rgw/iam: use retry_raced_role_write() for Role apis

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 03c30e3e25ca8ec288a01ed4a12e2b5c4226ef67)

rgw/iam: UserPolicy apis use forward_iam_request_to_master()

fix signature mismatch errors when PutUserPolicy/DeleteUserPolicy are
forwarded in multisite

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 02b90ad3ca7e93ad193483c69adf79539e720a56)

rgw/iam: use retry_raced_user_write() for User/AccessKey apis

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 91c0a628f0aadd99ae5edb10ba69d2c2bcf29cd1)

rgw/role: use CreateDate from forwarded CreateRole response

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 53c4339d7d877d6cbe863a59f0d0dab096e30707)

rgw: 'user stats' redirects to 'account stats'

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 333620c8f9ce1e3394e4a7c0d1274601d69dd943)

rgw: bucket list --uid redirects to account buckets

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 5569f381c7917f7ef139e76559696a5b23c6bf32)

doc/radosgw: add awscli examples

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 9b3d18917dcb0375371a603b71aa95e525650137)

doc/radosgw: document iam managed policies

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit be4ba49ee6e8667db2c6ef499ae3f6c23f058ff6)

doc/radosgw: start on iam/account docs

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 019f1a83cbcf08b2ba3894ef6d64a14146ba6293)

rgw/iam: load and evaluate group policies

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit f660d8b48a2b773e11c2e72a122d1255a889749d)

rgw: rename iam_user_policies to iam_identity_policies

identity policies can come from iam groups and roles too

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 27fb7178509e1fb8dde132044a0446149ccb6e17)

rgw/iam: add Group/GroupPolicy APIs

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 386276ed00e3619e119bdd18d6fe20b656d2f05d)

rgw/iam: ListUserPolicies supports Marker/MaxItems

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 6284745661f25c6db0ba5077237c035002153948)

rgw/sal: add backend interfaces for group metadata

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 3683a4097fc42f514c5310fc2078d7ef8e0561eb)

rgw: add struct RGWGroupInfo

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit b0a1fd07ba27ef93e50571ba5dae9abad6c6db72)

rgw/iam: OpenIDConnectProvider apis support account users

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 0a28af9f433b39c99d7343c3cc73ee4862036c70)

rgw/sal: remove virtual class RGWOIDCProvider

class RGWOIDCProvider was doing a lot of different things, so i've split
out its responsibilities:

* move data members and encoding into new struct RGWOIDCProviderInfo,
  and add ceph-dencoder hooks for regression testing
* remove RGWOIDCProvider class and add load/store/delete/list functions
  to the sal::Driver interface
* rgw_rest_oidc_provider.cc handles most of the parameter validation,
  ARN parsing, and json formatting

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 8c328aa1c7d0f4b934daa08f5361a2fe83d091a6)

rgw/iam: refactor OIDC ops

rearrange the RGWRESTOp subclasses so that the base RGWRestOIDCProvider
can provide a simple verify_permission() that works the same for all
derived ops

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit fcbc684e44abc0b336682a8f1d3b2ed072a9a359)

vstart/rgw: add account users for s3-tests

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit d704540d630f6a8b1e1287e9593139661d95164d)

radosgw-admin: add commands for managed policy

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 93522666a0d0ea6f6840107254344fcdf3d89dfc)

rgw/iam: AttachRolePolicy adds managed role policy

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 390cdaa45ee923dde2de3e5b8077537c741fe5d9)

rgw/iam: AttachUserPolicy adds managed user policy

implement iam apis AttachUserPolicy, DetachUserPolicy, and
ListAttachedUserPolicies to manipulate managed user policy

the set of managed policy ARNs is stored in the user attr
RGW_ATTR_MANAGED_POLICY

for incoming requests, the policies from RGW_ATTR_MANAGED_POLICY are
added to s->iam_user_policies at the same time as RGW_ATTR_USER_POLICY

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit bf64bc624dff5200964cd9763a4d6466edfe07e7)

rgw/iam: add get_managed_policy() factory function

add definitions for the following managed policy ARNs:

* arn:aws:iam::aws:policy/IAMFullAccess
* arn:aws:iam::aws:policy/IAMReadOnlyAccess
* arn:aws:iam::aws:policy/AmazonSNSFullAccess
* arn:aws:iam::aws:policy/AmazonSNSReadOnlyAccess
* arn:aws:iam::aws:policy/AmazonS3FullAccess
* arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

factory function get_managed_policy() returns a parsed Policy for the
requested ARN if available

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit ccb6c38d8ea28d337430efc6e660b24896e75f17)

rgw/iam: add lots of actions needed for managed policies

in order to parse managed policies, we have to recognize all of the
actions and wildcards they use

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 0fb3ac33937b5873a6cd4c0baadebc1a07f9a218)

rgw/iam: Policy() takes string instead of bufferlist

the constructor immediately called bufferlist::to_str() to convert it
into a string; just take string so callers don't have to convert it

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit db09c0956a531ad8c026e9b5f924ab32bfb95514)

rgw: evaluate_iam_policies() handles account root user

> By default, all requests are implicitly denied with the exception of
> the AWS account root user, which has full access.

the account root user turns an implicit deny from identity policy into
an allow, though other policies can still deny explicitly

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 180f0b7b66a37e4aa5221e68882d009bed686b58)

rgw/auth: account users match account arns

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 8ce9c0769f0de31ac4a827684aef4f6f441a369f)

rgw: add cross-account policy evaluation

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 9b3507c95be6128f348ca0b482646dbd7e709b3c)

rgw: add generic evaluate_iam_policies()

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 2a5abafaeee9c3ebe8776db1e6b91031a5b8e088)

rgw: verify_permission logs acl grants

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit be35990b85c6b486434d022c77d87fe49db05f12)

rgw: adapt verify_user_permission() for account users

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit cb81a429fdeca31c3ae28d85d331f2a3052baaa1)

vstart/rgw: add default config for sts

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 50411a9bcc90b4dae94ea5f1180c48659e0042ab)

rgw/role: support Description for Create/Get/UpdateRole

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 44804b1d27c8cd3c0ec57cdd7be0a0deb3f89280)

rgw/iam: add s3:Get/PutBucketOwnershipControls

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit f473d28ef0979d535ff1c1d71a880849821cc42b)

rgw/sal: remove load_account_role_by_name()

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit e03e7b2cdc242cd386446b80d5c1d9271868fff5)

rgw/role: role APIs support account users

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 0571ca82d4c243922389a850d08ed052a6cb66fd)

rgw/role: separate dump_iam_role() for iam api

create a new dump_iam_role() for iam api responses that dumps the subset
of role information presented by the apis

RGWRoleInfo::dump() and decode_json() are used by metadata sync to
transfer role metadata between zones, so must contain all information
about the role

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit bf204e982ea5b9e1ad0b6f7a1433404245b2137e)

rgw/iam: add pagination to ListRoles

rename sal::Driver::get_roles() to list_roles() and add pagination
support for the RGWListRoles op and 'radosgw-admin role list'

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 70d63dac461ee3d31d8420ed0628b8a94851f85f)

rgw/iam: enable Role apis against account users

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 8703b7aaf556846b144a23bf74c1621309ff7192)

rgw/iam: role apis override init_processing/verify_permission

replace get_params() with init_processing() override which runs before
verify_permission(). use this to validate request parameters and load
the existing role if necessary. simplify verify_permission() by
forwarding to RGWRESTOp::verify_permission() which calls check_caps()

simplify inheritence hierarchy by taking cap perm and iam action as
constructor arguments

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 46053028cabc8e089401363b15d81890dc9fb8e8)

rgw/iam: split RGWRestRole member variables

move member variables into the subclasses they're needed for

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 5b8fcf776cfc6dff0845bc4571304fe3b4dd3e7b)

rgw/iam: RGWUntagRole uses lower/upper bounds for iteration

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit fd96b15e478855e5950248fbdc9a7736488a6bf5)

rgw/iam: RGWRestRole::parse_tags() as free function

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit b61169e031604e861c852dc8d2bb24d7d7efef1b)

rgw/iam: AccessKey apis call forward_iam_request_to_master()

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 896681fcd020636bd70c8fc718575a6a2805f738)

rgw/iam: User apis call forward_iam_request_to_master()

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit c2364c17ec5c2afc033cd39de9b9b3bd68083d18)

rgw: move forward_iam_request_to_master() to rgw_rest_iam.*

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit df8758f723905f3fa7434f547ba44bc495bcf214)

rgw/rest: enable iam UserPolicy apis against account users

when the authenticated user belongs to an account:
* operate only on that account's users
* match UserName to user's display_name instead of user_id

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 3841906eeb2e64a07c74b746ffe79649627b8d55)

rgw/rest: simplify RGWRestUserPolicy hierarchy

base class constructor takes `uint64_t action` instead of overriding
the virtual `get_op()` on each subclass

constructor takes `uint32_t perm` instead of deriving separate base
classes RGWUserPolicyRead/Write for check_caps() permission

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 6d61c397a84efde7e99ed7c00d2216990f0d9884)

rgw/rest: iam user policy api cleanup

make get_params() virtual and protected. base class always validates
UserName

add common init_processing() function that calls get_params() and loads
the user by UserName. this step happens before verify_permission()

set s->err.message in several error paths

add the xmlns="https://iam.amazonaws.com/doc/2010-05-08/" part to the
responses

return ERR_LIMIT_EXCEEDED instead of ERR_INVALID_REQUEST when
RGWPutUserPolicy exceeds the policy limit

where RGW_ATTR_USER_POLICY is missing, treat it the same way we treat an
empty map of policies. this avoids separate error paths

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 93428aa6e49da8cdd602d761eaff693449bf57f2)

rgw/auth: Identity matches account user principals

when a user belongs to an account, they match Principal ARNs by account
id instead of tenant name, and by user name instead user id

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 8e24a611db7a951c2523503e922c9fda4fb68f2e)

rgw/auth: Identity matches paths in user principals

when RGWUserInfo::path is present, use it when matching user principals

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit ea33bfb784c72cbc4d198c9f5139e54504466f54)

rgw/auth: Identity::is_identity() takes one Principal

take a single Principal instead flat_set<Principal>, and iterate over
calls to is_identity() instead

why?
* it simplifies the logic of each is_identity() function because they
  can use early returns to avoid visiting all of the cases
* Statement::eval_principal() no longer has to allocate a flat_set
  with a single element when the Identity is a role
* rgw::auth::Identity no longer depends on rgw::iam's choice of
  container type

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 05c15502e8cd7f8a7d279d562e2c7abadcaaeafa)

rgw/iam: rename rgw::auth::Principal::Tenant to Account

just changes the name to match its use in AWS, without changing any
behavior in rgw policy parsing/evaluation

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 2cc488e9847afafa1e6b7dc283eca3cc6d74d156)

rgw/sal: add interfaces for account roles

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit e47d08efa84bbb9cd99cfdd53b814786d9025bdd)

rgw/rados: add rgwrados::roles namespace abstraction for cls_user

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 02702b26bdf6859949bb16c3b9da97ff4250b09c)

rgw: init_quota() loads owner quota unconditionally

now that owners can be accounts, don't default to s->user when s->owner
matches s->bucket_owner

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit d4c0d615eb13356512bc31fc89e2819cf03c6cdc)

radosgw-admin: quota commands can set account quota

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit d473305b2fd8760b55c6c7e8149b3cebf49b6e7c)

rgw/iam: add IAM AccessKey apis

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 927d533308359f506eba1ee56a560692d9049d62)

rgw/user: add 'create_date' to RGWAccessKey

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit c51b910e47ce784f086714ea8179b10620d78801)

rgw/user: expose functions to generate access/secret keys

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 21d0ccb69663518d56d7d1dd9b8f983dd2225871)

rgw/iam: add initial IAM User apis

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit a9c49a5ce7a2eb74e50cde11f6a8aab32764aa89)

rgw/rest: wrap iam/sns/sts Error responses with ErrorResponse

all iam/sns/sts requests wrap the s3 <Error> xml response in another
<ErrorResponse xmlns="https://iam.amazonaws.com/doc/2010-05-08/">

without this, boto3 fails to fully parse error responses, leading to
generic Unknown ClientError exceptions of the form:
    botocore.exceptions.ClientError: An error occurred (Unknown) when calling the PutUserPolicy operation: Unknown

with the ErrorResponse part, boto3 throws more specific exceptions that
include the error Code and Message:
    botocore.errorfactory.NoSuchEntityException: An error occurred (NoSuchEntity) when calling the PutUserPolicy operation: No such UserName in the account

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 195ecb3732e0d7f78dc74cc9b7f2ac3d7ed919a0)

rgw/rados: user metadata links to account index

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 7fb80b0048279853595f160e7f2b0fb4c18b63a3)

rgw/sal: add interfaces for account users

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 8971465a35616cc9b848b7943abd167a59abdda1)

rgw/rados: add rgwrados::users namespace abstraction for cls_user

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 22c19222c484a0b8dfc157418790ab72c3d58b12)

rgw/auth: use switch for is_non_s3_op()

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 31f4c6231a6d6328570d913572b6aa6496dfef9a)

rgw/op: separate IAM ops in enum RGWOpType

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit fdf9f8b8d4e49e960a9fc2b528a3e2a9acedc652)

rgw/iam: use enum for action values

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit d48c9713abbbd074b158bb3418cd2ff4a759eeaf)

rgw/iam: add iam user metadata (path, create_date, tags)

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit de9feeb32ca71c67b29e753c3164cd778c08c280)

test/cls: add ceph_test_cls_user

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit a49757e5c3e7580399802345babd2dde4e3e661b)

cls/user: add interfaces to index user account resources

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit b56fc946eac20d982cd0743305a630948d5b12d6)

cmake: move WITH_RADOSGW checks up to test/CMakeLists.txt

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 9f0f44e17f3d810197a0dc6c628968bedb21466c)

rgw/multisite: RGWBucketMetadataHandler updates linkage on owner change

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit d304285d21590908f385bda2b3177ca2b7024ef8)

rgw: update bucket ownership when adding user to account

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit ac8226ad64f4c03bc9ce7d37f1d2aa7d9afa9e24)

rgw/rados: Bucket::chown() updates owner on bucket instance

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit c44c493aed60d22950e17e71024e74c5fcc4e2e1)

rgw: add RGWIdentityType::TYPE_ROOT for account root user

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 828aa90a2b0070d043c67464a03529105d835db2)

qa/rgw: create accounts for random s3test users

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit ff81a31ad678472e6847ad39f57e14efd89b0ead)

rgw/acl: create_policy_from_headers() can yield

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit e8f078188d22c3ceb55fb6893f314bb651ba4829)

rgw/acl: s3 CanonicalUser grants support account ids

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit d083e946d376a946854a4a49278f5e1d64393f8e)

rgw/sal: add load_aclowner_by_email()

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 01e51d8240db17b45c5325df601f14cb647cc0e1)

rgw/sal: move list_buckets() to Driver

move User::list_buckets() to Driver and take rgw_owner to serve bucket
listings for account owners

also unifies the user/account stats interfaces around rgw_owner in
Driver

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit d76ef3294735a42253a3718dd519f55283bdd3b4)

rgw: use rgw_owner in RGWBucketInfo

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 65c80d7e63f12a76857726bab929261717adb75b)

rgw/acl: use rgw_owner for ACLOwner

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit e88859e81a36b2b0a21d6e469adcb3c97b51f6c4)

rgw/pubsub: use rgw_owner for topic ownership

allow topics to be owned by accounts instead of users. radosgw-admin
topic list can now filter by --account-id

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 13d1c803f6a90ad1747f21faa7a6e89d7e8af8c1)

rgw: use rgw_owner in RGWBucketEntryPoint

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 469b7e83d723021555886dc7c46d178190f59829)

rgw/rados: add rgwrados::buckets namespace abstraction for cls_user

move cls_user stuff out of RGWSI_User_RADOS into namespace
rgwrados::buckets that doesn't depend on rgw_user, so it can also be
used for account bucket owners

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 92f04d8637f78d916a3bcf955fe7cff56f053283)

rgw/rados: add account metadata handler

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit eb86cd410df93fa9edb959e9d2db9a56410dd0f3)

rgw/rados: implement account metadata operations

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 8c3fc16b3d9ef866c6b9cee558b30d78b357c8cc)

rgw/rados: generalize RGWUID for accounts

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit c72a51e08c5fb570a270efc3e1a7aff1e0383d16)

rgw/rados: add .rgw.meta:accounts pool

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit e3418a9c4f2e2e00c3c066d8f8bb2db1d149745a)

rgw/quota: generalize quota to rgw_owners

use rgw_owner instead of rgw_user as a key in the quota cache stats.
only fetch_stats_from_storage() and init_refresh() need to differentiate
between user and account ids

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit f1835cd78770ccd0d4ff84f68ecf2a9750182a65)

rgw/auth: Identity::is_owner/admin_of(rgw_owner)

is_owner_of() and is_admin_of() take rgw_owner instead of rgw_user so
that identities associated with an account share ownership of that
account's resources

LocalApplier is the only Identity type that supports accounts, based on
comparison with RGWUserInfo::account_id

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit a1c675da7cf571457898d799206e911e23cdc711)

rgw/auth: account users also match ACL grants to their account id

ACL grants can now specify an account id for the CanonicalUser to
grant access to the entire account. this is implemented only for
LocalApplier

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 1698784e2eb72e99e3eaa477ae8e53b35a6ab377)

rgw: add rgw_owner variant with json encoding

existing buckets and objects use `struct rgw_user` for the owner. with
the addition of accounts, we need to be able to represent ownership by
the account rather than its users

add a `rgw_owner` variant that preserves the existing json encoding of
`rgw_user` while adding a new representation for account ids

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 87a74f8603bdeccdea3fdfa7b4e0fd344fba8aae)

rgw: enable 'user modify --account-id'

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit e69ce01774be57259bef76fb3267c607513f28e7)

rgw: add /admin/account rest apis

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit cce372dc2ebd2b0d7bdb06b930fcc35ad27147d1)

radosgw-admin: add account admin commands

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 07d5ed956275e408fc429cbef821ad01b085a2c3)

rgw: add account admin ops

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 6c834d6d38128dc03bb088f133f4bef6c0a711b9)

rgw/sal: add account interfaces to Driver

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 91a58853a6265f19175586c4543a41109dc3a791)

rgw: add account_id to RGWUserInfo

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 3f1cd1b44a8ef60c6f8fd460df5559145a059930)