From: Casey Bodley Date: Tue, 5 Mar 2024 18:57:09 +0000 (-0500) Subject: rgw/auth: expose Identity::get_account() X-Git-Tag: v19.1.0~99^2~36 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=dff8efba8f65cfdfcbdec35874848e50b15bfc1c;p=ceph.git rgw/auth: expose Identity::get_account() now that all identities store an optional account, expose that to the rest of rgw with get_account(). this cleans up lots of code that otherwise has to deal with the rgw_owner variant Signed-off-by: Casey Bodley (cherry picked from commit 405f93305f0d630a784b2de18a5f263b37362434) --- diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc index 75464d3b63931..57eded9eb6a8a 100644 --- a/src/rgw/rgw_auth.cc +++ b/src/rgw/rgw_auth.cc @@ -279,6 +279,9 @@ static auto transform_old_authinfo(const RGWUserInfo& user, const std::string& get_tenant() const override { return id.tenant; } + const std::optional& get_account() const override { + return account; + } void write_ops_log_entry(rgw_log_entry& entry) const override { if (account) { diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h index 9fc92277dbb88..2029bf6ce1e28 100644 --- a/src/rgw/rgw_auth.h +++ b/src/rgw/rgw_auth.h @@ -87,6 +87,9 @@ public: /* Identity's tenant namespace */ virtual const std::string& get_tenant() const = 0; + /* Return the identity's account info if present */ + virtual const std::optional& get_account() const = 0; + /* write any auth-specific fields that are safe to expose in the ops log */ virtual void write_ops_log_entry(rgw_log_entry& entry) const {}; }; @@ -497,6 +500,9 @@ public: const std::string& get_tenant() const override { return role_tenant; } + const std::optional& get_account() const override { + return account; + } void write_ops_log_entry(rgw_log_entry& entry) const override; struct Factory { @@ -656,6 +662,9 @@ public: const std::string& get_tenant() const override { return info.acct_user.tenant; } + const std::optional& get_account() const override { + return account; + } struct Factory { virtual ~Factory() {} @@ -728,6 +737,9 @@ public: const std::string& get_tenant() const override { return user_info.user_id.tenant; } + const std::optional& get_account() const override { + return account; + } void write_ops_log_entry(rgw_log_entry& entry) const override; @@ -793,6 +805,9 @@ public: std::string get_acct_name() const override { return {}; } std::string get_subuser() const override { return {}; } const std::string& get_tenant() const override { return role.tenant; } + const std::optional& get_account() const override { + return role.account; + } void write_ops_log_entry(rgw_log_entry& entry) const override; void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override; diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h index 3725b17514eda..a93641e8b8edd 100644 --- a/src/rgw/rgw_auth_filters.h +++ b/src/rgw/rgw_auth_filters.h @@ -113,6 +113,10 @@ public: return get_decoratee().get_tenant(); } + const std::optional& get_account() const override { + return get_decoratee().get_account(); + } + void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override { /* out */ return get_decoratee().load_acct_info(dpp, user_info); } diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc index 7c878eea25442..21df28045849b 100644 --- a/src/rgw/rgw_common.cc +++ b/src/rgw/rgw_common.cc @@ -1286,7 +1286,7 @@ bool verify_user_permission(const DoutPrefixProvider* dpp, { perm_state_from_req_state ps(s); - if (std::holds_alternative(s->owner.id)) { + if (s->auth.identity->get_account()) { // account users always require an Allow from identity-based policy mandatory_policy = true; } @@ -1365,7 +1365,7 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp, { perm_state_from_req_state ps(s); - if (std::holds_alternative(s->owner.id)) { + if (ps.identity->get_account()) { const bool account_root = (ps.identity->get_identity_type() == TYPE_ROOT); if (!ps.identity->is_owner_of(s->bucket_owner.id)) { ldpp_dout(dpp, 4) << "cross-account request for bucket owner " @@ -1509,7 +1509,7 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, req_state * const s { perm_state_from_req_state ps(s); - if (std::holds_alternative(s->owner.id)) { + if (ps.identity->get_account()) { const bool account_root = (ps.identity->get_identity_type() == TYPE_ROOT); const rgw_owner& object_owner = !object_acl.get_owner().empty() ? diff --git a/src/rgw/rgw_rest_iam_group.cc b/src/rgw/rgw_rest_iam_group.cc index 1880111395fe0..0fbe469ee07d4 100644 --- a/src/rgw/rgw_rest_iam_group.cc +++ b/src/rgw/rgw_rest_iam_group.cc @@ -76,8 +76,8 @@ int RGWCreateGroup_IAM::init_processing(optional_yield y) { // use account id from authenticated user/role. with AssumeRole, this may not // match the account of s->user - if (const auto* id = std::get_if(&s->owner.id); id) { - info.account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + info.account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -254,8 +254,8 @@ class RGWGetGroup_IAM : public RGWOp { int RGWGetGroup_IAM::init_processing(optional_yield y) { - if (const auto* id = std::get_if(&s->owner.id); id) { - account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -365,8 +365,8 @@ class RGWUpdateGroup_IAM : public RGWOp { int RGWUpdateGroup_IAM::init_processing(optional_yield y) { rgw_account_id account_id; - if (const auto* id = std::get_if(&s->owner.id); id) { - account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -512,8 +512,8 @@ class RGWDeleteGroup_IAM : public RGWOp { int RGWDeleteGroup_IAM::init_processing(optional_yield y) { rgw_account_id account_id; - if (const auto* id = std::get_if(&s->owner.id); id) { - account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -688,8 +688,8 @@ class RGWListGroups_IAM : public RGWOp { int RGWListGroups_IAM::init_processing(optional_yield y) { - if (const auto* id = std::get_if(&s->owner.id); id) { - account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -820,8 +820,8 @@ class RGWAddUserToGroup_IAM : public RGWOp { int RGWAddUserToGroup_IAM::init_processing(optional_yield y) { - if (const auto* id = std::get_if(&s->owner.id); id) { - group.account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + group.account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -957,8 +957,8 @@ class RGWRemoveUserFromGroup_IAM : public RGWOp { int RGWRemoveUserFromGroup_IAM::init_processing(optional_yield y) { - if (const auto* id = std::get_if(&s->owner.id); id) { - group.account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + group.account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -1093,8 +1093,8 @@ class RGWListGroupsForUser_IAM : public RGWOp { int RGWListGroupsForUser_IAM::init_processing(optional_yield y) { - if (const auto* id = std::get_if(&s->owner.id); id) { - account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -1203,8 +1203,8 @@ class RGWPutGroupPolicy_IAM : public RGWOp { int RGWPutGroupPolicy_IAM::init_processing(optional_yield y) { - if (const auto* id = std::get_if(&s->owner.id); id) { - info.account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + info.account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -1354,8 +1354,8 @@ class RGWGetGroupPolicy_IAM : public RGWOp { int RGWGetGroupPolicy_IAM::init_processing(optional_yield y) { - if (const auto* id = std::get_if(&s->owner.id); id) { - info.account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + info.account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -1457,8 +1457,8 @@ class RGWDeleteGroupPolicy_IAM : public RGWOp { int RGWDeleteGroupPolicy_IAM::init_processing(optional_yield y) { - if (const auto* id = std::get_if(&s->owner.id); id) { - info.account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + info.account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -1592,8 +1592,8 @@ class RGWListGroupPolicies_IAM : public RGWOp { int RGWListGroupPolicies_IAM::init_processing(optional_yield y) { - if (const auto* id = std::get_if(&s->owner.id); id) { - info.account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + info.account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -1698,8 +1698,8 @@ class RGWAttachGroupPolicy_IAM : public RGWOp { int RGWAttachGroupPolicy_IAM::init_processing(optional_yield y) { - if (const auto* id = std::get_if(&s->owner.id); id) { - info.account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + info.account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -1847,8 +1847,8 @@ class RGWDetachGroupPolicy_IAM : public RGWOp { int RGWDetachGroupPolicy_IAM::init_processing(optional_yield y) { - if (const auto* id = std::get_if(&s->owner.id); id) { - info.account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + info.account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -1982,8 +1982,8 @@ class RGWListAttachedGroupPolicies_IAM : public RGWOp { int RGWListAttachedGroupPolicies_IAM::init_processing(optional_yield y) { - if (const auto* id = std::get_if(&s->owner.id); id) { - info.account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + info.account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } diff --git a/src/rgw/rgw_rest_iam_user.cc b/src/rgw/rgw_rest_iam_user.cc index 90a50e3949e5a..06c0d5bde0834 100644 --- a/src/rgw/rgw_rest_iam_user.cc +++ b/src/rgw/rgw_rest_iam_user.cc @@ -69,8 +69,8 @@ int RGWCreateUser_IAM::init_processing(optional_yield y) { // use account id from authenticated user/role. with AssumeRole, this may not // match the account of s->user - if (const auto* id = std::get_if(&s->owner.id); id) { - info.account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + info.account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -254,8 +254,8 @@ int RGWGetUser_IAM::init_processing(optional_yield y) { // use account id from authenticated user/role. with AssumeRole, this may not // match the account of s->user - if (const auto* id = std::get_if(&s->owner.id); id) { - account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -348,8 +348,8 @@ int RGWUpdateUser_IAM::init_processing(optional_yield y) // use account id from authenticated user/role. with AssumeRole, this may not // match the account of s->user rgw_account_id account_id; - if (const auto* id = std::get_if(&s->owner.id); id) { - account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -498,8 +498,8 @@ int RGWDeleteUser_IAM::init_processing(optional_yield y) // use account id from authenticated user/role. with AssumeRole, this may not // match the account of s->user rgw_account_id account_id; - if (const auto* id = std::get_if(&s->owner.id); id) { - account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -669,8 +669,8 @@ int RGWListUsers_IAM::init_processing(optional_yield y) { // use account id from authenticated user/role. with AssumeRole, this may not // match the account of s->user - if (const auto* id = std::get_if(&s->owner.id); id) { - account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -814,8 +814,8 @@ int RGWCreateAccessKey_IAM::init_processing(optional_yield y) // use account id from authenticated user/role. with AssumeRole, this may not // match the account of s->user rgw_account_id account_id; - if (const auto* id = std::get_if(&s->owner.id); id) { - account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -1015,8 +1015,8 @@ int RGWUpdateAccessKey_IAM::init_processing(optional_yield y) // use account id from authenticated user/role. with AssumeRole, this may not // match the account of s->user rgw_account_id account_id; - if (const auto* id = std::get_if(&s->owner.id); id) { - account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -1175,8 +1175,8 @@ int RGWDeleteAccessKey_IAM::init_processing(optional_yield y) // use account id from authenticated user/role. with AssumeRole, this may not // match the account of s->user rgw_account_id account_id; - if (const auto* id = std::get_if(&s->owner.id); id) { - account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } @@ -1318,8 +1318,8 @@ int RGWListAccessKeys_IAM::init_processing(optional_yield y) // use account id from authenticated user/role. with AssumeRole, this may not // match the account of s->user rgw_account_id account_id; - if (const auto* id = std::get_if(&s->owner.id); id) { - account_id = *id; + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; } else { return -ERR_METHOD_NOT_ALLOWED; } diff --git a/src/rgw/rgw_rest_oidc_provider.cc b/src/rgw/rgw_rest_oidc_provider.cc index c8ad9da9dc7e4..70191879ad1fa 100644 --- a/src/rgw/rgw_rest_oidc_provider.cc +++ b/src/rgw/rgw_rest_oidc_provider.cc @@ -120,8 +120,8 @@ int RGWCreateOIDCProvider::init_processing(optional_yield y) return -EINVAL; } - if (const auto* id = std::get_if(&s->owner.id); id) { - info.tenant = *id; + if (const auto& acc = s->auth.identity->get_account(); acc) { + info.tenant = acc->id; } else { info.tenant = s->user->get_tenant(); } @@ -217,8 +217,8 @@ RGWDeleteOIDCProvider::RGWDeleteOIDCProvider() int RGWDeleteOIDCProvider::init_processing(optional_yield y) { std::string_view account; - if (const auto* id = std::get_if(&s->owner.id); id) { - account = *id; + if (const auto& acc = s->auth.identity->get_account(); acc) { + account = acc->id; } else { account = s->user->get_tenant(); } @@ -252,8 +252,8 @@ RGWGetOIDCProvider::RGWGetOIDCProvider() int RGWGetOIDCProvider::init_processing(optional_yield y) { std::string_view account; - if (const auto* id = std::get_if(&s->owner.id); id) { - account = *id; + if (const auto& acc = s->auth.identity->get_account(); acc) { + account = acc->id; } else { account = s->user->get_tenant(); } @@ -308,8 +308,8 @@ RGWListOIDCProviders::RGWListOIDCProviders() void RGWListOIDCProviders::execute(optional_yield y) { std::string_view account; - if (const auto* id = std::get_if(&s->owner.id); id) { - account = *id; + if (const auto& acc = s->auth.identity->get_account(); acc) { + account = acc->id; } else { account = s->user->get_tenant(); } diff --git a/src/rgw/rgw_rest_role.cc b/src/rgw/rgw_rest_role.cc index 1b8e83b20e2c7..2d6a96cfe62aa 100644 --- a/src/rgw/rgw_rest_role.cc +++ b/src/rgw/rgw_rest_role.cc @@ -108,18 +108,11 @@ static rgw::ARN make_role_arn(const std::string& path, } static int load_role(const DoutPrefixProvider* dpp, optional_yield y, - rgw::sal::Driver* driver, const rgw_owner& owner, - rgw_account_id& account_id, const std::string& tenant, - const std::string& name, + rgw::sal::Driver* driver, const rgw_account_id& account_id, + const std::string& tenant, const std::string& name, std::unique_ptr& role, rgw::ARN& resource, std::string& message) { - auto arn_account = std::ref(tenant); - if (const auto* id = std::get_if(&owner); id) { - account_id = *id; - arn_account = std::ref(account_id); - } - role = driver->get_role(name, tenant, account_id); const int r = role->get(dpp, y); if (r == -ENOENT) { @@ -128,6 +121,7 @@ static int load_role(const DoutPrefixProvider* dpp, optional_yield y, } if (r >= 0) { // construct the ARN once we know the path + const auto& arn_account = !account_id.empty() ? account_id : tenant; resource = make_role_arn(role->get_path(), role->get_name(), arn_account); @@ -345,9 +339,11 @@ int RGWDeleteRole::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->owner.id, account_id, - s->user->get_tenant(), role_name, role, resource, - s->err.message); + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; + } + return load_role(this, y, driver, account_id, s->user->get_tenant(), + role_name, role, resource, s->err.message); } void RGWDeleteRole::execute(optional_yield y) @@ -412,9 +408,11 @@ int RGWGetRole::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->owner.id, account_id, - s->user->get_tenant(), role_name, role, resource, - s->err.message); + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; + } + return load_role(this, y, driver, account_id, s->user->get_tenant(), + role_name, role, resource, s->err.message); } void RGWGetRole::execute(optional_yield y) @@ -450,9 +448,11 @@ int RGWModifyRoleTrustPolicy::init_processing(optional_yield y) return -ERR_MALFORMED_DOC; } - return load_role(this, y, driver, s->owner.id, account_id, - s->user->get_tenant(), role_name, role, resource, - s->err.message); + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; + } + return load_role(this, y, driver, account_id, s->user->get_tenant(), + role_name, role, resource, s->err.message); } void RGWModifyRoleTrustPolicy::execute(optional_yield y) @@ -565,9 +565,11 @@ int RGWPutRolePolicy::init_processing(optional_yield y) return -EINVAL; } - int r = load_role(this, y, driver, s->owner.id, account_id, - s->user->get_tenant(), role_name, role, resource, - s->err.message); + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; + } + int r = load_role(this, y, driver, account_id, s->user->get_tenant(), + role_name, role, resource, s->err.message); if (r < 0) { return r; } @@ -642,9 +644,11 @@ int RGWGetRolePolicy::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->owner.id, account_id, - s->user->get_tenant(), role_name, role, resource, - s->err.message); + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; + } + return load_role(this, y, driver, account_id, s->user->get_tenant(), + role_name, role, resource, s->err.message); } void RGWGetRolePolicy::execute(optional_yield y) @@ -676,9 +680,11 @@ int RGWListRolePolicies::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->owner.id, account_id, - s->user->get_tenant(), role_name, role, resource, - s->err.message); + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; + } + return load_role(this, y, driver, account_id, s->user->get_tenant(), + role_name, role, resource, s->err.message); } void RGWListRolePolicies::execute(optional_yield y) @@ -711,9 +717,11 @@ int RGWDeleteRolePolicy::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->owner.id, account_id, - s->user->get_tenant(), role_name, role, resource, - s->err.message); + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; + } + return load_role(this, y, driver, account_id, s->user->get_tenant(), + role_name, role, resource, s->err.message); } void RGWDeleteRolePolicy::execute(optional_yield y) @@ -778,9 +786,11 @@ int RGWTagRole::init_processing(optional_yield y) return r; } - return load_role(this, y, driver, s->owner.id, account_id, - s->user->get_tenant(), role_name, role, resource, - s->err.message); + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; + } + return load_role(this, y, driver, account_id, s->user->get_tenant(), + role_name, role, resource, s->err.message); } void RGWTagRole::execute(optional_yield y) @@ -838,9 +848,11 @@ int RGWListRoleTags::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->owner.id, account_id, - s->user->get_tenant(), role_name, role, resource, - s->err.message); + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; + } + return load_role(this, y, driver, account_id, s->user->get_tenant(), + role_name, role, resource, s->err.message); } void RGWListRoleTags::execute(optional_yield y) @@ -884,9 +896,11 @@ int RGWUntagRole::init_processing(optional_yield y) }); } - return load_role(this, y, driver, s->owner.id, account_id, - s->user->get_tenant(), role_name, role, resource, - s->err.message); + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; + } + return load_role(this, y, driver, account_id, s->user->get_tenant(), + role_name, role, resource, s->err.message); } void RGWUntagRole::execute(optional_yield y) @@ -947,9 +961,11 @@ int RGWUpdateRole::init_processing(optional_yield y) max_session_duration = s->info.args.get("MaxSessionDuration"); - return load_role(this, y, driver, s->owner.id, account_id, - s->user->get_tenant(), role_name, role, resource, - s->err.message); + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; + } + return load_role(this, y, driver, account_id, s->user->get_tenant(), + role_name, role, resource, s->err.message); } void RGWUpdateRole::execute(optional_yield y) @@ -1037,7 +1053,7 @@ int RGWAttachRolePolicy_IAM::init_processing(optional_yield y) { // managed policy is only supported for account users. adding them to // non-account users would give blanket permissions to all buckets - if (!std::holds_alternative(s->owner.id)) { + if (!s->auth.identity->get_account()) { s->err.message = "Managed policies are only supported for account users"; return -ERR_METHOD_NOT_ALLOWED; } @@ -1052,9 +1068,11 @@ int RGWAttachRolePolicy_IAM::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->owner.id, account_id, - s->user->get_tenant(), role_name, role, resource, - s->err.message); + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; + } + return load_role(this, y, driver, account_id, s->user->get_tenant(), + role_name, role, resource, s->err.message); } void RGWAttachRolePolicy_IAM::execute(optional_yield y) @@ -1134,7 +1152,7 @@ int RGWDetachRolePolicy_IAM::init_processing(optional_yield y) { // managed policy is only supported for account users. adding them to // non-account users would give blanket permissions to all buckets - if (!std::holds_alternative(s->owner.id)) { + if (!s->auth.identity->get_account()) { s->err.message = "Managed policies are only supported for account users"; return -ERR_METHOD_NOT_ALLOWED; } @@ -1149,9 +1167,11 @@ int RGWDetachRolePolicy_IAM::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->owner.id, account_id, - s->user->get_tenant(), role_name, role, resource, - s->err.message); + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; + } + return load_role(this, y, driver, account_id, s->user->get_tenant(), + role_name, role, resource, s->err.message); } void RGWDetachRolePolicy_IAM::execute(optional_yield y) @@ -1220,7 +1240,7 @@ int RGWListAttachedRolePolicies_IAM::init_processing(optional_yield y) { // managed policy is only supported for account roles. adding them to // non-account roles would give blanket permissions to all buckets - if (!std::holds_alternative(s->owner.id)) { + if (!s->auth.identity->get_account()) { s->err.message = "Managed policies are only supported for account roles"; return -ERR_METHOD_NOT_ALLOWED; } @@ -1230,9 +1250,11 @@ int RGWListAttachedRolePolicies_IAM::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->owner.id, account_id, - s->user->get_tenant(), role_name, role, resource, - s->err.message); + if (const auto& account = s->auth.identity->get_account(); account) { + account_id = account->id; + } + return load_role(this, y, driver, account_id, s->user->get_tenant(), + role_name, role, resource, s->err.message); } void RGWListAttachedRolePolicies_IAM::execute(optional_yield y) diff --git a/src/rgw/rgw_rest_user_policy.cc b/src/rgw/rgw_rest_user_policy.cc index 0081bd828b90f..3832b9a499370 100644 --- a/src/rgw/rgw_rest_user_policy.cc +++ b/src/rgw/rgw_rest_user_policy.cc @@ -525,7 +525,7 @@ int RGWRestAttachedUserPolicy::init_processing(optional_yield y) { // managed policy is only supported for account users. adding them to // non-account roles would give blanket permissions to all buckets - if (!std::holds_alternative(s->owner.id)) { + if (!s->auth.identity->get_account()) { s->err.message = "Managed policies are only supported for account users"; return -ERR_METHOD_NOT_ALLOWED; } diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc index d0a18c221e334..3160cf6887ad2 100644 --- a/src/test/rgw/test_rgw_iam_policy.cc +++ b/src/test/rgw/test_rgw_iam_policy.cc @@ -187,6 +187,12 @@ public: return empty; } + const std::optional& get_account() const override { + ceph_abort(); + static std::optional empty; + return empty; + } + void to_str(std::ostream& out) const override { out << id; } diff --git a/src/test/rgw/test_rgw_lua.cc b/src/test/rgw/test_rgw_lua.cc index 68f2e6ab0666d..b2e11e442a28f 100644 --- a/src/test/rgw/test_rgw_lua.cc +++ b/src/test/rgw/test_rgw_lua.cc @@ -70,6 +70,11 @@ public: return empty; } + const std::optional& get_account() const override { + static const std::optional empty; + return empty; + } + void to_str(std::ostream& out) const override { return; }