From: Seena Fallah Date: Mon, 28 Apr 2025 17:44:10 +0000 (+0200) Subject: rgw: utilize is_impersonating for forwarded sts requests X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=refs%2Fpull%2F61962%2Fhead;p=ceph.git rgw: utilize is_impersonating for forwarded sts requests With the introduction of is_impersonating in SysReqApplier, RoleApplier can now use the same mechanism to mark when a request has been forwarded by a system user on behalf of another role (e.g., through STS) to mark it as a system request (s->system_request). Signed-off-by: Seena Fallah --- diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc index 80dfe9c5be642..a4abe024e53df 100644 --- a/src/rgw/rgw_auth.cc +++ b/src/rgw/rgw_auth.cc @@ -1307,9 +1307,6 @@ void rgw::auth::RoleApplier::modify_request_state(const DoutPrefixProvider *dpp, for (auto& it : token_attrs.token_claims) { s->token_claims.emplace_back(it); } - if (is_system_request) { - s->system_request = true; - } } rgw::auth::Engine::result_t diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h index ed80fc23e3694..87fbd47c0b109 100644 --- a/src/rgw/rgw_auth.h +++ b/src/rgw/rgw_auth.h @@ -798,20 +798,17 @@ protected: rgw::sal::Driver* driver; Role role; TokenAttrs token_attrs; - bool is_system_request; public: RoleApplier(CephContext* const cct, rgw::sal::Driver* driver, const Role& role, - const TokenAttrs& token_attrs, - bool is_system_request) + const TokenAttrs& token_attrs) : cct(cct), driver(driver), role(role), - token_attrs(token_attrs), - is_system_request(is_system_request) {} + token_attrs(token_attrs) {} ACLOwner get_aclowner() const override; uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override { @@ -847,7 +844,7 @@ public: const req_state* s, Role role, TokenAttrs token_attrs, - bool is_system_request) const = 0; + bool is_impersonating) const = 0; }; }; diff --git a/src/rgw/rgw_auth_s3.h b/src/rgw/rgw_auth_s3.h index edc208e956740..d2a66599eb055 100644 
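Review bot: With the removed branch gone, RoleApplier::modify_request_state no longer touches s->system_request at all, so marking a forwarded STS request as a system request now rests entirely on what add_sysreq/SysReqApplier does with the is_impersonating flag, which is not visible in this diff. Because s->system_request is consulted elsewhere in RGW to relax checks for system callers, a reader of this function will look for where it is set; a one-line comment where the branch used to be would save that search: `// s->system_request for forwarded (impersonating) STS requests is set by SysReqApplier via add_sysreq()`. modify_request_state begins before this hunk.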
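Review bot: The rewritten constructor still takes `const TokenAttrs& token_attrs` and copies it into the member, while the caller in rgw_auth_s3.h passes `std::move(token_attrs)`; that move binds to the const reference and the copy happens anyway. Taking the parameter by value, `TokenAttrs token_attrs)`, and initializing with `token_attrs(std::move(token_attrs)) {}` would make the caller's move effective. The same applies to `const Role& role`, although that line is unchanged by this commit.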
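Review bot: The renamed `bool is_impersonating` parameter of the pure virtual create_apl_role carries no documentation, and its meaning is only recoverable by reading STSEngine::authenticate in rgw_rest_s3.cc, where it is set when the request was signed with a key other than the STS token's own. Suggest a comment above the declaration, e.g. `// is_impersonating: the request was signed by a forwarding user's key rather than the token's own; the applier is wrapped by add_sysreq(), which uses the flag to decide system-request treatment`, with the "forwarding user" wording taken from the commit message rather than from code shown here. The enclosing class starts outside this hunk.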
--- a/src/rgw/rgw_auth_s3.h +++ b/src/rgw/rgw_auth_s3.h @@ -72,9 +72,9 @@ class STSAuthStrategy : public rgw::auth::Strategy, const req_state* const s, RoleApplier::Role role, RoleApplier::TokenAttrs token_attrs, - bool is_system_request) const override { + bool is_impersonating) const override { auto apl = rgw::auth::add_sysreq(cct, driver, s, - rgw::auth::RoleApplier(cct, driver, std::move(role), std::move(token_attrs), is_system_request)); + rgw::auth::RoleApplier(cct, driver, std::move(role), std::move(token_attrs)), is_impersonating); return aplptr_t(new decltype(apl)(std::move(apl))); } diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index 6e8796ae5fb91..c1835f3efe1a9 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -7024,7 +7024,6 @@ rgw::auth::s3::STSEngine::authenticate( const req_state* const s, optional_yield y) const { - bool is_system_request{false}; if (! s->info.args.exists("x-amz-security-token") && ! s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN") && s->auth.s3_postobj_creds.x_amz_security_token.empty()) { @@ -7036,6 +7035,7 @@ rgw::auth::s3::STSEngine::authenticate( return result_t::reject(ret); } //Authentication + bool is_impersonating = false; std::string secret_access_key; //Check if access key is not the same passed in by client if (token.access_key_id != _access_key_id) { @@ -7059,7 +7059,7 @@ rgw::auth::s3::STSEngine::authenticate( } const RGWAccessKey& k = iter->second; secret_access_key = k.key; - is_system_request = true; + is_impersonating = true; } else { ldpp_dout(dpp, 0) << "Invalid access key" << dendl; return result_t::reject(-EPERM); 
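Review bot: The new declaration `bool is_impersonating = false;` drops the brace initialization that the removed `bool is_system_request{false};` used; since the surrounding function keeps the brace style, `bool is_impersonating{false};` would be the consistent form. Moving the declaration below the `//Authentication` comment, next to `secret_access_key`, does narrow its scope appropriately.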
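Review bot: `is_impersonating = true;` is set on the branch where the client's access key differs from the token's and a key lookup succeeded, but the lines that resolve whose key it is, and whether that user must be a system user, lie between this hunk and the previous one and are not shown. Since add_sysreq now turns this flag into system-request handling, renaming is_system_request to is_impersonating must not loosen that precondition; if the elided lookup does not already require the forwarding user to be a system user, any cross-user signing would be promoted to a system request. Worth confirming against the elided lines and, if the precondition holds, naming it next to the assignment: `is_impersonating = true; // forwarding user's key resolved above; add_sysreq() decides system-request handling`. The enclosing function, STSEngine::authenticate, starts before this hunk.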
@@ -7150,7 +7150,7 @@ rgw::auth::s3::STSEngine::authenticate(
     t_attrs.token_issued_at = std::move(token.issued_at);
     t_attrs.principal_tags = std::move(token.principal_tags);
     auto apl = role_apl_factory->create_apl_role(cct, s, std::move(r),
-                                                 std::move(t_attrs), is_system_request);
+                                                 std::move(t_attrs), is_impersonating);
     return result_t::grant(std::move(apl), completer_factory(token.secret_access_key));
   } else { // This is for all local users of type TYPE_RGW|ROOT|NONE
     if (token.user.empty()) {