From: Casey Bodley
Date: Sun, 11 Feb 2024 17:24:05 +0000 (-0500)
Subject: rgw/iam: load and evaluate group policies
X-Git-Tag: v20.0.0~2159^2~69
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=f660d8b48a2b773e11c2e72a122d1255a889749d;p=ceph.git

rgw/iam: load and evaluate group policies

Signed-off-by: Casey Bodley
---
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index efc18003a5ede..9991ec57e3659 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -353,27 +353,72 @@ get_public_access_conf_from_attr(const map& attrs)
 return boost::none;
 }
-vector get_iam_user_policy_from_attr(CephContext* cct,
- const map& attrs,
- const string& tenant) {
- vector policies;
- if (auto bl = attrs.find(RGW_ATTR_USER_POLICY); bl != attrs.end()) {
- map policy_map;
- decode(policy_map, bl->second);
- for (const auto& [name, policy] : policy_map) {
- policies.emplace_back(cct, tenant, policy, false);
+static void load_inline_policy(CephContext* cct, const bufferlist& bl,
+ const string& tenant,
+ std::vector& policies)
+{
+ map policy_map;
+ decode(policy_map, bl);
+ for (const auto& [name, policy] : policy_map) {
+ policies.emplace_back(cct, tenant, policy, false);
+ }
+}
+
+static void load_managed_policy(CephContext* cct, const bufferlist& bl,
+ const string& tenant,
+ std::vector& policies)
+{
+ rgw::IAM::ManagedPolicies policy_set;
+ decode(policy_set, bl);
+ for (const auto& arn : policy_set.arns) {
+ if (auto p = rgw::IAM::get_managed_policy(cct, arn); p) {
+ policies.push_back(std::move(*p));
 }
 }
- if (auto bl = attrs.find(RGW_ATTR_MANAGED_POLICY); bl != attrs.end()) {
- rgw::IAM::ManagedPolicies policy_set;
- decode(policy_set, bl->second);
- for (const auto& arn : policy_set.arns) {
- if (auto p = rgw::IAM::get_managed_policy(cct, arn); p) {
- policies.push_back(std::move(*p));
- }
+}
+
+static void load_iam_group_policies(const DoutPrefixProvider* dpp,
+ optional_yield y,
+ rgw::sal::Driver* driver,
+ const std::string& tenant,
+ std::string_view group_id,
+ std::vector& policies)
+{
+ RGWGroupInfo info;
+ rgw::sal::Attrs attrs;
+ RGWObjVersionTracker objv;
+ int r = driver->load_group_by_id(dpp, y, group_id, info, attrs, objv);
+ if (r >= 0) {
+ CephContext* cct = dpp->get_cct();
+ if (auto bl = attrs.find(RGW_ATTR_IAM_POLICY); bl != attrs.end()) {
+ load_inline_policy(cct, bl->second, tenant, policies);
 }
+ if (auto bl = attrs.find(RGW_ATTR_MANAGED_POLICY); bl != attrs.end()) {
+ load_managed_policy(cct, bl->second, tenant, policies);
+ }
+ }
+ }
+
+void load_iam_identity_policies(const DoutPrefixProvider* dpp,
+ optional_yield y,
+ rgw::sal::Driver* driver,
+ const RGWUserInfo& info,
+ const rgw::sal::Attrs& attrs,
+ std::vector& policies)
+{
+ // load user policies from user attrs
+ CephContext* cct = dpp->get_cct();
+ if (auto bl = attrs.find(RGW_ATTR_USER_POLICY); bl != attrs.end()) {
+ load_inline_policy(cct, bl->second, info.user_id.tenant, policies);
+ }
+ if (auto bl = attrs.find(RGW_ATTR_MANAGED_POLICY); bl != attrs.end()) {
+ load_managed_policy(cct, bl->second, info.user_id.tenant, policies);
+ }
+
+ // load each group and its policies
+ for (const auto& id : info.group_ids) {
+ load_iam_group_policies(dpp, y, driver, info.user_id.tenant, id, policies);
 }
- return policies;
 }
 static int read_bucket_policy(const DoutPrefixProvider *dpp,
@@ -639,12 +684,11 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d
 try {
 ret = s->user->read_attrs(dpp, y);
 if (ret == 0) {
- auto user_policies = get_iam_user_policy_from_attr(s->cct,
- s->user->get_attrs(),
- s->user->get_tenant());
- s->iam_identity_policies.insert(s->iam_identity_policies.end(),
- std::make_move_iterator(user_policies.begin()),
- std::make_move_iterator(user_policies.end()));
+ // load all user and group policies
+ load_iam_identity_policies(dpp, y, driver,
+ s->user->get_info(),
+ s->user->get_attrs(),
+ s->iam_identity_policies);
 } else {
 if (ret == -ENOENT)
 ret = 0;
diff --git a/src/rgw/rgw_op.h b/src/rgw/rgw_op.h
index dd30734b68209..ac2f0ba98cba4 100644
--- a/src/rgw/rgw_op.h
+++ b/src/rgw/rgw_op.h
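Review bot: In load_iam_group_policies the `if (r >= 0)` guard means any failure of load_group_by_id silently contributes no policies, so a transient backend error (as opposed to a missing group) lets the request be evaluated without that group's statements, including any Deny — the authorization check fails open for that group. -ENOENT is presumably a legitimate skip (a stale id left in info.group_ids), but every other error should propagate: make load_iam_group_policies and load_iam_identity_policies return int, check it in the group loop, and have the two call sites — rgw_build_bucket_policies in the next hunk and RGWHandler_REST::init_permissions in rgw_rest.cc — treat a negative result like a failed read_attrs, with the declaration in rgw_op.h updated to match. Either way the skip deserves a log line so a missing group is visible in the rgw log. The `// load each group and its policies` comment should then say that a load error other than ENOENT aborts the whole call, so callers never authorize against a partial policy set.
```cpp
static int load_iam_group_policies(const DoutPrefixProvider* dpp,
                                   /* … unchanged: remaining parameters … */)
{
  // … unchanged: info/attrs/objv locals …
  int r = driver->load_group_by_id(dpp, y, group_id, info, attrs, objv);
  if (r == -ENOENT) {
    // a group id that no longer resolves contributes no policies
    ldpp_dout(dpp, 4) << "group " << group_id << " not found, skipping its policies" << dendl;
    return 0;
  }
  if (r < 0) {
    // any other failure must not authorize against a partial policy set
    ldpp_dout(dpp, 1) << "failed to load group " << group_id << ": " << cpp_strerror(r) << dendl;
    return r;
  }
  // … unchanged: RGW_ATTR_IAM_POLICY / RGW_ATTR_MANAGED_POLICY lookups …
  return 0;
}

int load_iam_identity_policies(/* … unchanged parameters … */)
{
  // … unchanged: user inline/managed policy loading …
  for (const auto& id : info.group_ids) {
    // a load error other than ENOENT aborts the whole call
    if (int r = load_iam_group_policies(dpp, y, driver, info.user_id.tenant, id, policies); r < 0) {
      return r;
    }
  }
  return 0;
}
```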
@@ -2070,9 +2070,14 @@ extern int rgw_build_object_policies(const DoutPrefixProvider *dpp, rgw::sal::Dr
 req_state *s, bool prefetch_data, optional_yield y);
 extern void rgw_build_iam_environment(rgw::sal::Driver* driver, req_state* s);
-extern std::vector get_iam_user_policy_from_attr(CephContext* cct,
- const std::map& attrs,
- const std::string& tenant);
+
+// load all user/group policies
+void load_iam_identity_policies(const DoutPrefixProvider* dpp,
+ optional_yield y,
+ rgw::sal::Driver* driver,
+ const RGWUserInfo& info,
+ const rgw::sal::Attrs& attrs,
+ std::vector& policies);
 inline int get_system_versioning_params(req_state *s, uint64_t *olh_epoch,
diff --git a/src/rgw/rgw_rest.cc b/src/rgw/rgw_rest.cc
index 4185dee4e20e6..b44baf35dfe50 100644
--- a/src/rgw/rgw_rest.cc
+++ b/src/rgw/rgw_rest.cc
@@ -1878,11 +1878,11 @@ int RGWHandler_REST::init_permissions(RGWOp* op, optional_yield y)
 if (! s->user->get_id().empty() && s->auth.identity->get_identity_type() != TYPE_ROLE) {
 try {
 if (auto ret = s->user->read_attrs(s, y); ! ret) {
- auto user_policies = get_iam_user_policy_from_attr(s->cct, s->user->get_attrs(), s->user->get_tenant());
- s->iam_identity_policies.insert(s->iam_identity_policies.end(),
- std::make_move_iterator(user_policies.begin()),
- std::make_move_iterator(user_policies.end()));
-
+ // load all user and group policies
+ load_iam_identity_policies(op, y, driver,
+ s->user->get_info(),
+ s->user->get_attrs(),
+ s->iam_identity_policies);
 }
 } catch (const std::exception& e) {
 ldpp_dout(op, -1) << "Error reading IAM User Policy: " << e.what() << dendl;
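Review bot: The comment `// load all user/group policies` on the new declaration leaves out what a caller deciding authorization needs to know: that the function appends to `policies` rather than replacing it, that a malformed policy attribute surfaces as an exception from decode() (both callers in rgw_op.cc and rgw_rest.cc wrap the call in try/catch), and what happens when one of the groups in info.group_ids cannot be loaded — in the rgw_op.cc body of this commit that group is silently skipped. A three-line comment stating those points, and that `info.group_ids` drives the group lookups, would make the contract reviewable from the header alone. As a point of style, the neighbouring rgw_build_* declarations all carry `extern`; it is redundant on a function, but the new declaration is the only one in this group without it.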
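Review bot: The catch in RGWHandler_REST::init_permissions still logs `Error reading IAM User Policy:` although the replaced call now also decodes each group's RGW_ATTR_IAM_POLICY and RGW_ATTR_MANAGED_POLICY attributes, so a corrupt group policy will be reported as a user-policy failure and investigated in the wrong place. Change the context line to `ldpp_dout(op, -1) << "Error reading IAM identity policies: " << e.what() << dendl;`, and consider including the user id, which the handler already has as `s->user->get_id()`, so the affected identity can be found from the log. The catch body continues past the end of the hunk, so whether the exception is turned into a denial is not visible here.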