From: Krunal Chheda Date: Wed, 25 Feb 2026 20:32:20 +0000 (-0500) Subject: rgw/rest-oidc: Forward all oidc mutation request to master zone. X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=fdf10845fea5b02a9eaa29bf404caccb1496b6ab;p=ceph.git rgw/rest-oidc: Forward all oidc mutation request to master zone. Signed-off-by: Krunal Chheda --- diff --git a/src/rgw/rgw_rest_iam.cc b/src/rgw/rgw_rest_iam.cc index be4e1c56eb61..08f969e3d5a7 100644 --- a/src/rgw/rgw_rest_iam.cc +++ b/src/rgw/rgw_rest_iam.cc 
@@ -43,15 +43,38 @@ static const std::unordered_map op_generators = {"AttachUserPolicy", make_iam_attach_user_policy_op}, {"DetachUserPolicy", make_iam_detach_user_policy_op}, {"ListAttachedUserPolicies", make_iam_list_attached_user_policies_op}, - {"CreateOpenIDConnectProvider", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWCreateOIDCProvider;}}, - {"ListOpenIDConnectProviders", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWListOIDCProviders;}}, - {"GetOpenIDConnectProvider", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWGetOIDCProvider;}}, - {"DeleteOpenIDConnectProvider", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWDeleteOIDCProvider;}}, - {"AddClientIDToOpenIDConnectProvider", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWAddClientIdToOIDCProvider;}}, - {"RemoveClientIDFromOpenIDConnectProvider", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWRemoveCientIdFromOIDCProvider;}}, - {"UpdateOpenIDConnectProviderThumbprint", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWUpdateOIDCProviderThumbprint;}}, - {"TagRole", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWTagRole(bl_post_body);}}, - {"ListRoleTags", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWListRoleTags;}}, + {"CreateOpenIDConnectProvider", + [](const bufferlist& bl_post_body) -> RGWOp* { + return new RGWCreateOIDCProvider(bl_post_body); + }}, + {"ListOpenIDConnectProviders", + [](const bufferlist& bl_post_body) -> RGWOp* { + return new RGWListOIDCProviders; + }}, + {"GetOpenIDConnectProvider", [](const bufferlist& bl_post_body) -> RGWOp* { + return new RGWGetOIDCProvider; + }}, + {"DeleteOpenIDConnectProvider", + [](const bufferlist& bl_post_body) -> RGWOp* { + return new RGWDeleteOIDCProvider(bl_post_body); + }}, + {"AddClientIDToOpenIDConnectProvider", + [](const bufferlist& bl_post_body) -> RGWOp* { + return new RGWAddClientIdToOIDCProvider(bl_post_body); + }}, + 
{"RemoveClientIDFromOpenIDConnectProvider", + [](const bufferlist& bl_post_body) -> RGWOp* { + return new RGWRemoveClientIdFromOIDCProvider(bl_post_body); + }}, + {"UpdateOpenIDConnectProviderThumbprint", + [](const bufferlist& bl_post_body) -> RGWOp* { + return new RGWUpdateOIDCProviderThumbprint(bl_post_body); + }}, + {"TagRole", + [](const bufferlist& bl_post_body) -> RGWOp* { + return new RGWTagRole(bl_post_body); + }}, + {"ListRoleTags", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWListRoleTags;}}, {"UntagRole", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWUntagRole(bl_post_body);}}, {"UpdateRole", [](const bufferlist& bl_post_body) -> RGWOp* {return new RGWUpdateRole(bl_post_body);}}, {"CreateUser", make_iam_create_user_op}, diff --git a/src/rgw/rgw_rest_oidc_provider.cc b/src/rgw/rgw_rest_oidc_provider.cc index f4b49de96276..4a8539285b66 100644 --- a/src/rgw/rgw_rest_oidc_provider.cc +++ b/src/rgw/rgw_rest_oidc_provider.cc @@ -16,12 +16,30 @@ #include "rgw_rest_iam.h" #include "rgw_rest_oidc_provider.h" #include "rgw_oidc_provider.h" +#include "rgw_process_env.h" #include "rgw_sal.h" #define dout_subsys ceph_subsys_rgw using namespace std; +static int +forward_oidc_iam_request( + RGWRESTOp* op, + req_state* s, + bufferlist& bl_post_body, + optional_yield y) +{ + const rgw::SiteConfig& site = *s->penv.site; + RGWXMLDecoder::XMLParser parser; + if (!parser.init()) { + ldpp_dout(op, 0) << "ERROR: failed to initialize xml parser" << dendl; + return -EINVAL; + } + return forward_iam_request_to_master( + op, site, s->user->get_info(), bl_post_body, parser, s->info, s->err, y); +} + int RGWRestOIDCProvider::verify_permission(optional_yield y) { if (verify_user_permission(this, s, resource, action)) { 
@@ -60,10 +78,6 @@ static std::string format_creation_date(ceph::real_time now) } -RGWCreateOIDCProvider::RGWCreateOIDCProvider() - : RGWRestOIDCProvider(rgw::IAM::iamCreateOIDCProvider, RGW_CAP_WRITE) -{ -} inline constexpr int MAX_OIDC_NUM_CLIENT_IDS = 100; inline constexpr int MAX_OIDC_CLIENT_ID_LEN = 255; @@ -135,6 +149,17 @@ int RGWCreateOIDCProvider::init_processing(optional_yield y) void RGWCreateOIDCProvider::execute(optional_yield y) { + const rgw::SiteConfig& site = *s->penv.site; + if (!site.is_meta_master()) { + op_ret = forward_oidc_iam_request(this, s, bl_post_body, y); + if (op_ret < 0) { + ldpp_dout(this, -1) + << "ERROR: forward_iam_request_to_master failed with error code: " + << op_ret << dendl; + return; + } + } + constexpr bool exclusive = true; op_ret = driver->store_oidc_provider(this, y, info, exclusive); if (op_ret == 0) { @@ -209,11 +234,6 @@ static int validate_provider_arn(const std::string& provider_arn, } -RGWDeleteOIDCProvider::RGWDeleteOIDCProvider() - : RGWRestOIDCProvider(rgw::IAM::iamDeleteOIDCProvider, RGW_CAP_WRITE) -{ -} - int RGWDeleteOIDCProvider::init_processing(optional_yield y) { std::string_view account; @@ -229,6 +249,16 @@ int RGWDeleteOIDCProvider::init_processing(optional_yield y) void RGWDeleteOIDCProvider::execute(optional_yield y) { + const rgw::SiteConfig& site = *s->penv.site; + if (!site.is_meta_master()) { + op_ret = forward_oidc_iam_request(this, s, bl_post_body, y); + if (op_ret < 0) { + ldpp_dout(this, -1) + << "ERROR: forward_iam_request_to_master failed with error code: " + << op_ret << dendl; + return; + } + } op_ret = driver->delete_oidc_provider(this, y, resource.account, url); if (op_ret < 0 && op_ret != -ENOENT && op_ret != -EINVAL) { @@ -244,10 +274,6 @@ void RGWDeleteOIDCProvider::execute(optional_yield y) } } -RGWGetOIDCProvider::RGWGetOIDCProvider() - : RGWRestOIDCProvider(rgw::IAM::iamGetOIDCProvider, RGW_CAP_READ) -{ -} int RGWGetOIDCProvider::init_processing(optional_yield y) { 
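Review bot: In `RGWCreateOIDCProvider::execute` a successful forward falls through to the local `driver->store_oidc_provider(this, y, info, exclusive)`, so on a non-master zone the provider is written here directly as well as being created on the master, and nothing in the hunk says why the second write is wanted. A one-line comment above `constexpr bool exclusive = true;`, e.g. `// also store locally so the provider is usable on this zone before metadata sync replicates it`, would tell the next reader the fall-through is intentional; the same applies to the local `delete_oidc_provider` that follows the forward in `RGWDeleteOIDCProvider::execute` in the @@ -229 hunk. If metadata sync can deliver the master's copy before this local store runs, the exclusive flag presumably turns that into a conflict for a request the master has already accepted — worth confirming against store_oidc_provider's semantics, which are not visible here.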
@@ -300,10 +326,6 @@ void RGWGetOIDCProvider::execute(optional_yield y) } -RGWListOIDCProviders::RGWListOIDCProviders() - : RGWRestOIDCProvider(rgw::IAM::iamListOIDCProviders, RGW_CAP_READ) -{ -} void RGWListOIDCProviders::execute(optional_yield y) { @@ -334,11 +356,6 @@ void RGWListOIDCProviders::execute(optional_yield y) } } -RGWAddClientIdToOIDCProvider::RGWAddClientIdToOIDCProvider() - : RGWRestOIDCProvider(rgw::IAM::iamAddClientIdToOIDCProvider, RGW_CAP_WRITE) -{ -} - int RGWAddClientIdToOIDCProvider::init_processing(optional_yield y) { std::string_view account; @@ -383,6 +400,16 @@ void RGWAddClientIdToOIDCProvider::execute(optional_yield y) } return; } + const rgw::SiteConfig& site = *s->penv.site; + if (!site.is_meta_master()) { + op_ret = forward_oidc_iam_request(this, s, bl_post_body, y); + if (op_ret < 0) { + ldpp_dout(this, -1) + << "ERROR: forward_iam_request_to_master failed with error code: " + << op_ret << dendl; + return; + } + } if(std::find(info.client_ids.begin(), info.client_ids.end(), client_id) != info.client_ids.end()) { op_ret = -EEXIST; @@ -406,12 +433,8 @@ void RGWAddClientIdToOIDCProvider::execute(optional_yield y) } } -RGWRemoveCientIdFromOIDCProvider::RGWRemoveCientIdFromOIDCProvider() - : RGWRestOIDCProvider(rgw::IAM::iamRemoveClientIdFromOIDCProvider, RGW_CAP_WRITE) -{ -} - -int RGWRemoveCientIdFromOIDCProvider::init_processing(optional_yield y) +int +RGWRemoveClientIdFromOIDCProvider::init_processing(optional_yield y) { std::string_view account; if (const auto& acc = s->auth.identity->get_account(); acc) { @@ -444,7 +467,8 @@ int RGWRemoveCientIdFromOIDCProvider::init_processing(optional_yield y) return 0; } -void RGWRemoveCientIdFromOIDCProvider::execute(optional_yield y) +void +RGWRemoveClientIdFromOIDCProvider::execute(optional_yield y) { RGWOIDCProviderInfo info; op_ret = driver->load_oidc_provider(this, y, resource.account, url, info); 
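Review bot: In `RGWAddClientIdToOIDCProvider::execute` the forward to the master runs before the local duplicate check (`std::find` followed by `op_ret = -EEXIST`), so on a non-master zone the master may already have accepted the new client id when this zone then rejects the request; if the locally loaded copy (`load_oidc_provider`, earlier in execute and outside this hunk) has drifted from the master's, the client is told the call failed although the master applied it. Performing the local validation first and forwarding only once the request would also succeed here — i.e. moving the forward block to just after the `-EEXIST` check, immediately before the local update — keeps the two outcomes aligned. The same ordering appears in `RGWRemoveClientIdFromOIDCProvider::execute` and `RGWUpdateOIDCProviderThumbprint::execute` in the hunks on the next line. Because the local load also precedes the forward, a provider that exists on the master but has not yet synced to this zone takes the not-found path instead of reaching the master; that may be acceptable, but it is worth a comment on the load.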
@@ -455,6 +479,16 @@ void RGWRemoveCientIdFromOIDCProvider::execute(optional_yield y) } return; } + const rgw::SiteConfig& site = *s->penv.site; + if (!site.is_meta_master()) { + op_ret = forward_oidc_iam_request(this, s, bl_post_body, y); + if (op_ret < 0) { + ldpp_dout(this, -1) + << "ERROR: forward_iam_request_to_master failed with error code: " + << op_ret << dendl; + return; + } + } auto position = std::find(info.client_ids.begin(), info.client_ids.end(), client_id); @@ -477,11 +511,6 @@ void RGWRemoveCientIdFromOIDCProvider::execute(optional_yield y) } } -RGWUpdateOIDCProviderThumbprint::RGWUpdateOIDCProviderThumbprint() - : RGWRestOIDCProvider(rgw::IAM::iamUpdateOIDCProviderThumbprint, RGW_CAP_WRITE) -{ -} - int RGWUpdateOIDCProviderThumbprint::init_processing(optional_yield y) { std::string_view account; @@ -532,6 +561,16 @@ void RGWUpdateOIDCProviderThumbprint::execute(optional_yield y) } return; } + const rgw::SiteConfig& site = *s->penv.site; + if (!site.is_meta_master()) { + op_ret = forward_oidc_iam_request(this, s, bl_post_body, y); + if (op_ret < 0) { + ldpp_dout(this, -1) + << "ERROR: forward_iam_request_to_master failed with error code: " + << op_ret << dendl; + return; + } + } info.thumbprints = std::move(thumbprints); diff --git a/src/rgw/rgw_rest_oidc_provider.h b/src/rgw/rgw_rest_oidc_provider.h index 2d7369833e89..b31f03fb7801 100644 --- a/src/rgw/rgw_rest_oidc_provider.h +++ b/src/rgw/rgw_rest_oidc_provider.h @@ -3,6 +3,7 @@ #pragma once +#include "rgw_arn.h" #include "rgw_rest.h" #include "rgw_oidc_provider.h" 
@@ -22,9 +23,15 @@ public: }; class RGWCreateOIDCProvider : public RGWRestOIDCProvider { + bufferlist bl_post_body; RGWOIDCProviderInfo info; public: - RGWCreateOIDCProvider(); + explicit + RGWCreateOIDCProvider(const bufferlist& bl_post_body) + : RGWRestOIDCProvider(rgw::IAM::iamCreateOIDCProvider, RGW_CAP_WRITE), + bl_post_body(bl_post_body) + { + } int init_processing(optional_yield y) override; void execute(optional_yield y) override; @@ -33,9 +40,15 @@ class RGWCreateOIDCProvider : public RGWRestOIDCProvider { }; class RGWDeleteOIDCProvider : public RGWRestOIDCProvider { + bufferlist bl_post_body; std::string url; public: - RGWDeleteOIDCProvider(); + explicit + RGWDeleteOIDCProvider(const bufferlist& bl_post_body) + : RGWRestOIDCProvider(rgw::IAM::iamDeleteOIDCProvider, RGW_CAP_WRITE), + bl_post_body(bl_post_body) + { + } int init_processing(optional_yield y) override; void execute(optional_yield y) override; @@ -45,8 +58,12 @@ class RGWDeleteOIDCProvider : public RGWRestOIDCProvider { class RGWGetOIDCProvider : public RGWRestOIDCProvider { std::string url; - public: - RGWGetOIDCProvider(); + +public: + RGWGetOIDCProvider() + : RGWRestOIDCProvider(rgw::IAM::iamGetOIDCProvider, RGW_CAP_READ) + { + } int init_processing(optional_yield y) override; void execute(optional_yield y) override; @@ -55,8 +72,9 @@ class RGWGetOIDCProvider : public RGWRestOIDCProvider { }; class RGWListOIDCProviders : public RGWRestOIDCProvider { - public: - RGWListOIDCProviders(); +public: + RGWListOIDCProviders() + : RGWRestOIDCProvider(rgw::IAM::iamListOIDCProviders, RGW_CAP_READ) {} void execute(optional_yield y) override; const char* name() const override { return "list_oidc_providers"; } 
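Review bot: The new `bufferlist bl_post_body;` members of `RGWCreateOIDCProvider` and `RGWDeleteOIDCProvider` (and of the three classes in the following hunk) carry no comment saying what they hold or who reads them; a short note above each declaration, `// POST body of the request, kept so the operation can be forwarded to the metadata master`, makes the copy in the constructor self-explanatory. The constructors take `const bufferlist&` and copy it into the member; if bufferlist copies are cheap in this codebase that is fine, otherwise taking the parameter by value and moving it in avoids a copy — confirm against bufferlist's copy semantics. As a point of style, the constructors in this diff are laid out three different ways (`explicit` on its own line with braces on separate lines, `RGWGetOIDCProvider()` with braces on separate lines, and `RGWListOIDCProviders()` with `{}` on the initializer line); one layout for the header would read better.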
@@ -64,36 +82,60 @@ class RGWListOIDCProviders : public RGWRestOIDCProvider { }; class RGWAddClientIdToOIDCProvider : public RGWRestOIDCProvider { + bufferlist bl_post_body; std::string url; std::string client_id; + public: - RGWAddClientIdToOIDCProvider(); + explicit + RGWAddClientIdToOIDCProvider(const bufferlist& bl_post_body) + : RGWRestOIDCProvider( + rgw::IAM::iamAddClientIdToOIDCProvider, RGW_CAP_WRITE), + bl_post_body(bl_post_body) + { + } - int init_processing(optional_yield y); + int init_processing(optional_yield y) override; void execute(optional_yield y) override; const char* name() const override { return "add_client_id_to_oidc_provider"; } RGWOpType get_type() override { return RGW_OP_ADD_CLIENTID_TO_OIDC_PROVIDER; } }; -class RGWRemoveCientIdFromOIDCProvider : public RGWRestOIDCProvider { +class RGWRemoveClientIdFromOIDCProvider : public RGWRestOIDCProvider { + bufferlist bl_post_body; std::string url; std::string client_id; + public: - RGWRemoveCientIdFromOIDCProvider(); + explicit + RGWRemoveClientIdFromOIDCProvider(const bufferlist& bl_post_body) + : RGWRestOIDCProvider( + rgw::IAM::iamRemoveClientIdFromOIDCProvider, RGW_CAP_WRITE), + bl_post_body(bl_post_body) + { + } - int init_processing(optional_yield y); + int init_processing(optional_yield y) override; void execute(optional_yield y) override; const char* name() const override { return "remove_client_id_from_oidc_provider"; } RGWOpType get_type() override { return RGW_OP_REMOVE_CLIENTID_FROM_OIDC_PROVIDER; } }; class RGWUpdateOIDCProviderThumbprint : public RGWRestOIDCProvider { + bufferlist bl_post_body; std::string url; std::vector thumbprints; + public: - RGWUpdateOIDCProviderThumbprint(); + explicit + RGWUpdateOIDCProviderThumbprint(const bufferlist& bl_post_body) + : RGWRestOIDCProvider( + rgw::IAM::iamUpdateOIDCProviderThumbprint, RGW_CAP_WRITE), + bl_post_body(bl_post_body) + { + } - int init_processing(optional_yield y); + int init_processing(optional_yield y) override; void 
execute(optional_yield y) override; const char* name() const override { return "update_oidc_provider_thumbprint"; } RGWOpType get_type() override { return RGW_OP_UPDATE_OIDC_PROVIDER_THUMBPRINT; }