From: Pritha Srivastava Date: Mon, 14 May 2018 05:29:12 +0000 (+0530) Subject: rgw: Added max_session_duration and policy parsing to RGW Roles. X-Git-Tag: v14.0.1~113^2~23 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=f0ae9cff67d4b55384c5ef935d44819182ab64e8;p=ceph.git rgw: Added max_session_duration and policy parsing to RGW Roles. Signed-off-by: Pritha Srivastava --- diff --git a/src/rgw/rgw_admin.cc b/src/rgw/rgw_admin.cc index d146fdb4c16..77306f8a2c1 100644 --- a/src/rgw/rgw_admin.cc +++ b/src/rgw/rgw_admin.cc @@ -4997,21 +4997,14 @@ int main(int argc, const char **argv) cerr << "ERROR: assume role policy document is empty" << std::endl; return -EINVAL; } - /* The following two calls will be replaced by read_decode_json or something - similar when the code for AWS Policies is in places */ - bufferlist bl; - int ret = read_input(assume_role_doc, bl); - if (ret < 0) { - cerr << "ERROR: failed to read input: " << cpp_strerror(-ret) << std::endl; - return ret; - } - JSONParser p; - if (!p.parse(bl.c_str(), bl.length())) { - cout << "ERROR: failed to parse JSON: " << assume_role_doc << std::endl; + bufferlist bl = bufferlist::static_from_string(assume_role_doc); + try { + const rgw::IAM::Policy p(g_ceph_context, tenant, bl); + } catch (rgw::IAM::PolicyParseException& e) { + cerr << "failed to parse policy: " << e.what() << std::endl; return -EINVAL; } - string trust_policy = bl.to_str(); - RGWRole role(g_ceph_context, store, role_name, path, trust_policy, tenant); + RGWRole role(g_ceph_context, store, role_name, path, assume_role_doc, tenant); ret = role.create(true); if (ret < 0) { return -ret; @@ -5113,28 +5106,20 @@ int main(int argc, const char **argv) return -EINVAL; } - /* The following two calls will be replaced by read_decode_json or something - similar, when code for AWS Policies is in place.*/ - bufferlist bl; - int ret = read_input(perm_policy_doc, bl); - if (ret < 0) { - cerr << "ERROR: failed to read input: " << cpp_strerror(-ret) << std::endl; - return ret; - } - JSONParser p; - if (!p.parse(bl.c_str(), bl.length())) { - cout << "ERROR: failed to parse JSON: " << std::endl; + bufferlist bl = bufferlist::static_from_string(perm_policy_doc); + try { + const rgw::IAM::Policy p(g_ceph_context, tenant, bl); + } catch (rgw::IAM::PolicyParseException& e) { + cerr << "failed to parse perm policy: " << e.what() << std::endl; return -EINVAL; } - string perm_policy; - perm_policy = bl.c_str(); RGWRole role(g_ceph_context, store, role_name, tenant); ret = role.get(); if (ret < 0) { return -ret; } - role.set_perm_policy(policy_name, perm_policy); + role.set_perm_policy(policy_name, perm_policy_doc); ret = role.update(); if (ret < 0) { return -ret; diff --git a/src/rgw/rgw_rest_role.cc b/src/rgw/rgw_rest_role.cc index 4b11af695a4..d328727ad64 100644 --- a/src/rgw/rgw_rest_role.cc +++ b/src/rgw/rgw_rest_role.cc @@ -100,17 +100,23 @@ int RGWCreateRole::get_params() role_name = s->info.args.get("RoleName"); role_path = s->info.args.get("Path"); trust_policy = s->info.args.get("AssumeRolePolicyDocument"); + max_session_duration = s->info.args.get("MaxSessionDuration"); if (role_name.empty() || trust_policy.empty()) { ldout(s->cct, 20) << "ERROR: one of role name or assume role policy document is empty" << dendl; return -EINVAL; } - JSONParser p; - if (!p.parse(trust_policy.c_str(), trust_policy.length())) { - ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl; + + bufferlist bl = bufferlist::static_from_string(trust_policy); + try { + const rgw::IAM::Policy p(s->cct, s->user->user_id.tenant, bl); + } + catch (rgw::IAM::PolicyParseException& e) { + ldout(s->cct, 20) << "failed to parse policy: " << e.what() << dendl; return -ERR_MALFORMED_DOC; } + return 0; } @@ -120,7 +126,8 @@ void RGWCreateRole::execute() if (op_ret < 0) { return; } - RGWRole role(s->cct, store, role_name, role_path, trust_policy, s->user->user_id.tenant); + RGWRole role(s->cct, store, role_name, role_path, trust_policy, + s->user->user_id.tenant, max_session_duration); op_ret = role.create(true); if (op_ret == -EEXIST) { @@ -307,12 +314,14 @@ int RGWPutRolePolicy::get_params() ldout(s->cct, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl; return -EINVAL; } - JSONParser p; - if (!p.parse(perm_policy.c_str(), perm_policy.length())) { - ldout(s->cct, 20) << "ERROR: failed to parse perm role policy doc" << dendl; + bufferlist bl = bufferlist::static_from_string(perm_policy); + try { + const rgw::IAM::Policy p(s->cct, s->user->user_id.tenant, bl); + } + catch (rgw::IAM::PolicyParseException& e) { + ldout(s->cct, 20) << "failed to parse policy: " << e.what() << dendl; return -ERR_MALFORMED_DOC; } - return 0; } diff --git a/src/rgw/rgw_rest_role.h b/src/rgw/rgw_rest_role.h index 6153c6b21de..3834c75cf5d 100644 --- a/src/rgw/rgw_rest_role.h +++ b/src/rgw/rgw_rest_role.h @@ -13,6 +13,7 @@ protected: string policy_name; string perm_policy; string path_prefix; + string max_session_duration; RGWRole _role; public: int verify_permission() override; diff --git a/src/rgw/rgw_role.cc b/src/rgw/rgw_role.cc index 525da75bbb2..8ca41b78d82 100644 --- a/src/rgw/rgw_role.cc +++ b/src/rgw/rgw_role.cc @@ -276,6 +276,7 @@ void RGWRole::dump(Formatter *f) const encode_json("path", path, f); encode_json("arn", arn, f); encode_json("create_date", creation_date, f); + encode_json("max_session_duration", max_session_duration, f); encode_json("assume_role_policy_document", trust_policy, f); } @@ -286,6 +287,7 @@ void RGWRole::decode_json(JSONObj *obj) JSONDecoder::decode_json("path", path, obj); JSONDecoder::decode_json("arn", arn, obj); JSONDecoder::decode_json("create_date", creation_date, obj); + JSONDecoder::decode_json("max_session_duration", max_session_duration, obj); JSONDecoder::decode_json("assume_role_policy_document", trust_policy, obj); } @@ -394,6 +396,11 @@ bool RGWRole::validate_input() return false; } + if (max_session_duration < SESSION_DURATION_MIN || + max_session_duration > SESSION_DURATION_MAX) { + ldout(cct, 0) << "ERROR: Invalid session duration, should be between 3600 and 43200 seconds " << dendl; + return false; + } return true; } diff --git a/src/rgw/rgw_role.h b/src/rgw/rgw_role.h index fa2b382eeee..3124d59877f 100644 --- a/src/rgw/rgw_role.h +++ b/src/rgw/rgw_role.h @@ -16,6 +16,8 @@ class RGWRole static const string role_arn_prefix; static constexpr int MAX_ROLE_NAME_LEN = 64; static constexpr int MAX_PATH_NAME_LEN = 512; + static constexpr uint64_t SESSION_DURATION_MIN = 3600; // in seconds + static constexpr uint64_t SESSION_DURATION_MAX = 43200; // in seconds CephContext *cct; RGWRados *store; @@ -27,6 +29,7 @@ class RGWRole string trust_policy; map perm_policy_map; string tenant; + uint64_t max_session_duration; int store_info(bool exclusive); int store_name(bool exclusive); @@ -44,7 +47,8 @@ public: string name, string path, string trust_policy, - string tenant) + string tenant, + string max_session_duration_str="") : cct(cct), store(store), name(std::move(name)), @@ -54,6 +58,11 @@ public: if (this->path.empty()) this->path = "/"; extract_name_tenant(this->name); + if (! max_session_duration_str.empty()) { + max_session_duration = SESSION_DURATION_MIN; + } else { + max_session_duration = std::stoull(max_session_duration_str); + } } RGWRole(CephContext *cct, @@ -84,7 +93,7 @@ public: ~RGWRole() = default; void encode(bufferlist& bl) const { - ENCODE_START(2, 1, bl); + ENCODE_START(3, 1, bl); encode(id, bl); encode(name, bl); encode(path, bl); @@ -93,6 +102,7 @@ public: encode(trust_policy, bl); encode(perm_policy_map, bl); encode(tenant, bl); + encode(max_session_duration, bl); ENCODE_FINISH(bl); } @@ -108,6 +118,9 @@ public: if (struct_v >= 2) { decode(tenant, bl); } + if (struct_v >= 3) { + decode(max_session_duration, bl); + } DECODE_FINISH(bl); } @@ -116,6 +129,7 @@ public: const string& get_path() const { return path; } const string& get_create_date() const { return creation_date; } const string& get_assume_role_policy() const { return trust_policy;} + const uint64_t& get_max_session_duration() const { return max_session_duration; } int create(bool exclusive); int delete_obj();