From: Ali Maredia Date: Wed, 3 Oct 2018 19:59:34 +0000 (-0400) Subject: rgw: thread DoutPrefixProvider into RGW::Auth_S3::authorize X-Git-Tag: v14.0.1~74^2~3 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=e997ed23641225fb5066a059d733c00fb87cf238;p=ceph.git rgw: thread DoutPrefixProvider into RGW::Auth_S3::authorize Pass a DPP into RGWOp::verify_request that leads through RGWHandler -> RGWHandler_REST-> RGW::Auth_S3::authorize(). Change authenticate() in all the Handler classes to take a DPP Signed-off-by: Ali Maredia --- diff --git a/src/rgw/librgw.cc b/src/rgw/librgw.cc index faa0f5c23aef..00acadf7f22b 100644 --- a/src/rgw/librgw.cc +++ b/src/rgw/librgw.cc @@ -253,7 +253,7 @@ namespace rgw { /* XXX authorize does less here then in the REST path, e.g., * the user's info is cached, but still incomplete */ ldpp_dout(s, 2) << "authorizing" << dendl; - ret = req->authorize(); + ret = req->authorize(op); if (ret < 0) { dout(10) << "failed to authorize request" << dendl; abort_req(s, op, ret); @@ -368,7 +368,7 @@ namespace rgw { /* XXX authorize does less here then in the REST path, e.g., * the user's info is cached, but still incomplete */ ldpp_dout(s, 2) << "authorizing" << dendl; - ret = req->authorize(); + ret = req->authorize(op); if (ret < 0) { dout(10) << "failed to authorize request" << dendl; abort_req(s, op, ret); @@ -645,7 +645,7 @@ namespace rgw { return ret; } /* RGWLibRequest::read_permissions */ - int RGWHandler_Lib::authorize() + int RGWHandler_Lib::authorize(const DoutPrefixProvider *dpp) { /* TODO: handle * 1. subusers diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc index 22511b46c5e3..70c043403880 100644 --- a/src/rgw/rgw_auth.cc +++ b/src/rgw/rgw_auth.cc @@ -266,7 +266,7 @@ rgw::auth::Strategy::authenticate(const req_state* const s) const } int -rgw::auth::Strategy::apply(const rgw::auth::Strategy& auth_strategy, +rgw::auth::Strategy::apply(const DoutPrefixProvider *dpp, const rgw::auth::Strategy& auth_strategy, req_state* const s) noexcept { try { @@ -274,7 +274,7 @@ rgw::auth::Strategy::apply(const rgw::auth::Strategy& auth_strategy, if (result.get_status() != decltype(result)::Status::GRANTED) { /* Access denied is acknowledged by returning a std::unique_ptr with * nullptr inside. */ - ldout(s->cct, 5) << "Failed the auth strategy, reason=" + ldpp_dout(dpp, 5) << "Failed the auth strategy, reason=" << result.get_reason() << dendl; return result.get_reason(); } @@ -301,11 +301,11 @@ rgw::auth::Strategy::apply(const rgw::auth::Strategy& auth_strategy, return 0; } catch (const int err) { - ldout(s->cct, 5) << "applier throwed err=" << err << dendl; + ldpp_dout(dpp, 5) << "applier throwed err=" << err << dendl; return err; } } catch (const int err) { - ldout(s->cct, 5) << "auth engine throwed err=" << err << dendl; + ldpp_dout(dpp, 5) << "auth engine throwed err=" << err << dendl; return err; } diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h index 4fe791f95ba7..3d702cacd571 100644 --- a/src/rgw/rgw_auth.h +++ b/src/rgw/rgw_auth.h @@ -219,7 +219,7 @@ public: /* Engine doesn't grant the access but also doesn't reject it. */ DENIED, - /* Engine successfully authenticated requester. */ + /* Engine successfully authenicated requester. */ GRANTED, /* Engine strictly indicates that a request should be rejected @@ -329,7 +329,7 @@ public: return auth_stack.empty(); } - static int apply(const Strategy& auth_strategy, req_state* s) noexcept; + static int apply(const DoutPrefixProvider* dpp, const Strategy& auth_strategy, req_state* s) noexcept; private: /* Using the reference wrapper here to explicitly point out we are not diff --git a/src/rgw/rgw_lib.h b/src/rgw/rgw_lib.h index bf69abe05939..94b51ac4f10c 100644 --- a/src/rgw/rgw_lib.h +++ b/src/rgw/rgw_lib.h @@ -115,7 +115,7 @@ namespace rgw { friend class RGWRESTMgr_Lib; public: - int authorize() override; + int authorize(const DoutPrefixProvider *dpp) override; RGWHandler_Lib() {} ~RGWHandler_Lib() override {} diff --git a/src/rgw/rgw_op.h b/src/rgw/rgw_op.h index 9ef8c49cc350..f4d59455af06 100644 --- a/src/rgw/rgw_op.h +++ b/src/rgw/rgw_op.h @@ -92,7 +92,7 @@ public: } virtual int read_permissions(RGWOp* op) = 0; - virtual int authorize() = 0; + virtual int authorize(const DoutPrefixProvider* dpp) = 0; virtual int postauth_init() = 0; virtual int error_handler(int err_no, std::string* error_content); virtual void dump(const string& code, const string& message) const {} @@ -162,7 +162,7 @@ public: * of special cases. */ virtual int verify_requester(const rgw::auth::StrategyRegistry& auth_registry) { /* TODO(rzarzynski): rename RGWHandler::authorize to generic_authenticate. */ - return dialect_handler->authorize(); + return dialect_handler->authorize(this); } virtual int verify_permission() = 0; virtual int verify_op_mask(); diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index 5c0b77b3dd78..c42f21b95eec 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -1832,7 +1832,7 @@ int RGWPostObj_ObjStore_S3::get_policy() /* FIXME: this is a makeshift solution. The browser upload authentication will be * handled by an instance of rgw::auth::Completer spawned in Handler's authorize() * method. */ - const int ret = rgw::auth::Strategy::apply(auth_registry_ptr->get_s3_post(), s); + const int ret = rgw::auth::Strategy::apply(this, auth_registry_ptr->get_s3_post(), s); if (ret != 0) { return -EACCES; } else { @@ -3470,7 +3470,8 @@ discover_aws_flavour(const req_info& info) * * it tries AWS v4 before AWS v2 */ -int RGW_Auth_S3::authorize(RGWRados* const store, +int RGW_Auth_S3::authorize(const DoutPrefixProvider *dpp, + RGWRados* const store, const rgw::auth::StrategyRegistry& auth_registry, struct req_state* const s) { @@ -3479,11 +3480,11 @@ int RGW_Auth_S3::authorize(RGWRados* const store, if (!store->ctx()->_conf->rgw_s3_auth_use_rados && !store->ctx()->_conf->rgw_s3_auth_use_keystone && !store->ctx()->_conf->rgw_s3_auth_use_ldap) { - dout(0) << "WARNING: no authorization backend enabled! Users will never authenticate." << dendl; + ldpp_dout(dpp, 0) << "WARNING: no authorization backend enabled! Users will never authenticate." << dendl; return -EPERM; } - const auto ret = rgw::auth::Strategy::apply(auth_registry.get_s3_main(), s); + const auto ret = rgw::auth::Strategy::apply(dpp, auth_registry.get_s3_main(), s); if (ret == 0) { /* Populate the owner info. */ s->owner.set_id(s->user->user_id); @@ -4301,7 +4302,7 @@ rgw::auth::s3::LocalEngine::authenticate( /* TODO(rzarzynski): we need to have string-view taking variant. */ const std::string access_key_id = _access_key_id.to_string(); if (rgw_get_user_info_by_access_key(store, access_key_id, user_info) < 0) { - ldout(cct, 5) << "error reading user info, uid=" << access_key_id + ldpp_dout(s, 5) << "error reading user info, uid=" << access_key_id << " can't authenticate" << dendl; return result_t::deny(-ERR_INVALID_ACCESS_KEY); } @@ -4316,7 +4317,7 @@ rgw::auth::s3::LocalEngine::authenticate( const auto iter = user_info.access_keys.find(access_key_id); if (iter == std::end(user_info.access_keys)) { - ldout(cct, 0) << "ERROR: access key not encoded in user info" << dendl; + ldpp_dout(s, 0) << "ERROR: access key not encoded in user info" << dendl; return result_t::deny(-EPERM); } const RGWAccessKey& k = iter->second; diff --git a/src/rgw/rgw_rest_s3.h b/src/rgw/rgw_rest_s3.h index f535ad82fb10..18a6a5684b86 100644 --- a/src/rgw/rgw_rest_s3.h +++ b/src/rgw/rgw_rest_s3.h @@ -468,7 +468,8 @@ public: class RGW_Auth_S3 { public: - static int authorize(RGWRados *store, + static int authorize(const DoutPrefixProvider *dpp, + RGWRados *store, const rgw::auth::StrategyRegistry& auth_registry, struct req_state *s); }; @@ -491,8 +492,8 @@ public: int init(RGWRados *store, struct req_state *s, rgw::io::BasicClient *cio) override; - int authorize() override { - return RGW_Auth_S3::authorize(store, auth_registry, s); + int authorize(const DoutPrefixProvider *dpp) override { + return RGW_Auth_S3::authorize(dpp, store, auth_registry, s); } int postauth_init() override { return 0; } }; @@ -513,8 +514,8 @@ public: int init(RGWRados *store, struct req_state *s, rgw::io::BasicClient *cio) override; - int authorize() override { - return RGW_Auth_S3::authorize(store, auth_registry, s); + int authorize(const DoutPrefixProvider *dpp) override { + return RGW_Auth_S3::authorize(dpp, store, auth_registry, s); } int postauth_init() override; }; diff --git a/src/rgw/rgw_rest_swift.cc b/src/rgw/rgw_rest_swift.cc index 5d11edd8f947..76d02b248447 100644 --- a/src/rgw/rgw_rest_swift.cc +++ b/src/rgw/rgw_rest_swift.cc @@ -2772,9 +2772,9 @@ RGWOp *RGWHandler_REST_Obj_SWIFT::op_options() } -int RGWHandler_REST_SWIFT::authorize() +int RGWHandler_REST_SWIFT::authorize(const DoutPrefixProvider *dpp) { - return rgw::auth::Strategy::apply(auth_strategy, s); + return rgw::auth::Strategy::apply(dpp, auth_strategy, s); } int RGWHandler_REST_SWIFT::postauth_init() diff --git a/src/rgw/rgw_rest_swift.h b/src/rgw/rgw_rest_swift.h index 0e85751f6de9..2f902c46ba30 100644 --- a/src/rgw/rgw_rest_swift.h +++ b/src/rgw/rgw_rest_swift.h @@ -395,7 +395,7 @@ public: int validate_bucket_name(const string& bucket); int init(RGWRados *store, struct req_state *s, rgw::io::BasicClient *cio) override; - int authorize() override; + int authorize(const DoutPrefixProvider *dpp) override; int postauth_init() override; RGWAccessControlPolicy *alloc_policy() { return nullptr; /* return new RGWAccessControlPolicy_SWIFT; */ } @@ -543,7 +543,7 @@ public: return RGWHandler::init(store, state, cio); } - int authorize() override { + int authorize(const DoutPrefixProvider *dpp) override { return 0; } @@ -599,7 +599,7 @@ public: return RGWHandler::init(store, state, cio); } - int authorize() override { + int authorize(const DoutPrefixProvider *dpp) override { return 0; } @@ -655,7 +655,7 @@ public: return RGWHandler::init(store, state, cio); } - int authorize() override { + int authorize(const DoutPrefixProvider *dpp) override { return 0; } diff --git a/src/rgw/rgw_swift_auth.cc b/src/rgw/rgw_swift_auth.cc index 4fd2d37196d9..5c4371da908e 100644 --- a/src/rgw/rgw_swift_auth.cc +++ b/src/rgw/rgw_swift_auth.cc @@ -709,7 +709,7 @@ int RGWHandler_SWIFT_Auth::init(RGWRados *store, struct req_state *state, return RGWHandler::init(store, state, cio); } -int RGWHandler_SWIFT_Auth::authorize() +int RGWHandler_SWIFT_Auth::authorize(const DoutPrefixProvider *dpp) { return 0; } diff --git a/src/rgw/rgw_swift_auth.h b/src/rgw/rgw_swift_auth.h index 008366b4ef2a..2677c4c853a8 100644 --- a/src/rgw/rgw_swift_auth.h +++ b/src/rgw/rgw_swift_auth.h @@ -290,7 +290,7 @@ public: RGWOp *op_get() override; int init(RGWRados *store, struct req_state *state, rgw::io::BasicClient *cio) override; - int authorize() override; + int authorize(const DoutPrefixProvider *dpp) override; int postauth_init() override { return 0; } int read_permissions(RGWOp *op) override { return 0; }