From: Seena Fallah Date: Wed, 8 Apr 2020 19:45:20 +0000 (+0430) Subject: rgw: Add subuser to OPA request X-Git-Tag: v14.2.11~48^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F36187%2Fhead;p=ceph.git rgw: Add subuser to OPA request Signed-off-by: Seena Fallah (cherry picked from commit 793aaaaed9029e032128b50767a5faf1bb7f6d81) Conflicts: src/rgw/rgw_opa.cc - jf.dump_object("user_info", ...) line looks different in nautilus --- diff --git a/doc/radosgw/opa.rst b/doc/radosgw/opa.rst index 89f9300b94e9d..74eeb918b9587 100644 --- a/doc/radosgw/opa.rst +++ b/doc/radosgw/opa.rst @@ -46,6 +46,7 @@ Example request:: { "input": { "method": "GET", + "subuser": "subuser", "user_info": { "used_id": "john", "display_name": "John" diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc index b03d5b280106b..078c16e6f67e0 100644 --- a/src/rgw/rgw_auth.cc +++ b/src/rgw/rgw_auth.cc @@ -87,6 +87,10 @@ transform_old_authinfo(const req_state* const s) return {}; } + string get_subuser() const override { + return {}; + } + void to_str(std::ostream& out) const override { out << "RGWDummyIdentityApplier(auth_id=" << id << ", perm_mask=" << perm_mask diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h index 2aaa1a5ac1f87..dad0897697f00 100644 --- a/src/rgw/rgw_auth.h +++ b/src/rgw/rgw_auth.h @@ -75,6 +75,9 @@ public: /* Name of Account */ virtual string get_acct_name() const = 0; + + /* Subuser of Account */ + virtual string get_subuser() const = 0; }; inline std::ostream& operator<<(std::ostream& out, @@ -403,6 +406,10 @@ public: return token_claims.user_name; } + string get_subuser() const override { + return {}; + } + struct Factory { virtual ~Factory() {} @@ -535,6 +542,7 @@ public: void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */ uint32_t get_identity_type() const override { return info.acct_type; } string get_acct_name() const override { return info.acct_name; } + string get_subuser() const override { return {}; } struct Factory { virtual ~Factory() {} @@ -596,6 +604,7 @@ public: void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */ uint32_t get_identity_type() const override { return TYPE_RGW; } string get_acct_name() const override { return {}; } + string get_subuser() const override { return subuser; } struct Factory { virtual ~Factory() {} @@ -640,6 +649,7 @@ public: void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */ uint32_t get_identity_type() const override { return TYPE_ROLE; } string get_acct_name() const override { return {}; } + string get_subuser() const override { return {}; } void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override; struct Factory { diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h index ff0a33eaae6a1..a2b62e2cff58e 100644 --- a/src/rgw/rgw_auth_filters.h +++ b/src/rgw/rgw_auth_filters.h @@ -88,6 +88,10 @@ public: return get_decoratee().get_acct_name(); } + string get_subuser() const override { + return get_decoratee().get_subuser(); + } + bool is_identity( const boost::container::flat_set& ids) const override { return get_decoratee().is_identity(ids); diff --git a/src/rgw/rgw_opa.cc b/src/rgw/rgw_opa.cc index 08abf5a174fc4..2331beb69a412 100644 --- a/src/rgw/rgw_opa.cc +++ b/src/rgw/rgw_opa.cc @@ -44,6 +44,7 @@ int rgw_opa_authorize(RGWOp *& op, jf.dump_string("params", s->info.request_params.c_str()); jf.dump_string("request_uri_aws4", s->info.request_uri_aws4.c_str()); jf.dump_string("object_name", s->object.name.c_str()); + jf.dump_string("subuser", s->auth.identity->get_subuser().c_str()); jf.dump_object("user_info", *s->user); jf.dump_object("bucket_info", s->bucket_info); jf.close_section(); diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc index a0a6ac4fdd1b8..b12ab7fd978c8 100644 --- a/src/test/rgw/test_rgw_iam_policy.cc +++ b/src/test/rgw/test_rgw_iam_policy.cc @@ -124,6 +124,11 @@ public: return 0; } + string get_subuser() const override { + abort(); + return 0; + } + void to_str(std::ostream& out) const override { out << id; }