int RGWRole::create(const DoutPrefixProvider *dpp, bool exclusive, optional_yiel sprintf(buf + strlen(buf),".%dZ",(int)tv.tv_usec/1000); creation_date.assign(buf, strlen(buf)); - auto svc = ctl->svc; - - auto& pool = svc->zone->get_zone_params().roles_pool; + auto& pool = store->get_zone_params().roles_pool; ret = store_info(exclusive, y); if (ret < 0) { ldpp_dout(dpp, 0) << "ERROR: storing role info in pool: " << pool.name << ": " @@ -135,7 +124,7 @@ int RGWRole::create(const DoutPrefixProvider *dpp, bool exclusive, optional_yiel //Delete the role info that was stored in the previous call string oid = get_info_oid_prefix() + id; - int info_ret = rgw_delete_system_obj(svc->sysobj, pool, oid, NULL, y); + int info_ret = store->delete_system_obj(pool, oid, nullptr, y); if (info_ret < 0) { ldpp_dout(dpp, 0) << "ERROR: cleanup of role id from pool: " << pool.name << ": " << id << ": " << cpp_strerror(-info_ret) << dendl; @@ -149,14 +138,14 @@ int RGWRole::create(const DoutPrefixProvider *dpp, bool exclusive, optional_yiel << path << ": " << cpp_strerror(-ret) << dendl; //Delete the role info that was stored in the previous call string oid = get_info_oid_prefix() + id; - int info_ret = rgw_delete_system_obj(svc->sysobj, pool, oid, NULL, y); + int info_ret = store->delete_system_obj(pool, oid, nullptr, y); if (info_ret < 0) { ldpp_dout(dpp, 0) << "ERROR: cleanup of role id from pool: " << pool.name << ": " << id << ": " << cpp_strerror(-info_ret) << dendl; } //Delete role name that was stored in previous call oid = tenant + get_names_oid_prefix() + name; - int name_ret = rgw_delete_system_obj(svc->sysobj, pool, oid, NULL, y); + int name_ret = store->delete_system_obj(pool, oid, nullptr, y); if (name_ret < 0) { ldpp_dout(dpp, 0) << "ERROR: cleanup of role name from pool: " << pool.name << ": " << name << ": " << cpp_strerror(-name_ret) << dendl; @@ -168,8 +157,7 @@ int RGWRole::create(const DoutPrefixProvider *dpp, bool exclusive, optional_yiel int RGWRole::delete_obj(const DoutPrefixProvider *dpp, optional_yield y) { - auto svc = ctl->svc; - auto& pool = svc->zone->get_zone_params().roles_pool; + auto& pool = store->get_zone_params().roles_pool; int ret = read_name(dpp, y); if (ret < 0) { @@ -187,7 +175,7 @@ int RGWRole::delete_obj(const DoutPrefixProvider *dpp, optional_yield y) // Delete id string oid = get_info_oid_prefix() + id; - ret = rgw_delete_system_obj(svc->sysobj, pool, oid, NULL, y); + ret = store->delete_system_obj(pool, oid, nullptr, y); if (ret < 0) { ldpp_dout(dpp, 0) << "ERROR: deleting role id from pool: " << pool.name << ": " << id << ": " << cpp_strerror(-ret) << dendl; @@ -195,7 +183,7 @@ int RGWRole::delete_obj(const DoutPrefixProvider *dpp, optional_yield y) // Delete name oid = tenant + get_names_oid_prefix() + name; - ret = rgw_delete_system_obj(svc->sysobj, pool, oid, NULL, y); + ret = store->delete_system_obj(pool, oid, nullptr, y); if (ret < 0) { ldpp_dout(dpp, 0) << "ERROR: deleting role name from pool: " << pool.name << ": " << name << ": " << cpp_strerror(-ret) << dendl; @@ -203,7 +191,7 @@ int RGWRole::delete_obj(const DoutPrefixProvider *dpp, optional_yield y) // Delete path oid = tenant + get_path_oid_prefix() + path + get_info_oid_prefix() + id; - ret = rgw_delete_system_obj(svc->sysobj, pool, oid, NULL, y); + ret = store->delete_system_obj(pool, oid, nullptr, y); if (ret < 0) { ldpp_dout(dpp, 0) << "ERROR: deleting role path from pool: " << pool.name << ": " << path << ": " << cpp_strerror(-ret) << dendl; @@ -238,7 +226,7 @@ int RGWRole::get_by_id(const DoutPrefixProvider *dpp, optional_yield y) int RGWRole::update(optional_yield y) { - auto& pool = ctl->svc->zone->get_zone_params().roles_pool; + auto& pool = store->get_zone_params().roles_pool; int ret = store_info(false, y); if (ret < 0) { @@ -314,13 +302,11 @@ void RGWRole::decode_json(JSONObj *obj) int RGWRole::read_id(const DoutPrefixProvider *dpp, const string& role_name, const string& tenant, string& role_id, optional_yield y) { - auto svc = ctl->svc; - auto& pool = svc->zone->get_zone_params().roles_pool; + auto& pool = store->get_zone_params().roles_pool; string oid = tenant + get_names_oid_prefix() + role_name; bufferlist bl; - auto obj_ctx = svc->sysobj->init_obj_ctx(); - int ret = rgw_get_system_obj(obj_ctx, pool, oid, bl, NULL, NULL, y, dpp); + int ret = store->get_system_obj(dpp, pool, oid, bl, NULL, NULL, y); if (ret < 0) { return ret; } @@ -341,13 +327,11 @@ int RGWRole::read_id(const DoutPrefixProvider *dpp, const string& role_name, con int RGWRole::read_info(const DoutPrefixProvider *dpp, optional_yield y) { - auto svc = ctl->svc; - auto& pool = svc->zone->get_zone_params().roles_pool; + auto& pool = store->get_zone_params().roles_pool; string oid = get_info_oid_prefix() + id; bufferlist bl; - auto obj_ctx = svc->sysobj->init_obj_ctx(); - int ret = rgw_get_system_obj(obj_ctx, pool, oid, bl, NULL, NULL, y, dpp); + int ret = store->get_system_obj(dpp, pool, oid, bl, NULL, NULL, y); if (ret < 0) { ldpp_dout(dpp, 0) << "ERROR: failed reading role info from pool: " << pool.name << ": " << id << ": " << cpp_strerror(-ret) << dendl; @@ -369,13 +353,11 @@ int RGWRole::read_info(const DoutPrefixProvider *dpp, optional_yield y) int RGWRole::read_name(const DoutPrefixProvider *dpp, optional_yield y) { - auto svc = ctl->svc; - auto& pool = svc->zone->get_zone_params().roles_pool; + auto& pool = store->get_zone_params().roles_pool; string oid = tenant + get_names_oid_prefix() + name; bufferlist bl; - auto obj_ctx = svc->sysobj->init_obj_ctx(); - int ret = rgw_get_system_obj(obj_ctx, pool, oid, bl, NULL, NULL, y, dpp); + int ret = store->get_system_obj(dpp, pool, oid, bl, NULL, NULL, y); if (ret < 0) { ldpp_dout(dpp, 0) << "ERROR: failed reading role name from pool: " << pool.name << ": " << name << ": " << cpp_strerror(-ret) << dendl; @@ -492,7 +474,7 @@ int RGWRole::get_roles_by_path_prefix(const DoutPrefixProvider *dpp, //Get id from info oid prefix + id string id = it.substr(pos + role_oid_prefix.length()); - RGWRole role(cct, store->get_ctl()); + RGWRole role(cct, store); role.set_id(id); int ret = role.read_info(dpp, y); if (ret < 0) { diff --git a/src/rgw/rgw_role.h b/src/rgw/rgw_role.h index c8642253cbf..67c43ad07d9 100644 --- a/src/rgw/rgw_role.h +++ b/src/rgw/rgw_role.h @@ -13,7 +13,7 @@ #include "rgw/rgw_rados.h" -struct RGWCtl; +namespace rgw { namespace sal { class RGWStore; } } class RGWRole { @@ -28,7 +28,7 @@ class RGWRole static constexpr uint64_t SESSION_DURATION_MAX = 43200; // in seconds CephContext *cct; - RGWCtl *ctl; + rgw::sal::RGWStore* store; string id; string name; string path; @@ -50,14 +50,14 @@ class RGWRole public: RGWRole(CephContext *cct, - RGWCtl *ctl, + rgw::sal::RGWStore* store, string name, string path, string trust_policy, string tenant, string max_session_duration_str="") : cct(cct), - ctl(ctl), + store(store), name(std::move(name)), path(std::move(path)), trust_policy(std::move(trust_policy)), @@ -73,27 +73,27 @@ public: } RGWRole(CephContext *cct, - RGWCtl *ctl, + rgw::sal::RGWStore* store, string name, string tenant) : cct(cct), - ctl(ctl), + store(store), name(std::move(name)), tenant(std::move(tenant)) { extract_name_tenant(this->name); } RGWRole(CephContext *cct, - RGWCtl *ctl, + rgw::sal::RGWStore* store, string id) : cct(cct), - ctl(ctl), + store(store), id(std::move(id)) {} RGWRole(CephContext *cct, - RGWCtl *ctl) + rgw::sal::RGWStore* store) : cct(cct), - ctl(ctl) {} + store(store) {} RGWRole() {} diff --git a/src/rgw/rgw_sal.h b/src/rgw/rgw_sal.h index 3214046c225..eaa090ac9ff 100644 --- a/src/rgw/rgw_sal.h +++ b/src/rgw/rgw_sal.h @@ -202,6 +202,19 @@ class RGWStore { map& usage) = 0; virtual int trim_all_usage(uint64_t start_epoch, uint64_t end_epoch) = 0; virtual int get_config_key_val(string name, bufferlist *bl) = 0; + virtual int put_system_obj(const rgw_pool& pool, const string& oid, + bufferlist& data, bool exclusive, + RGWObjVersionTracker *objv_tracker, real_time set_mtime, + optional_yield y, map *pattrs = nullptr) = 0; + virtual int get_system_obj(const DoutPrefixProvider *dpp, + const rgw_pool& pool, const string& key, + bufferlist& bl, + RGWObjVersionTracker *objv_tracker, real_time *pmtime, + optional_yield y, map *pattrs = nullptr, + rgw_cache_entry_info *cache_info = nullptr, + boost::optional refresh_version = boost::none) = 0; + virtual int delete_system_obj(const rgw_pool& pool, const string& oid, + RGWObjVersionTracker *objv_tracker, optional_yield y) = 0; virtual void finalize(void) = 0; virtual CephContext *ctx(void) = 0; @@ -236,6 +249,7 @@ class RGWUser { void set_tenant(std::string& _t) { info.user_id.tenant = _t; } const std::string& get_ns() { return info.user_id.ns; } void set_ns(std::string& _ns) { info.user_id.ns = _ns; } + void clear_ns() { info.user_id.ns.clear(); } const rgw_user& get_id() const { return info.user_id; } uint32_t get_type() const { return info.type; } int32_t get_max_buckets() const { return info.max_buckets; } diff --git a/src/rgw/rgw_sal_rados.cc b/src/rgw/rgw_sal_rados.cc index af3e795ee59..3fc2e12e313 100644 --- a/src/rgw/rgw_sal_rados.cc +++ b/src/rgw/rgw_sal_rados.cc @@ -1003,6 +1003,32 @@ int RGWRadosStore::get_config_key_val(string name, bufferlist *bl) return svc()->config_key->get(name, true, bl); } +int RGWRadosStore::put_system_obj(const rgw_pool& pool, const string& oid, + bufferlist& data, bool exclusive, + RGWObjVersionTracker *objv_tracker, real_time set_mtime, + optional_yield y, map *pattrs) +{ + auto obj_ctx = svc()->sysobj->init_obj_ctx(); + return rgw_put_system_obj(obj_ctx, pool, oid, data, exclusive, objv_tracker, set_mtime, y, pattrs); +} + +int RGWRadosStore::get_system_obj(const DoutPrefixProvider *dpp, + const rgw_pool& pool, const string& key, + bufferlist& bl, + RGWObjVersionTracker *objv_tracker, real_time *pmtime, + optional_yield y, map *pattrs, + rgw_cache_entry_info *cache_info, + boost::optional refresh_version) +{ + auto obj_ctx = svc()->sysobj->init_obj_ctx(); + return rgw_get_system_obj(obj_ctx, pool, key, bl, objv_tracker, pmtime, y, dpp, pattrs, cache_info, refresh_version); +} + +int RGWRadosStore::delete_system_obj(const rgw_pool& pool, const string& oid, + RGWObjVersionTracker *objv_tracker, optional_yield y) +{ + return rgw_delete_system_obj(svc()->sysobj, pool, oid, objv_tracker, y); +} void RGWRadosStore::finalize(void) { if (rados) diff --git a/src/rgw/rgw_sal_rados.h b/src/rgw/rgw_sal_rados.h index 9cf5bec8092..9464b5252b5 100644 --- a/src/rgw/rgw_sal_rados.h +++ b/src/rgw/rgw_sal_rados.h @@ -418,6 +418,20 @@ class RGWRadosStore : public RGWStore { map& usage) override; virtual int trim_all_usage(uint64_t start_epoch, uint64_t end_epoch) override; virtual int get_config_key_val(string name, bufferlist *bl) override; + virtual int put_system_obj(const rgw_pool& pool, const string& oid, + bufferlist& data, bool exclusive, + RGWObjVersionTracker *objv_tracker, real_time set_mtime, + optional_yield y, map *pattrs = nullptr) + override; + virtual int get_system_obj(const DoutPrefixProvider *dpp, + const rgw_pool& pool, const string& key, + bufferlist& bl, + RGWObjVersionTracker *objv_tracker, real_time *pmtime, + optional_yield y, map *pattrs = nullptr, + rgw_cache_entry_info *cache_info = nullptr, + boost::optional refresh_version = boost::none) override; + virtual int delete_system_obj(const rgw_pool& pool, const string& oid, + RGWObjVersionTracker *objv_tracker, optional_yield y) override; virtual void finalize(void) override; virtual CephContext *ctx(void) override { return rados->ctx(); } diff --git a/src/rgw/rgw_sts.cc b/src/rgw/rgw_sts.cc index 98aee40c0f7..9673fe66c89 100644 --- a/src/rgw/rgw_sts.cc +++ b/src/rgw/rgw_sts.cc @@ -283,7 +283,7 @@ std::tuple STSService::getRoleInfo(const DoutPrefixProvider *dpp, if (auto r_arn = rgw::ARN::parse(arn); r_arn) { auto pos = r_arn->resource.find_last_of('/'); string roleName = r_arn->resource.substr(pos + 1); - RGWRole role(cct, store->get_ctl(), roleName, r_arn->account); + RGWRole role(cct, store, roleName, r_arn->account); if (int ret = role.get(dpp, y); ret < 0) { if (ret == -ENOENT) { ldpp_dout(dpp, 0) << "Role doesn't exist: " << roleName << dendl; diff --git a/src/rgw/rgw_swift_auth.cc b/src/rgw/rgw_swift_auth.cc index 9e3e29483b3..81e5c009303 100644 --- a/src/rgw/rgw_swift_auth.cc +++ b/src/rgw/rgw_swift_auth.cc @@ -85,43 +85,36 @@ void TempURLEngine::get_owner_info(const DoutPrefixProvider* dpp, const req_stat * the access would be limited to accounts with empty tenant. */ string bucket_tenant; if (!s->account_name.empty()) { - RGWUserInfo uinfo; - bool found = false; + std::unique_ptr user; - const rgw_user uid(s->account_name); + rgw_user uid(s->account_name); if (uid.tenant.empty()) { - const rgw_user tenanted_uid(uid.id, uid.id); - - if (ctl->user->get_info_by_uid(dpp, tenanted_uid, &uinfo, s->yield) >= 0) { - /* Succeeded. */ - bucket_tenant = uinfo.user_id.tenant; - found = true; - } + uid.tenant = uid.id; } - if (!found && ctl->user->get_info_by_uid(dpp, uid, &uinfo, s->yield) < 0) { + user = store->get_user(uid); + if (user->load_by_id(dpp, s->yield) < 0) { throw -EPERM; - } else { - bucket_tenant = uinfo.user_id.tenant; } + + bucket_tenant = user->get_tenant(); } rgw_bucket b; b.tenant = std::move(bucket_tenant); b.name = std::move(bucket_name); - - /* Need to get user info of bucket owner. */ - RGWBucketInfo bucket_info; - RGWSI_MetaBackend_CtxParams bectx_params = RGWSI_MetaBackend_CtxParams_SObj(s->sysobj_ctx); - int ret = ctl->bucket->read_bucket_info(b, &bucket_info, y, dpp, RGWBucketCtl::BucketInstance::GetParams().set_bectx_params(bectx_params)); + std::unique_ptr bucket; + int ret = store->get_bucket(dpp, nullptr, b, &bucket, s->yield); if (ret < 0) { throw ret; } - ldpp_dout(dpp, 20) << "temp url user (bucket owner): " << bucket_info.owner + ldpp_dout(dpp, 20) << "temp url user (bucket owner): " << bucket->get_info().owner << dendl; - if (ctl->user->get_info_by_uid(dpp, bucket_info.owner, &owner_info, s->yield) < 0) { + std::unique_ptr user; + user = store->get_user(bucket->get_info().owner); + if (user->load_by_id(dpp, s->yield) < 0) { throw -EPERM; } } @@ -448,14 +441,14 @@ ExternalTokenEngine::authenticate(const DoutPrefixProvider* dpp, ldpp_dout(dpp, 10) << "swift user=" << swift_user << dendl; - RGWUserInfo tmp_uinfo; - ret = ctl->user->get_info_by_swift(dpp, swift_user, &tmp_uinfo, s->yield); + std::unique_ptr user; + ret = store->get_user_by_swift(dpp, swift_user, s->yield, &user); if (ret < 0) { ldpp_dout(dpp, 0) << "NOTICE: couldn't map swift user" << dendl; throw ret; } - auto apl = apl_factory->create_apl_local(cct, s, tmp_uinfo, + auto apl = apl_factory->create_apl_local(cct, s, user->get_info(), extract_swift_subuser(swift_user), boost::none); return result_t::grant(std::move(apl)); @@ -569,16 +562,16 @@ SignedTokenEngine::authenticate(const DoutPrefixProvider* dpp, return result_t::deny(-EPERM); } - RGWUserInfo user_info; - ret = ctl->user->get_info_by_swift(dpp, swift_user, &user_info, s->yield); + std::unique_ptr user; + ret = store->get_user_by_swift(dpp, swift_user, s->yield, &user); if (ret < 0) { throw ret; } ldpp_dout(dpp, 10) << "swift_user=" << swift_user << dendl; - const auto siter = user_info.swift_keys.find(swift_user); - if (siter == std::end(user_info.swift_keys)) { + const auto siter = user->get_info().swift_keys.find(swift_user); + if (siter == std::end(user->get_info().swift_keys)) { return result_t::deny(-EPERM); } @@ -609,7 +602,7 @@ SignedTokenEngine::authenticate(const DoutPrefixProvider* dpp, return result_t::deny(-EPERM); } - auto apl = apl_factory->create_apl_local(cct, s, user_info, + auto apl = apl_factory->create_apl_local(cct, s, user->get_info(), extract_swift_subuser(swift_user), boost::none); return result_t::grant(std::move(apl)); diff --git a/src/rgw/rgw_swift_auth.h b/src/rgw/rgw_swift_auth.h index 480d72bd290..2511247bf76 100644 --- a/src/rgw/rgw_swift_auth.h +++ b/src/rgw/rgw_swift_auth.h @@ -42,7 +42,7 @@ class TempURLEngine : public rgw::auth::Engine { using result_t = rgw::auth::Engine::result_t; CephContext* const cct; - /* const */ RGWCtl* const ctl; + rgw::sal::RGWStore* store; const TempURLApplier::Factory* const apl_factory; /* Helper methods. */ @@ -60,10 +60,10 @@ class TempURLEngine : public rgw::auth::Engine { public: TempURLEngine(CephContext* const cct, - /*const*/ RGWCtl* const ctl, + rgw::sal::RGWStore* _store , const TempURLApplier::Factory* const apl_factory) : cct(cct), - ctl(ctl), + store(_store), apl_factory(apl_factory) { } @@ -81,7 +81,7 @@ class SignedTokenEngine : public rgw::auth::Engine { using result_t = rgw::auth::Engine::result_t; CephContext* const cct; - RGWCtl* const ctl; + rgw::sal::RGWStore* store; const rgw::auth::TokenExtractor* const extractor; const rgw::auth::LocalApplier::Factory* const apl_factory; @@ -93,11 +93,11 @@ class SignedTokenEngine : public rgw::auth::Engine { public: SignedTokenEngine(CephContext* const cct, - /* const */RGWCtl* const ctl, + rgw::sal::RGWStore* _store, const rgw::auth::TokenExtractor* const extractor, const rgw::auth::LocalApplier::Factory* const apl_factory) : cct(cct), - ctl(ctl), + store(_store), extractor(extractor), apl_factory(apl_factory) { } @@ -118,7 +118,7 @@ class ExternalTokenEngine : public rgw::auth::Engine { using result_t = rgw::auth::Engine::result_t; CephContext* const cct; - RGWCtl* const ctl; + rgw::sal::RGWStore* store; const rgw::auth::TokenExtractor* const extractor; const rgw::auth::LocalApplier::Factory* const apl_factory; @@ -129,11 +129,11 @@ class ExternalTokenEngine : public rgw::auth::Engine { public: ExternalTokenEngine(CephContext* const cct, - /* const */RGWCtl* const ctl, + rgw::sal::RGWStore* _store, const rgw::auth::TokenExtractor* const extractor, const rgw::auth::LocalApplier::Factory* const apl_factory) : cct(cct), - ctl(ctl), + store(_store), extractor(extractor), apl_factory(apl_factory) { } @@ -185,7 +185,7 @@ class DefaultStrategy : public rgw::auth::Strategy, public rgw::auth::RemoteApplier::Factory, public rgw::auth::LocalApplier::Factory, public rgw::auth::swift::TempURLApplier::Factory { - RGWCtl* const ctl; + rgw::sal::RGWStore* store; ImplicitTenants& implicit_tenant_context; /* The engines. */ @@ -212,9 +212,9 @@ class DefaultStrategy : public rgw::auth::Strategy, acl_strategy_t&& extra_acl_strategy, const rgw::auth::RemoteApplier::AuthInfo &info) const override { auto apl = \ - rgw::auth::add_3rdparty(ctl, rgw_user(s->account_name), - rgw::auth::add_sysreq(cct, ctl, s, - rgw::auth::RemoteApplier(cct, ctl, std::move(extra_acl_strategy), info, + rgw::auth::add_3rdparty(store, rgw_user(s->account_name), + rgw::auth::add_sysreq(cct, store, s, + rgw::auth::RemoteApplier(cct, store, std::move(extra_acl_strategy), info, implicit_tenant_context, rgw::auth::ImplicitTenants::IMPLICIT_TENANTS_SWIFT))); /* TODO(rzarzynski): replace with static_ptr. */ @@ -227,8 +227,8 @@ class DefaultStrategy : public rgw::auth::Strategy, const std::string& subuser, const boost::optional& perm_mask) const override { auto apl = \ - rgw::auth::add_3rdparty(ctl, rgw_user(s->account_name), - rgw::auth::add_sysreq(cct, ctl, s, + rgw::auth::add_3rdparty(store, rgw_user(s->account_name), + rgw::auth::add_sysreq(cct, store, s, rgw::auth::LocalApplier(cct, user_info, subuser, perm_mask))); /* TODO(rzarzynski): replace with static_ptr. */ return aplptr_t(new decltype(apl)(std::move(apl))); @@ -246,18 +246,18 @@ class DefaultStrategy : public rgw::auth::Strategy, public: DefaultStrategy(CephContext* const cct, ImplicitTenants& implicit_tenant_context, - RGWCtl* const ctl) - : ctl(ctl), + rgw::sal::RGWStore* _store) + : store(_store), implicit_tenant_context(implicit_tenant_context), tempurl_engine(cct, - ctl, + store, static_cast(this)), signed_engine(cct, - ctl, + store, static_cast(this), static_cast(this)), external_engine(cct, - ctl, + store, static_cast(this), static_cast(this)), anon_engine(cct,