Casey Bodley [Tue, 12 Mar 2024 20:26:44 +0000 (16:26 -0400)]
rgw/pubsub: return 404 NotFound instead of NoSuchKey
repurpose the ERR_NOT_FOUND define which was otherwise unused to
customize the error response for sns apis, which return the NotFound
error code instead of NoSuchKey from s3:
Casey Bodley [Tue, 12 Mar 2024 23:08:50 +0000 (19:08 -0400)]
rgw/pubsub: notifications can refer to topics in other accounts/tenants
accounts can use topic policy to grant sns:Publish permissions to other
accounts. the PutBucketNotification op should expect TopicArns from
other accounts. the account name from each TopicArn should be used as
the 'tenant' argument for RGWPubSub's constructor so we look for the
topic in the right namespace
Casey Bodley [Tue, 12 Mar 2024 20:25:58 +0000 (16:25 -0400)]
rgw/pubsub: when present, use account id instead of tenant
RGWPubSub provides topic namespace isolation for tenants by adding
prefixes to rados object names and topic metadata keys. accounts use
this the same way
refactor verify_topic_owner_or_policy() to share the same interface
as similar functions like verify_user/bucket/object_permission()
from rgw_common.cc
in addition to the topic resource policy, this now also consults iam
identity policies like user, group, or role policy
for account users, this now implements cross-account policy evaluation.
this only comes into play for sns:Publish permissions though, because
the topics themselves are scoped to the account
Casey Bodley [Sat, 9 Mar 2024 16:08:17 +0000 (11:08 -0500)]
rgw/pubsub: do init/validation in init_processing()
verify_permission() should do permission checks and nothing else!
admin/system users ignore errors from verify_permission() and go on to
call execute() regardless. that means that execute() can't rely on any
initialization that happened during verify_permission(), at risk of
crashing on admin/system requests. it also means that any permission
checks in execute() won't get overridden for admin/system users,
breaking their superuser access
by moving all parameter validation and initialization into
init_processing(), we can prepare all the state that verify_permission()
will need to do it's thing
Casey Bodley [Tue, 5 Mar 2024 18:57:09 +0000 (13:57 -0500)]
rgw/auth: expose Identity::get_account()
now that all identities store an optional account, expose that to the
rest of rgw with get_account(). this cleans up lots of code that
otherwise has to deal with the rgw_owner variant
Casey Bodley [Fri, 1 Mar 2024 14:36:31 +0000 (09:36 -0500)]
rgw/auth: object ops use new verify_bucket_permission() overload
several object operations like PutObject, DeleteObject, etc were handling
policy evaluation manually instead of using the helper functions like
verify_user/bucket/object_permission(), so were missing the cross-policy
evaluation rules for account users
these now call the new 'custom arn' overload of verify_bucket_permission()
for equivalent functionality
the eval_identity_or_session_policies() function is no longer exposed by
rgw_common.h to prevent other ops from adding new logic that doesn't
handle cross-account access
Casey Bodley [Mon, 4 Mar 2024 21:10:17 +0000 (16:10 -0500)]
rgw/auth: pass user policies into identities
loading user policies in rgw_build_bucket_policies() doesn't work for
PostObj requests because we haven't authenticated yet at that point
instead, auth engines load/parse policies when they load the user info.
policies are passed into the auth identities and applied to req_state
via modify_request_state() similar to how RoleApplier handles role
policy
this also moves the load_iam_identity_policies() into rgw_auth.cc for
use by transform_old_authinfo()
Casey Bodley [Sun, 25 Feb 2024 15:04:44 +0000 (10:04 -0500)]
rgw: make user email matching case-insensitive
handle user emails the same way we do account account emails. store
RGWUserInfo::user_email exactly as the user specified it, but convert
the object name to lower-case for case-insensitive matching
Casey Bodley [Thu, 22 Feb 2024 18:16:00 +0000 (13:16 -0500)]
rgw/iam: Policy takes optional tenant name
the iam policy parser takes a tenant string to reject Resource ARNs that
specify resources in other tenants, and prevent wildcards from applying
to other tenants
this is problematic for account users, because cross-account access requires
an identity policy that covers another account's resource. it's the
cross-policy evaluation rules that prevent that from granting access to
things it shouldn't. so for account users, pass a null tenant string to
allow all resource arns
for resource policies, this restriction is unnecessary in the first
place, because the resource policy can only match itself as the resource
Casey Bodley [Wed, 21 Feb 2024 23:51:44 +0000 (18:51 -0500)]
rgw/auth: replace uses of verify_bucket_owner_or_policy()
all of the s3 actions that we call verify_bucket_owner_or_policy() for
are already covered by rgw::IAM::op_to_perm(), which maps actions to
acl permissions like RGW_PERM_READ, RGW_PERM_WRITE_ACP etc
that means we can call verify_bucket_permission() as most other bucket
ops do, and rely on its call to verify_bucket_permission_no_policy() to
find the owner's acl grant
i also hadn't implemented the cross-account rules for
verify_bucket_owner_or_policy() yet, and didn't want to
Casey Bodley [Wed, 21 Feb 2024 20:55:09 +0000 (15:55 -0500)]
rgw/auth: RoleApplier matches account principals
account principals of the form ``arn:aws:iam::123456789012:root``
or ``123456789012`` delegate authority to the account, which means that
it applies to all of the account's users and roles
Casey Bodley [Sun, 18 Feb 2024 14:16:06 +0000 (09:16 -0500)]
rgw/iam: fix DeleteRolePolicyResponse
should only be written on success
was misspelled as DeleteRolePoliciesResponse which boto doesn't like:
botocore.parsers.ResponseParserError: Unable to parse response (junk after document element: line 1, column 159), invalid XML received. Further retries may su
cceed:
b'<DeleteRolePoliciesResponse><ResponseMetadata><RequestId>tx0000082c62511b240fd3d-0065d20f66-4129-a2</RequestId></ResponseMetadata></DeleteRolePoliciesResponse><?xml version="1.0" encoding="UTF-8"?><ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/"><Error><Code>NoSuchEntity</Code><Message>The requested PolicyName was not found</Message><RequestId>tx0000082c62511b240fd3d-0065d20f66-4129-a2</RequestId><HostId>4129-a2-a</HostId></Error></ErrorResponse>'
Casey Bodley [Mon, 19 Feb 2024 22:31:55 +0000 (17:31 -0500)]
rgw: forward_to_master() passes rgw_owner for effective uid header
when s3 requests get forwarded to the master zone in multisite, we sign
them as the multisite system user because we need to extend the s3
protocol. for example, CreateBucket requests issues by a system user
include an extra response body that encodes the RGWBucketInfo. this way,
the secondary zone can recreate exactly the same bucket that the master
zone did
these forwarded requests include a header like "rgwx-uid: myuserid" to
request that the system user impersonate the given uid. this isn't
necessary for authorization, because the system user overrides
permission checks already. but it's important for resource ownership -
the result of a forwarded CreateBucket request should be a bucket owned
by "myuserid", not the system user
because this "rgwx-uid" header is concerned with ownership, we pass the
string encoding of rgw_owner instead of rgw_user. on the receiving side,
we parse this header in SysReqApplier and override get_aclowner() to
expose it
Casey Bodley [Sat, 17 Feb 2024 22:53:21 +0000 (17:53 -0500)]
rgw/iam: only RGWDeleteRole returns ERR_DELETE_CONFLICT
metadata sync calls RadosRole::delete_obj() after the role is deleted on
the metadata master zone. the role was verified to be empty there, so
metadata sync needs to delete the role anyway
only the iam DeleteRole api should require policies to be removed first
Casey Bodley [Tue, 6 Feb 2024 14:32:27 +0000 (09:32 -0500)]
rgw/sal: remove virtual class RGWOIDCProvider
class RGWOIDCProvider was doing a lot of different things, so i've split
out its responsibilities:
* move data members and encoding into new struct RGWOIDCProviderInfo,
and add ceph-dencoder hooks for regression testing
* remove RGWOIDCProvider class and add load/store/delete/list functions
to the sal::Driver interface
* rgw_rest_oidc_provider.cc handles most of the parameter validation,
ARN parsing, and json formatting
Casey Bodley [Mon, 5 Feb 2024 22:49:42 +0000 (17:49 -0500)]
rgw/iam: refactor OIDC ops
rearrange the RGWRESTOp subclasses so that the base RGWRestOIDCProvider
can provide a simple verify_permission() that works the same for all
derived ops
Casey Bodley [Sat, 20 Jan 2024 20:16:00 +0000 (15:16 -0500)]
rgw/role: separate dump_iam_role() for iam api
create a new dump_iam_role() for iam api responses that dumps the subset
of role information presented by the apis
RGWRoleInfo::dump() and decode_json() are used by metadata sync to
transfer role metadata between zones, so must contain all information
about the role
Casey Bodley [Mon, 15 Jan 2024 01:36:28 +0000 (20:36 -0500)]
rgw/iam: role apis override init_processing/verify_permission
replace get_params() with init_processing() override which runs before
verify_permission(). use this to validate request parameters and load
the existing role if necessary. simplify verify_permission() by
forwarding to RGWRESTOp::verify_permission() which calls check_caps()
simplify inheritence hierarchy by taking cap perm and iam action as
constructor arguments
projects / ceph.git / log