From: Matt Benjamin
Date: Tue, 7 Jun 2016 14:36:30 +0000 (-0400)
Subject: Merge pull request #8657 from rzarzynski/wip-rgw-swift-auth
X-Git-Tag: v11.0.0~283
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=c8f0380d4f34a737d31e83fb5f956ce9d787e802;p=ceph.git
Merge pull request #8657 from rzarzynski/wip-rgw-swift-auth
rgw: authentication subsystem rework
Passed teuthology rgw suite.
--- c8f0380d4f34a737d31e83fb5f956ce9d787e802
diff --cc src/rgw/rgw_admin.cc
index a69eaa1cc2c1,3abfbdd6a338..f37474daadea
--- a/src/rgw/rgw_admin.cc
+++ b/src/rgw/rgw_admin.cc
@@@ -3638,9 -3641,12 +3643,12 @@@ int main(int argc, char **argv if (gen_secret_key) user_op.set_gen_secret(); // assume that a key pair should be created - if (max_buckets >= 0) + if (max_buckets_specified) user_op.set_max_buckets(max_buckets); + if (admin_specified) + user_op.set_admin(admin); + if (system_specified) user_op.set_system(system);
diff --cc src/rgw/rgw_common.h
index 5841962aae4e,c4a95fc4d2b5..acd512660647
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@@ -539,9 -537,10 +537,10 @@@ struct RGWUserInf map swift_keys; map subusers; __u8 suspended; - uint32_t max_buckets; + int32_t max_buckets; uint32_t op_mask; RGWUserCaps caps; + __u8 admin; __u8 system; string default_placement; list placement_tags;
diff --cc src/rgw/rgw_op.cc
index 5bc7cb43fa05,8a9683dfc9ba..a8add0ea48d5
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@@ -1783,19 -1888,24 +1888,27 @@@ int RGWGetBucketLocation::verify_permis int RGWCreateBucket::verify_permission() { - if (!rgw_user_is_authenticated(*(s->user))) + /* This check is mostly needed for S3 that doesn't support account ACL. + * Swift doesn't allow to delegate any permission to an anonymous user, + * so it will become an early exit in such case. 
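Review bot: With `max_buckets` now signed (the rgw_common.h and rgw_user.h hunks of this commit change it to `int32_t`), replacing `if (max_buckets >= 0)` with `if (max_buckets_specified)` deliberately lets a negative value reach `user_op.set_max_buckets(max_buckets)`, but nothing at this call site says what a negative value means. The rgw_op.cc hunk treats `max_buckets < 0` as "bucket creation denied" (-EPERM) and 0 as "no cap", so a one-line comment here would save the next reader a cross-file search: `// max_buckets: <0 denies bucket creation, 0 = unlimited, >0 = cap`. Whether the option parser bounds the value before this point is outside the hunk; `main` starts and ends outside it.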
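Review bot: `max_buckets` changes from `uint32_t` to `int32_t` and `admin` is added as a bare `__u8`, with no comment on either field about what the new sign or the flag means; the same applies to RGWUserAdminOpState in the rgw_user.h hunk. Based on RGWCreateBucket::verify_permission in the rgw_op.cc hunk, I would annotate the field as `int32_t max_buckets; // <0: bucket creation denied (EPERM), 0: unlimited, >0: cap` and give `admin` a line stating the privilege it grants. If this struct is serialized (its encode/decode is not in the hunk), the reader should also confirm that the signedness change and the new field are handled compatibly there; the struct (header truncated to `RGWUserInf` in the hunk header) begins and ends outside the hunk.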
*/ + if (s->auth_identity->is_anonymous()) { return -EACCES; + } + + if (!verify_user_permission(s, RGW_PERM_WRITE)) { + return -EACCES; + } if (s->user->user_id.tenant != s->bucket_tenant) { - ldout(s->cct, 10) - << "user cannot create a bucket in a different tenant (user_id.tenant=" - << s->user->user_id.tenant << " requested=" << s->bucket_tenant << ")" - << dendl; + ldout(s->cct, 10) << "user cannot create a bucket in a different tenant" + << " (user_id.tenant=" << s->user->user_id.tenant + << " requested=" << s->bucket_tenant << ")" + << dendl; return -EACCES; } + if (s->user->max_buckets < 0) { + return -EPERM; + } if (s->user->max_buckets) { RGWUserBuckets buckets;
@@@ -1804,10 -1914,11 +1917,11 @@@ op_ret = rgw_read_user_buckets(store, s->user->user_id, buckets, marker, string(), s->user->max_buckets, false, &is_truncated); - if (op_ret < 0) + if (op_ret < 0) { return op_ret; + } - if (buckets.count() >= s->user->max_buckets) { + if ((int)buckets.count() >= s->user->max_buckets) { return -ERR_TOO_MANY_BUCKETS; } }
diff --cc src/rgw/rgw_user.h
index 269ae90dc30f,e13aee4894ff..832b66553017
--- a/src/rgw/rgw_user.h
+++ b/src/rgw/rgw_user.h
@@@ -157,8 -156,9 +156,9 @@@ struct RGWUserAdminOpState rgw_user user_id; std::string user_email; std::string display_name; - uint32_t max_buckets; + int32_t max_buckets; __u8 suspended; + __u8 admin; __u8 system; __u8 exclusive; __u8 fetch_stats;
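Review bot: The new `if (s->user->max_buckets < 0) { return -EPERM; }` denies silently, whereas the neighbouring tenant-mismatch branch logs at level 10 before returning, so an operator debugging a refused bucket creation sees nothing for this path. Add a line in the same style before the return, `ldout(s->cct, 10) << "bucket creation is disabled for this user (max_buckets < 0)" << dendl;`. The anonymous check also dereferences `s->auth_identity` unconditionally; if any request path can leave it unset that needs a guard, though I cannot tell from the hunk. RGWCreateBucket::verify_permission continues in the next hunk and past it.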
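Review bot: `(int)buckets.count() >= s->user->max_buckets` introduces a C-style cast; at this point in RGWCreateBucket::verify_permission `max_buckets` is known to be positive (the preceding hunk returns -EPERM for negatives and the enclosing `if (s->user->max_buckets)` excludes zero), so the comparison can be done in the count's own type instead of narrowing it: `if (buckets.count() >= static_cast<decltype(buckets.count())>(s->user->max_buckets))`. At minimum use `static_cast<int>` so the cast is greppable. Since rgw_read_user_buckets is presumably asked for at most `max_buckets` entries, the current form is not wrong in practice, only unidiomatic. The enclosing function body ends outside the hunk.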