From 06eec49aa72c7461c1f0bf2cf6fd10d0780aae56 Mon Sep 17 00:00:00 2001
From: Radoslaw Zarzynski
Date: Sun, 17 Apr 2016 14:34:51 +0200
Subject: [PATCH] rgw: make use of RGWIdentityApplier as req_state::auth_identity.

Signed-off-by: Radoslaw Zarzynski
---
 src/rgw/librgw.cc | 13 ++++++++
 src/rgw/rgw_auth.cc | 68 ++++++++++++++++++++++++++++++++++++++++++
 src/rgw/rgw_auth.h | 3 ++
 src/rgw/rgw_common.h | 8 +++++
 src/rgw/rgw_process.cc | 6 ++++
 src/rgw/rgw_rest_s3.cc | 4 +++
 6 files changed, 102 insertions(+)
 create mode 100644 src/rgw/rgw_auth.cc

diff --git a/src/rgw/librgw.cc b/src/rgw/librgw.cc
index 37414fc831dba..572380b5c0f5d 100644
--- a/src/rgw/librgw.cc
+++ b/src/rgw/librgw.cc
@@ -41,6 +41,7 @@
 #include "rgw_rest_user.h"
 #include "rgw_rest_s3.h"
 #include "rgw_os_lib.h"
+#include "rgw_auth.h"
 #include "rgw_auth_s3.h"
 #include "rgw_lib.h"
 #include "rgw_lib_frontend.h"
@@ -227,6 +228,12 @@ namespace rgw {
 goto done;
 }
+ /* FIXME: remove this after switching all handlers to the new authentication
+ * infrastructure. */
+ if (nullptr == s->auth_identity) {
+ s->auth_identity = rgw_auth_transform_old_authinfo(s);
+ }
+
 req->log(s, "reading op permissions");
 ret = req->read_permissions(op);
 if (ret < 0) {
@@ -331,6 +338,12 @@ namespace rgw {
 goto done;
 }
+ /* FIXME: remove this after switching all handlers to the new authentication
+ * infrastructure. */
+ if (nullptr == s->auth_identity) {
+ s->auth_identity = rgw_auth_transform_old_authinfo(s);
+ }
+
 req->log(s, "reading op permissions");
 ret = req->read_permissions(op);
 if (ret < 0) {
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
new file mode 100644
index 0000000000000..858d3267bd6f8
--- /dev/null
+++ b/src/rgw/rgw_auth.cc
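Review bot: The legacy fallback `if (nullptr == s->auth_identity) { s->auth_identity = rgw_auth_transform_old_authinfo(s); }` is pasted verbatim in this hunk, in the @@ -331 hunk of the same file and in the rgw_process.cc hunk, so the removal the FIXME promises has to happen in three places. A single helper declared next to rgw_auth_transform_old_authinfo, e.g. `inline void rgw_auth_ensure_identity(req_state* s) { if (!s->auth_identity) s->auth_identity = rgw_auth_transform_old_authinfo(s); }`, would leave one FIXME and one call per path. The null check also means a handler that already populated auth_identity keeps it, whereas the rgw_rest_s3.cc hunk assigns unconditionally; one sentence in the FIXME explaining that difference would save the next reader a search. The enclosing function starts and ends outside the hunk.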
@@ -0,0 +1,68 @@
+// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
+// vim: ts=8 sw=2 smarttab
+
+#include "rgw_common.h"
+#include "rgw_auth.h"
+
+#define dout_subsys ceph_subsys_rgw
+
+
+std::unique_ptr
+rgw_auth_transform_old_authinfo(req_state * const s)
+{
+ /* This class is not intended for public use. Should be removed altogether
+ * with this function after moving all our APIs to the new authentication
+ * infrastructure. */
+ class RGWDummyIdentityApplier : public RGWIdentityApplier {
+ CephContext * const cct;
+
+ /* For this particular case it's OK to use rgw_user structure to convey
+ * the identity info as this was the policy for doing that before the
+ * new auth. */
+ const rgw_user id;
+ const int perm_mask;
+ const bool is_admin;
+ public:
+ RGWDummyIdentityApplier(CephContext * const cct,
+ const rgw_user& auth_id,
+ const int perm_mask,
+ const bool is_admin)
+ : cct(cct),
+ id(auth_id),
+ perm_mask(perm_mask),
+ is_admin(is_admin) {
+ }
+
+ int get_perms_from_aclspec(const aclspec_t& aclspec) const {
+ ldout(cct, 5) << "Searching permissions for uid=" << id
+ << " mask=" << perm_mask << dendl;
+
+ const auto iter = aclspec.find(id.to_str());
+ if (std::end(aclspec) != iter) {
+ ldout(cct, 5) << "Found permission: " << iter->second << dendl;
+ return iter->second & perm_mask;
+ }
+
+ ldout(cct, 5) << "Permissions for user not found" << dendl;
+ return 0;
+ }
+
+ bool is_admin_of(const rgw_user& acct_id) const {
+ return is_admin;
+ }
+
+ bool is_owner_of(const rgw_user& acct_id) const {
+ return id == acct_id;
+ }
+
+ int get_perm_mask() const {
+ return perm_mask;
+ }
+ };
+
+ return std::unique_ptr(
+ new RGWDummyIdentityApplier(s->cct,
+ s->user->user_id,
+ s->perm_mask,
+ s->system_request));
+}
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index 6ae942dd69794..bf7310074d393 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
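Review bot: `is_admin_of` returns `is_admin` without consulting `acct_id`, so an identity built with `s->system_request` set is treated as administrator of every account; if that is the legacy semantics being preserved, the method should say so and the unused parameter should be unnamed, e.g. `bool is_admin_of(const rgw_user& /* acct_id */) const override { /* legacy: a system request is admin of every account */ return is_admin; }`. The same `override` belongs on `get_perms_from_aclspec`, `is_owner_of` and `get_perm_mask`, assuming RGWIdentityApplier declares them virtual (returning the object through a unique_ptr to the base also requires a virtual destructor in the base — worth confirming in rgw_auth.h). `s->user->user_id` is dereferenced without a null check; if every caller guarantees `s->user` is set by this point, a one-line precondition comment on the function would record that. `std::unique_ptr` appears here without its template argument, which looks like a rendering artifact of this page rather than the committed text.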
@@ -48,4 +48,7 @@ inline ostream& operator<<(ostream& out, const RGWIdentityApplier &id) {
 return out;
 }
+std::unique_ptr
+rgw_auth_transform_old_authinfo(req_state * const s);
+
 #endif /* CEPH_RGW_AUTH_H */
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index d95eea4fad98a..ab597ab18a17b 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -1205,6 +1205,8 @@ struct req_init_state {
 /* XXX why don't RGWRequest (or descendants) hold this state? */
 class RGWRequest;
+#include "rgw_auth.h"
+
 /** Store all the state necessary to complete and respond to an HTTP request*/
 struct req_state {
 CephContext *cct;
@@ -1259,6 +1261,12 @@ struct req_state {
 RGWUserInfo *user;
+ /* Object having the knowledge about an authenticated identity and allowing
+ * to apply it during the authorization phase (verify_permission() methods
+ * of a given RGWOp). Thus, it bounds authentication and authorization steps
+ * through a well-defined interface. For more details, see rgw_auth.h. */
+ std::unique_ptr auth_identity;
+
 RGWAccessControlPolicy *bucket_acl;
 RGWAccessControlPolicy *object_acl;
diff --git a/src/rgw/rgw_process.cc b/src/rgw/rgw_process.cc
index 6a92c49ce673c..c5fa0fe4e87d0 100644
--- a/src/rgw/rgw_process.cc
+++ b/src/rgw/rgw_process.cc
@@ -94,6 +94,12 @@ int process_request(RGWRados* store, RGWREST* rest, RGWRequest* req,
 goto done;
 }
+ /* FIXME: remove this after switching all handlers to the new authentication
+ * infrastructure. */
+ if (nullptr == s->auth_identity) {
+ s->auth_identity = rgw_auth_transform_old_authinfo(s);
+ }
+
 req->log(s, "normalizing buckets and tenants");
 ret = handler->postauth_init();
 if (ret < 0) {
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 64d56a5f62775..56b915ebe35b3 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
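Review bot: The declaration of `rgw_auth_transform_old_authinfo` carries no comment, so the only statement that it is transitional and what it reads from req_state lives inside the .cc body. A short header comment would help callers decide whether they should use it, e.g. `/* Transitional: wraps the legacy req_state auth fields (user_id, perm_mask, system_request) in an RGWIdentityApplier. Remove once every handler sets req_state::auth_identity itself. */`. The declaration also depends on `req_state` being declared before this header is included; since rgw_common.h now includes it mid-file, a forward declaration `struct req_state;` near the top of rgw_auth.h (if one is not already there) would keep the header usable on its own.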
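Review bot: `#include "rgw_auth.h"` lands in the middle of rgw_common.h, between the `class RGWRequest;` forward declaration and `struct req_state`, rather than with the file's other includes, and nothing in the hunk says why. The position is presumably needed because `req_state` below holds a unique_ptr to RGWIdentityApplier and its implicit destructor needs the complete type; a comment such as `/* Included here rather than at the top: req_state below owns a unique_ptr<RGWIdentityApplier>. */` would stop the next reader from "fixing" it. If rgw_auth.h in turn includes rgw_common.h (rgw_auth.cc includes both, rgw_common.h first), confirm the include guards make that cycle benign whichever header a translation unit includes first.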
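Review bot: The comment on `auth_identity` explains its role but not its lifecycle, which the callers rely on: librgw.cc and rgw_process.cc test `nullptr == s->auth_identity` and fill it from the legacy fields, so the member is null until either the handler's authentication step or that fallback runs. Appending ` * Null until authentication sets it; the request paths fall back to rgw_auth_transform_old_authinfo() before read_permissions(), so verify_permission() may rely on it being set.` would make that contract explicit. "it bounds authentication and authorization steps" also reads as a typo for "binds".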
@@ -1704,6 +1704,10 @@ int RGWPostObj_ObjStore_S3::get_policy()
 *(s->user) = user_info;
 s->owner.set_id(user_info.user_id);
 s->owner.set_name(user_info.display_name);
+
+ /* FIXME: remove this after switching S3 to the new authentication
+ * infrastructure. */
+ s->auth_identity = rgw_auth_transform_old_authinfo(s);
 } else {
 ldout(s->cct, 0) << "No attached policy found!" << dendl;
 }
-- 
2.39.5
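Review bot: The assignment `s->auth_identity = rgw_auth_transform_old_authinfo(s);` is unconditional here while the other call sites guard on `nullptr == s->auth_identity`; that appears intentional, since the lines just above replaced `*(s->user)` with the user resolved from the POST policy and any earlier identity would describe the wrong principal, but the FIXME should state it, e.g. ` * Rebuilt unconditionally: *(s->user) was just replaced above. */`. The hunk covers only the branch where a policy was found; in the `else` branch auth_identity is left as it was and the caller's null-check fallback decides, which deserves a sentence if that is the intended behaviour. get_policy() starts and ends outside the hunk.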