From 26a6dd3975fafa8830a5571aeb56efe32bb109d3 Mon Sep 17 00:00:00 2001 From: Ali Maredia Date: Mon, 8 Oct 2018 19:01:40 -0400 Subject: [PATCH] rgw: add DoutPrefixProvider to the Auth Identifier classes This caused DPP to be threaded through the verify_{objecy/bucket/user}_permissions functions in rgw_common.cc and change all of the calls to them in rgw_op.cc and in other places. The logging in STS engine authorize was changed too. Signed-off-by: Ali Maredia --- src/rgw/rgw_acl.cc | 23 ++++--- src/rgw/rgw_acl.h | 9 ++- src/rgw/rgw_auth.cc | 31 ++++----- src/rgw/rgw_auth.h | 21 +++--- src/rgw/rgw_auth_filters.h | 38 +++++------ src/rgw/rgw_auth_s3.cc | 6 +- src/rgw/rgw_auth_s3.h | 4 +- src/rgw/rgw_common.cc | 85 ++++++++++++++----------- src/rgw/rgw_common.h | 25 +++++--- src/rgw/rgw_op.cc | 99 +++++++++++++++-------------- src/rgw/rgw_op.h | 6 +- src/rgw/rgw_rest_role.cc | 12 ++-- src/rgw/rgw_rest_s3.cc | 17 ++--- src/rgw/rgw_rest_s3.h | 3 +- src/rgw/rgw_rest_sts.h | 4 +- src/rgw/rgw_rest_user_policy.cc | 4 +- src/rgw/rgw_swift_auth.cc | 4 +- src/rgw/rgw_swift_auth.h | 2 +- src/test/rgw/test_rgw_iam_policy.cc | 2 +- 19 files changed, 217 insertions(+), 178 deletions(-) diff --git a/src/rgw/rgw_acl.cc b/src/rgw/rgw_acl.cc index 01a4b786a47..8c02f8e350e 100644 --- a/src/rgw/rgw_acl.cc +++ b/src/rgw/rgw_acl.cc @@ -52,13 +52,14 @@ void RGWAccessControlList::add_grant(ACLGrant *grant) _add_grant(grant); } -uint32_t RGWAccessControlList::get_perm(const rgw::auth::Identity& auth_identity, +uint32_t RGWAccessControlList::get_perm(const DoutPrefixProvider* dpp, + const rgw::auth::Identity& auth_identity, const uint32_t perm_mask) { - ldout(cct, 5) << "Searching permissions for identity=" << auth_identity + ldpp_dout(dpp, 5) << "Searching permissions for identity=" << auth_identity << " mask=" << perm_mask << dendl; - return perm_mask & auth_identity.get_perms_from_aclspec(acl_user_map); + return perm_mask & auth_identity.get_perms_from_aclspec(dpp, acl_user_map); } uint32_t RGWAccessControlList::get_group_perm(ACLGroupTypeEnum group, @@ -98,14 +99,15 @@ uint32_t RGWAccessControlList::get_referer_perm(const uint32_t current_perm, return referer_perm & perm_mask; } -uint32_t RGWAccessControlPolicy::get_perm(const rgw::auth::Identity& auth_identity, +uint32_t RGWAccessControlPolicy::get_perm(const DoutPrefixProvider* dpp, + const rgw::auth::Identity& auth_identity, const uint32_t perm_mask, const char * const http_referer) { - ldout(cct, 20) << "-- Getting permissions begin with perm_mask=" << perm_mask + ldpp_dout(dpp, 20) << "-- Getting permissions begin with perm_mask=" << perm_mask << dendl; - uint32_t perm = acl.get_perm(auth_identity, perm_mask); + uint32_t perm = acl.get_perm(dpp, auth_identity, perm_mask); if (auth_identity.is_owner_of(owner.get_id())) { perm |= perm_mask & (RGW_PERM_READ_ACP | RGW_PERM_WRITE_ACP); @@ -130,21 +132,22 @@ uint32_t RGWAccessControlPolicy::get_perm(const rgw::auth::Identity& auth_identi perm = acl.get_referer_perm(perm, http_referer, perm_mask); } - ldout(cct, 5) << "-- Getting permissions done for identity=" << auth_identity + ldpp_dout(dpp, 5) << "-- Getting permissions done for identity=" << auth_identity << ", owner=" << owner.get_id() << ", perm=" << perm << dendl; return perm; } -bool RGWAccessControlPolicy::verify_permission(const rgw::auth::Identity& auth_identity, +bool RGWAccessControlPolicy::verify_permission(const DoutPrefixProvider* dpp, + const rgw::auth::Identity& auth_identity, const uint32_t user_perm_mask, const uint32_t perm, const char * const http_referer) { uint32_t test_perm = perm | RGW_PERM_READ_OBJS | RGW_PERM_WRITE_OBJS; - uint32_t policy_perm = get_perm(auth_identity, test_perm, http_referer); + uint32_t policy_perm = get_perm(dpp, auth_identity, test_perm, http_referer); /* the swift WRITE_OBJS perm is equivalent to the WRITE obj, just convert those bits. Note that these bits will only be set on @@ -159,7 +162,7 @@ bool RGWAccessControlPolicy::verify_permission(const rgw::auth::Identity& auth_i uint32_t acl_perm = policy_perm & perm & user_perm_mask; - ldout(cct, 10) << " identity=" << auth_identity + ldpp_dout(dpp, 10) << " identity=" << auth_identity << " requested perm (type)=" << perm << ", policy perm=" << policy_perm << ", user_perm_mask=" << user_perm_mask diff --git a/src/rgw/rgw_acl.h b/src/rgw/rgw_acl.h index 32736663965..0e84d75eef8 100644 --- a/src/rgw/rgw_acl.h +++ b/src/rgw/rgw_acl.h @@ -303,7 +303,8 @@ public: virtual ~RGWAccessControlList() {} - uint32_t get_perm(const rgw::auth::Identity& auth_identity, + uint32_t get_perm(const DoutPrefixProvider* dpp, + const rgw::auth::Identity& auth_identity, uint32_t perm_mask); uint32_t get_group_perm(ACLGroupTypeEnum group, uint32_t perm_mask); uint32_t get_referer_perm(uint32_t current_perm, @@ -413,11 +414,13 @@ public: acl.set_ctx(ctx); } - uint32_t get_perm(const rgw::auth::Identity& auth_identity, + uint32_t get_perm(const DoutPrefixProvider* dpp, + const rgw::auth::Identity& auth_identity, uint32_t perm_mask, const char * http_referer); uint32_t get_group_perm(ACLGroupTypeEnum group, uint32_t perm_mask); - bool verify_permission(const rgw::auth::Identity& auth_identity, + bool verify_permission(const DoutPrefixProvider* dpp, + const rgw::auth::Identity& auth_identity, uint32_t user_perm_mask, uint32_t perm, const char * http_referer = nullptr); diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc index 4c855b53158..e8799c44945 100644 --- a/src/rgw/rgw_auth.cc +++ b/src/rgw/rgw_auth.cc @@ -48,7 +48,7 @@ transform_old_authinfo(const req_state* const s) type(type) { } - uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override { + uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override { return rgw_perms_from_aclspec_default_strategy(id, aclspec); } @@ -285,15 +285,15 @@ rgw::auth::Strategy::apply(const DoutPrefixProvider *dpp, const rgw::auth::Strat /* Account used by a given RGWOp is decoupled from identity employed * in the authorization phase (RGWOp::verify_permissions). */ - applier->load_acct_info(*s->user); + applier->load_acct_info(dpp, *s->user); s->perm_mask = applier->get_perm_mask(); /* This is the single place where we pass req_state as a pointer * to non-const and thus its modification is allowed. In the time * of writing only RGWTempURLEngine needed that feature. */ - applier->modify_request_state(s); + applier->modify_request_state(dpp, s); if (completer) { - completer->modify_request_state(s); + completer->modify_request_state(dpp, s); } s->auth.identity = std::move(applier); @@ -322,7 +322,7 @@ rgw::auth::Strategy::add_engine(const Control ctrl_flag, /* rgw::auth::RemoteAuthApplier */ -uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const aclspec_t& aclspec) const +uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const { uint32_t perm = 0; @@ -345,7 +345,7 @@ uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const aclspec_t& aclsp perm |= extra_acl_strategy(aclspec); } - ldout(cct, 20) << "from ACL got perm=" << perm << dendl; + ldpp_dout(dpp, 20) << "from ACL got perm=" << perm << dendl; return perm; } @@ -398,7 +398,8 @@ void rgw::auth::RemoteApplier::to_str(std::ostream& out) const << ", is_admin=" << info.is_admin << ")"; } -void rgw::auth::RemoteApplier::create_account(const rgw_user& acct_user, +void rgw::auth::RemoteApplier::create_account(const DoutPrefixProvider* dpp, + const rgw_user& acct_user, RGWUserInfo& user_info) const /* out */ { rgw_user new_acct_user = acct_user; @@ -424,14 +425,14 @@ void rgw::auth::RemoteApplier::create_account(const rgw_user& acct_user, int ret = rgw_store_user_info(store, user_info, nullptr, nullptr, real_time(), true); if (ret < 0) { - ldout(cct, 0) << "ERROR: failed to store new user info: user=" + ldpp_dout(dpp, 0) << "ERROR: failed to store new user info: user=" << user_info.user_id << " ret=" << ret << dendl; throw ret; } } /* TODO(rzarzynski): we need to handle display_name changes. */ -void rgw::auth::RemoteApplier::load_acct_info(RGWUserInfo& user_info) const /* out */ +void rgw::auth::RemoteApplier::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const /* out */ { /* It's supposed that RGWRemoteAuthApplier tries to load account info * that belongs to the authenticated identity. Another policy may be @@ -459,8 +460,8 @@ void rgw::auth::RemoteApplier::load_acct_info(RGWUserInfo& user_info) const } if (rgw_get_user_info_by_uid(store, acct_user, user_info) < 0) { - ldout(cct, 0) << "NOTICE: couldn't map swift user " << acct_user << dendl; - create_account(acct_user, user_info); + ldpp_dout(dpp, 0) << "NOTICE: couldn't map swift user " << acct_user << dendl; + create_account(dpp, acct_user, user_info); } /* Succeeded if we are here (create_account() hasn't throwed). */ @@ -470,7 +471,7 @@ void rgw::auth::RemoteApplier::load_acct_info(RGWUserInfo& user_info) const /* static declaration */ const std::string rgw::auth::LocalApplier::NO_SUBUSER; -uint32_t rgw::auth::LocalApplier::get_perms_from_aclspec(const aclspec_t& aclspec) const +uint32_t rgw::auth::LocalApplier::get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const { return rgw_perms_from_aclspec_default_strategy(user_info.user_id, aclspec); } @@ -527,14 +528,14 @@ uint32_t rgw::auth::LocalApplier::get_perm_mask(const std::string& subuser_name, } } -void rgw::auth::LocalApplier::load_acct_info(RGWUserInfo& user_info) const /* out */ +void rgw::auth::LocalApplier::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const /* out */ { /* Load the account that belongs to the authenticated identity. An extra call * to RADOS may be safely skipped in this case. */ user_info = this->user_info; } -void rgw::auth::LocalApplier::modify_request_state(req_state* s) const +void rgw::auth::LocalApplier::modify_request_state(const DoutPrefixProvider *dpp, req_state* s) const { for (auto it : role_policies) { try { @@ -544,7 +545,7 @@ void rgw::auth::LocalApplier::modify_request_state(req_state* s) const } catch (rgw::IAM::PolicyParseException& e) { //Control shouldn't reach here as the policy has already been //verified earlier - ldout(s->cct, 20) << "failed to parse policy: " << e.what() << dendl; + ldpp_dout(dpp, 20) << "failed to parse policy: " << e.what() << dendl; } } } diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h index 0a7896774a7..194ce53ddba 100644 --- a/src/rgw/rgw_auth.h +++ b/src/rgw/rgw_auth.h @@ -38,7 +38,7 @@ public: * NOTE: an implementation is responsible for giving the real semantic to * the items in @aclspec. That is, their meaning may depend on particular * applier that is being used. */ - virtual uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const = 0; + virtual uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const = 0; /* Verify whether a given identity *can be treated as* an admin of rgw_user * (account in Swift's terminology) specified in @uid. On error throws @@ -106,11 +106,11 @@ public: * * XXX: be aware that the "account" term refers to rgw_user. The naming * is legacy. */ - virtual void load_acct_info(RGWUserInfo& user_info) const = 0; /* out */ + virtual void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const = 0; /* out */ /* Apply any changes to request state. This method will be most useful for * TempURL of Swift API. */ - virtual void modify_request_state(req_state* s) const {} /* in/out */ + virtual void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const {} /* in/out */ }; @@ -146,7 +146,7 @@ public: /* Apply any changes to request state. The initial use case was injecting * the AWSv4 filter over rgw::io::RestfulClient in req_state. */ - virtual void modify_request_state(req_state* s) = 0; /* in/out */ + virtual void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) = 0; /* in/out */ }; @@ -404,7 +404,8 @@ protected: const AuthInfo info; const bool implicit_tenants; - virtual void create_account(const rgw_user& acct_user, + virtual void create_account(const DoutPrefixProvider* dpp, + const rgw_user& acct_user, RGWUserInfo& user_info) const; /* out */ public: @@ -420,14 +421,14 @@ public: implicit_tenants(implicit_tenants) { } - uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override; + uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override; bool is_admin_of(const rgw_user& uid) const override; bool is_owner_of(const rgw_user& uid) const override; bool is_identity(const idset_t& ids) const override; uint32_t get_perm_mask() const override { return info.perm_mask; } void to_str(std::ostream& out) const override; - void load_acct_info(RGWUserInfo& user_info) const override; /* out */ + void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */ uint32_t get_identity_type() const override { return info.acct_type; } string get_acct_name() const override { return info.acct_name; } @@ -481,7 +482,7 @@ public: } - uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override; + uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override; bool is_admin_of(const rgw_user& uid) const override; bool is_owner_of(const rgw_user& uid) const override; bool is_identity(const idset_t& ids) const override; @@ -493,10 +494,10 @@ public: } } void to_str(std::ostream& out) const override; - void load_acct_info(RGWUserInfo& user_info) const override; /* out */ + void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */ uint32_t get_identity_type() const override { return TYPE_RGW; } string get_acct_name() const override { return {}; } - void modify_request_state(req_state* s) const override; + void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override; struct Factory { virtual ~Factory() {} diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h index cc6101bd8df..ff0a33eaae6 100644 --- a/src/rgw/rgw_auth_filters.h +++ b/src/rgw/rgw_auth_filters.h @@ -64,8 +64,8 @@ public: : decoratee(std::forward(decoratee)) { } - uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override { - return get_decoratee().get_perms_from_aclspec(aclspec); + uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override { + return get_decoratee().get_perms_from_aclspec(dpp, aclspec); } bool is_admin_of(const rgw_user& uid) const override { @@ -97,12 +97,12 @@ public: get_decoratee().to_str(out); } - void load_acct_info(RGWUserInfo& user_info) const override { /* out */ - return get_decoratee().load_acct_info(user_info); + void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override { /* out */ + return get_decoratee().load_acct_info(dpp, user_info); } - void modify_request_state(req_state * s) const override { /* in/out */ - return get_decoratee().modify_request_state(s); + void modify_request_state(const DoutPrefixProvider* dpp, req_state * s) const override { /* in/out */ + return get_decoratee().modify_request_state(dpp, s); } }; @@ -128,7 +128,7 @@ public: } void to_str(std::ostream& out) const override; - void load_acct_info(RGWUserInfo& user_info) const override; /* out */ + void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */ }; /* static declaration: UNKNOWN_ACCT will be an empty rgw_user that is a result @@ -145,16 +145,16 @@ void ThirdPartyAccountApplier::to_str(std::ostream& out) const } template -void ThirdPartyAccountApplier::load_acct_info(RGWUserInfo& user_info) const +void ThirdPartyAccountApplier::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const { if (UNKNOWN_ACCT == acct_user_override) { /* There is no override specified by the upper layer. This means that we'll * load the account owned by the authenticated identity (aka auth_user). */ - DecoratedApplier::load_acct_info(user_info); + DecoratedApplier::load_acct_info(dpp, user_info); } else if (DecoratedApplier::is_owner_of(acct_user_override)) { /* The override has been specified but the account belongs to the authenticated * identity. We may safely forward the call to a next stage. */ - DecoratedApplier::load_acct_info(user_info); + DecoratedApplier::load_acct_info(dpp, user_info); } else { /* Compatibility mechanism for multi-tenancy. For more details refer to * load_acct_info method of rgw::auth::RemoteApplier. */ @@ -211,8 +211,8 @@ public: } void to_str(std::ostream& out) const override; - void load_acct_info(RGWUserInfo& user_info) const override; /* out */ - void modify_request_state(req_state* s) const override; /* in/out */ + void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */ + void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override; /* in/out */ }; template @@ -223,13 +223,13 @@ void SysReqApplier::to_str(std::ostream& out) const } template -void SysReqApplier::load_acct_info(RGWUserInfo& user_info) const +void SysReqApplier::load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const { - DecoratedApplier::load_acct_info(user_info); + DecoratedApplier::load_acct_info(dpp, user_info); is_system = user_info.system; if (is_system) { - //dout(20) << "system request" << dendl; + //ldpp_dout(dpp, 20) << "system request" << dendl; rgw_user effective_uid(args.sys_get(RGW_SYS_PARAM_PREFIX "uid")); if (! effective_uid.empty()) { @@ -238,7 +238,7 @@ void SysReqApplier::load_acct_info(RGWUserInfo& user_info) const * calls ::decode instead. */ RGWUserInfo euser_info; if (rgw_get_user_info_by_uid(store, effective_uid, euser_info) < 0) { - //ldout(s->cct, 0) << "User lookup failed!" << dendl; + //ldpp_dout(dpp, 0) << "User lookup failed!" << dendl; throw -EACCES; } user_info = euser_info; @@ -247,18 +247,18 @@ void SysReqApplier::load_acct_info(RGWUserInfo& user_info) const } template -void SysReqApplier::modify_request_state(req_state* const s) const +void SysReqApplier::modify_request_state(const DoutPrefixProvider* dpp, req_state* const s) const { if (boost::logic::indeterminate(is_system)) { RGWUserInfo unused_info; - load_acct_info(unused_info); + load_acct_info(dpp, unused_info); } if (is_system) { s->info.args.set_system(); s->system_request = true; } - DecoratedApplier::modify_request_state(s); + DecoratedApplier::modify_request_state(dpp, s); } template static inline diff --git a/src/rgw/rgw_auth_s3.cc b/src/rgw/rgw_auth_s3.cc index d34e6164dc2..2662db2de1d 100644 --- a/src/rgw/rgw_auth_s3.cc +++ b/src/rgw/rgw_auth_s3.cc @@ -1009,7 +1009,7 @@ size_t AWSv4ComplMulti::recv_body(char* const buf, const size_t buf_max) return buf_pos; } -void AWSv4ComplMulti::modify_request_state(req_state* const s_rw) +void AWSv4ComplMulti::modify_request_state(const DoutPrefixProvider* dpp, req_state* const s_rw) { const char* const decoded_length = \ s_rw->info.env->get("HTTP_X_AMZ_DECODED_CONTENT_LENGTH"); @@ -1021,7 +1021,7 @@ void AWSv4ComplMulti::modify_request_state(req_state* const s_rw) s_rw->content_length = parse_content_length(decoded_length); if (s_rw->content_length < 0) { - ldout(cct, 10) << "negative AWSv4's content length, aborting" << dendl; + ldpp_dout(dpp, 10) << "negative AWSv4's content length, aborting" << dendl; throw -EINVAL; } } @@ -1075,7 +1075,7 @@ size_t AWSv4ComplSingle::recv_body(char* const buf, const size_t max) return received; } -void AWSv4ComplSingle::modify_request_state(req_state* const s_rw) +void AWSv4ComplSingle::modify_request_state(const DoutPrefixProvider* dpp, req_state* const s_rw) { /* Install the filter over rgw::io::RestfulClient. */ AWS_AUTHv4_IO(s_rw)->add_filter( diff --git a/src/rgw/rgw_auth_s3.h b/src/rgw/rgw_auth_s3.h index 7b2853aaf8c..f8ea7480be6 100644 --- a/src/rgw/rgw_auth_s3.h +++ b/src/rgw/rgw_auth_s3.h @@ -348,7 +348,7 @@ public: size_t recv_body(char* buf, size_t max) override; /* rgw::auth::Completer. */ - void modify_request_state(req_state* s_rw) override; + void modify_request_state(const DoutPrefixProvider* dpp, req_state* s_rw) override; bool complete() override; /* Factories. */ @@ -385,7 +385,7 @@ public: size_t recv_body(char* buf, size_t max) override; /* rgw::auth::Completer. */ - void modify_request_state(req_state* s_rw) override; + void modify_request_state(const DoutPrefixProvider* dpp, req_state* s_rw) override; bool complete() override; /* Factories. */ diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc index 9efa225034f..4ce812f1397 100644 --- a/src/rgw/rgw_common.cc +++ b/src/rgw/rgw_common.cc @@ -1075,7 +1075,8 @@ Effect eval_user_policies(const vector& user_policies, return usr_policy_res; } -bool verify_user_permission(struct req_state * const s, +bool verify_user_permission(const DoutPrefixProvider* dpp, + struct req_state * const s, RGWAccessControlPolicy * const user_acl, const vector& user_policies, const rgw::IAM::ARN& res, @@ -1089,7 +1090,7 @@ bool verify_user_permission(struct req_state * const s, if (op == rgw::IAM::s3CreateBucket || op == rgw::IAM::s3ListAllMyBuckets) { auto perm = op_to_perm(op); - return verify_user_permission_no_policy(s, user_acl, perm); + return verify_user_permission_no_policy(dpp, s, user_acl, perm); } if (usr_policy_res == Effect::Pass) { @@ -1101,7 +1102,7 @@ bool verify_user_permission(struct req_state * const s, return false; } -bool verify_user_permission_no_policy(struct req_state * const s, +bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, struct req_state * const s, RGWAccessControlPolicy * const user_acl, const int perm) { @@ -1112,20 +1113,22 @@ bool verify_user_permission_no_policy(struct req_state * const s, if ((perm & (int)s->perm_mask) != perm) return false; - return user_acl->verify_permission(*s->auth.identity, perm, perm); + return user_acl->verify_permission(dpp, *s->auth.identity, perm, perm); } -bool verify_user_permission(struct req_state * const s, +bool verify_user_permission(const DoutPrefixProvider* dpp, + struct req_state * const s, const rgw::IAM::ARN& res, const uint64_t op) { - return verify_user_permission(s, s->user_acl.get(), s->iam_user_policies, res, op); + return verify_user_permission(dpp, s, s->user_acl.get(), s->iam_user_policies, res, op); } -bool verify_user_permission_no_policy(struct req_state * const s, +bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, + struct req_state * const s, const int perm) { - return verify_user_permission_no_policy(s, s->user_acl.get(), perm); + return verify_user_permission_no_policy(dpp, s, s->user_acl.get(), perm); } bool verify_requester_payer_permission(struct req_state *s) @@ -1156,7 +1159,8 @@ bool verify_requester_payer_permission(struct req_state *s) return false; } -bool verify_bucket_permission(struct req_state * const s, +bool verify_bucket_permission(const DoutPrefixProvider* dpp, + struct req_state * const s, const rgw_bucket& bucket, RGWAccessControlPolicy * const user_acl, RGWAccessControlPolicy * const bucket_acl, @@ -1184,10 +1188,10 @@ bool verify_bucket_permission(struct req_state * const s, const auto perm = op_to_perm(op); - return verify_bucket_permission_no_policy(s, user_acl, bucket_acl, perm); + return verify_bucket_permission_no_policy(dpp, s, user_acl, bucket_acl, perm); } -bool verify_bucket_permission_no_policy(struct req_state * const s, +bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, struct req_state * const s, RGWAccessControlPolicy * const user_acl, RGWAccessControlPolicy * const bucket_acl, const int perm) @@ -1198,30 +1202,32 @@ bool verify_bucket_permission_no_policy(struct req_state * const s, if ((perm & (int)s->perm_mask) != perm) return false; - if (bucket_acl->verify_permission(*s->auth.identity, perm, perm, + if (bucket_acl->verify_permission(dpp, *s->auth.identity, perm, perm, s->info.env->get("HTTP_REFERER"))) return true; if (!user_acl) return false; - return user_acl->verify_permission(*s->auth.identity, perm, perm); + return user_acl->verify_permission(dpp, *s->auth.identity, perm, perm); } -bool verify_bucket_permission_no_policy(struct req_state * const s, const int perm) +bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, struct req_state * const s, const int perm) { if (!verify_requester_payer_permission(s)) return false; - return verify_bucket_permission_no_policy(s, + return verify_bucket_permission_no_policy(dpp, + s, s->user_acl.get(), s->bucket_acl.get(), perm); } -bool verify_bucket_permission(struct req_state * const s, const uint64_t op) +bool verify_bucket_permission(const DoutPrefixProvider* dpp, struct req_state * const s, const uint64_t op) { - return verify_bucket_permission(s, + return verify_bucket_permission(dpp, + s, s->bucket, s->user_acl.get(), s->bucket_acl.get(), @@ -1249,7 +1255,8 @@ int verify_bucket_owner_or_policy(struct req_state* const s, } -static inline bool check_deferred_bucket_perms(struct req_state * const s, +static inline bool check_deferred_bucket_perms(const DoutPrefixProvider* dpp, + struct req_state * const s, const rgw_bucket& bucket, RGWAccessControlPolicy * const user_acl, RGWAccessControlPolicy * const bucket_acl, @@ -1259,20 +1266,21 @@ static inline bool check_deferred_bucket_perms(struct req_state * const s, const uint64_t op) { return (s->defer_to_bucket_acls == deferred_check \ - && verify_bucket_permission(s, bucket, user_acl, bucket_acl, bucket_policy, user_policies,op)); + && verify_bucket_permission(dpp, s, bucket, user_acl, bucket_acl, bucket_policy, user_policies,op)); } -static inline bool check_deferred_bucket_only_acl(struct req_state * const s, +static inline bool check_deferred_bucket_only_acl(const DoutPrefixProvider* dpp, + struct req_state * const s, RGWAccessControlPolicy * const user_acl, RGWAccessControlPolicy * const bucket_acl, const uint8_t deferred_check, const int perm) { return (s->defer_to_bucket_acls == deferred_check \ - && verify_bucket_permission_no_policy(s, user_acl, bucket_acl, perm)); + && verify_bucket_permission_no_policy(dpp, s, user_acl, bucket_acl, perm)); } -bool verify_object_permission(struct req_state * const s, +bool verify_object_permission(const DoutPrefixProvider* dpp, struct req_state * const s, const rgw_obj& obj, RGWAccessControlPolicy * const user_acl, RGWAccessControlPolicy * const bucket_acl, @@ -1300,9 +1308,9 @@ bool verify_object_permission(struct req_state * const s, const auto perm = op_to_perm(op); - if (check_deferred_bucket_perms(s, obj.bucket, user_acl, bucket_acl, bucket_policy, + if (check_deferred_bucket_perms(dpp, s, obj.bucket, user_acl, bucket_acl, bucket_policy, user_policies, RGW_DEFER_TO_BUCKET_ACLS_RECURSE, op) || - check_deferred_bucket_perms(s, obj.bucket, user_acl, bucket_acl, bucket_policy, + check_deferred_bucket_perms(dpp, s, obj.bucket, user_acl, bucket_acl, bucket_policy, user_policies, RGW_DEFER_TO_BUCKET_ACLS_FULL_CONTROL, rgw::IAM::s3All)) { return true; } @@ -1311,7 +1319,7 @@ bool verify_object_permission(struct req_state * const s, return false; } - bool ret = object_acl->verify_permission(*s->auth.identity, s->perm_mask, perm); + bool ret = object_acl->verify_permission(dpp, *s->auth.identity, s->perm_mask, perm); if (ret) { return true; } @@ -1333,24 +1341,25 @@ bool verify_object_permission(struct req_state * const s, /* we already verified the user mask above, so we pass swift_perm as the mask here, otherwise the mask might not cover the swift permissions bits */ - if (bucket_acl->verify_permission(*s->auth.identity, swift_perm, swift_perm, + if (bucket_acl->verify_permission(dpp, *s->auth.identity, swift_perm, swift_perm, s->info.env->get("HTTP_REFERER"))) return true; if (!user_acl) return false; - return user_acl->verify_permission(*s->auth.identity, swift_perm, swift_perm); + return user_acl->verify_permission(dpp, *s->auth.identity, swift_perm, swift_perm); } -bool verify_object_permission_no_policy(struct req_state * const s, +bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, + struct req_state * const s, RGWAccessControlPolicy * const user_acl, RGWAccessControlPolicy * const bucket_acl, RGWAccessControlPolicy * const object_acl, const int perm) { - if (check_deferred_bucket_only_acl(s, user_acl, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_RECURSE, perm) || - check_deferred_bucket_only_acl(s, user_acl, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_FULL_CONTROL, RGW_PERM_FULL_CONTROL)) { + if (check_deferred_bucket_only_acl(dpp, s, user_acl, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_RECURSE, perm) || + check_deferred_bucket_only_acl(dpp, s, user_acl, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_FULL_CONTROL, RGW_PERM_FULL_CONTROL)) { return true; } @@ -1358,7 +1367,7 @@ bool verify_object_permission_no_policy(struct req_state * const s, return false; } - bool ret = object_acl->verify_permission(*s->auth.identity, s->perm_mask, perm); + bool ret = object_acl->verify_permission(dpp, *s->auth.identity, s->perm_mask, perm); if (ret) { return true; } @@ -1380,31 +1389,33 @@ bool verify_object_permission_no_policy(struct req_state * const s, /* we already verified the user mask above, so we pass swift_perm as the mask here, otherwise the mask might not cover the swift permissions bits */ - if (bucket_acl->verify_permission(*s->auth.identity, swift_perm, swift_perm, + if (bucket_acl->verify_permission(dpp, *s->auth.identity, swift_perm, swift_perm, s->info.env->get("HTTP_REFERER"))) return true; if (!user_acl) return false; - return user_acl->verify_permission(*s->auth.identity, swift_perm, swift_perm); + return user_acl->verify_permission(dpp, *s->auth.identity, swift_perm, swift_perm); } -bool verify_object_permission_no_policy(struct req_state *s, int perm) +bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, struct req_state *s, int perm) { if (!verify_requester_payer_permission(s)) return false; - return verify_object_permission_no_policy(s, + return verify_object_permission_no_policy(dpp, + s, s->user_acl.get(), s->bucket_acl.get(), s->object_acl.get(), perm); } -bool verify_object_permission(struct req_state *s, uint64_t op) +bool verify_object_permission(const DoutPrefixProvider* dpp, struct req_state *s, uint64_t op) { - return verify_object_permission(s, + return verify_object_permission(dpp, + s, rgw_obj(s->bucket, s->object), s->user_acl.get(), s->bucket_acl.get(), diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h index 40c55a9cd30..db45f2abb65 100644 --- a/src/rgw/rgw_common.h +++ b/src/rgw/rgw_common.h @@ -2294,20 +2294,25 @@ rgw::IAM::Effect eval_user_policies(const vector& user_policie boost::optional id, const uint64_t op, const rgw::IAM::ARN& arn); -bool verify_user_permission(struct req_state * const s, +bool verify_user_permission(const DoutPrefixProvider* dpp, + struct req_state * const s, RGWAccessControlPolicy * const user_acl, const vector& user_policies, const rgw::IAM::ARN& res, const uint64_t op); -bool verify_user_permission_no_policy(struct req_state * const s, +bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, + struct req_state * const s, RGWAccessControlPolicy * const user_acl, const int perm); -bool verify_user_permission(struct req_state * const s, +bool verify_user_permission(const DoutPrefixProvider* dpp, + struct req_state * const s, const rgw::IAM::ARN& res, const uint64_t op); -bool verify_user_permission_no_policy(struct req_state * const s, +bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, + struct req_state * const s, int perm); bool verify_bucket_permission( + const DoutPrefixProvider* dpp, struct req_state * const s, const rgw_bucket& bucket, RGWAccessControlPolicy * const user_acl, @@ -2315,17 +2320,20 @@ bool verify_bucket_permission( const boost::optional& bucket_policy, const vector& user_policies, const uint64_t op); -bool verify_bucket_permission(struct req_state * const s, const uint64_t op); +bool verify_bucket_permission(const DoutPrefixProvider* dpp, struct req_state * const s, const uint64_t op); bool verify_bucket_permission_no_policy( + const DoutPrefixProvider* dpp, struct req_state * const s, RGWAccessControlPolicy * const user_acl, RGWAccessControlPolicy * const bucket_acl, const int perm); -bool verify_bucket_permission_no_policy(struct req_state * const s, +bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, + struct req_state * const s, const int perm); int verify_bucket_owner_or_policy(struct req_state* const s, const uint64_t op); extern bool verify_object_permission( + const DoutPrefixProvider* dpp, struct req_state * const s, const rgw_obj& obj, RGWAccessControlPolicy * const user_acl, @@ -2334,14 +2342,15 @@ extern bool verify_object_permission( const boost::optional& bucket_policy, const vector& user_policies, const uint64_t op); -extern bool verify_object_permission(struct req_state *s, uint64_t op); +extern bool verify_object_permission(const DoutPrefixProvider* dpp, struct req_state *s, uint64_t op); extern bool verify_object_permission_no_policy( + const DoutPrefixProvider* dpp, struct req_state * const s, RGWAccessControlPolicy * const user_acl, RGWAccessControlPolicy * const bucket_acl, RGWAccessControlPolicy * const object_acl, int perm); -extern bool verify_object_permission_no_policy(struct req_state *s, +extern bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, struct req_state *s, int perm); /** Convert an input URL into a sane object name * by converting %-escaped strings into characters, etc*/ diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index 3fef96bad5a..dd564b26302 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -393,7 +393,7 @@ static int read_obj_policy(RGWRados *store, const rgw_user& bucket_owner = bucket_policy.get_owner().get_id(); if (bucket_owner.compare(s->user->user_id) != 0 && ! s->auth.identity->is_admin_of(bucket_owner) && - ! bucket_policy.verify_permission(*s->auth.identity, s->perm_mask, + ! bucket_policy.verify_permission(s, *s->auth.identity, s->perm_mask, RGW_PERM_READ)) { ret = -EACCES; } else { @@ -809,7 +809,7 @@ int RGWGetObj::verify_permission() } } - if (!verify_object_permission(s, action)) { + if (!verify_object_permission(this, s, action)) { return -EACCES; } @@ -856,7 +856,7 @@ int RGWGetObjTags::verify_permission() } } } - if (!verify_object_permission(s,iam_action)) + if (!verify_object_permission(this, s,iam_action)) return -EACCES; return 0; @@ -902,7 +902,7 @@ int RGWPutObjTags::verify_permission() rgw_iam_add_existing_objtags(store, s, obj, iam_action); } - if (!verify_object_permission(s,iam_action)) + if (!verify_object_permission(this, s,iam_action)) return -EACCES; return 0; } @@ -952,7 +952,7 @@ int RGWDeleteObjTags::verify_permission() } } } - if (!verify_object_permission(s, iam_action)) + if (!verify_object_permission(this, s, iam_action)) return -EACCES; } return 0; @@ -1278,7 +1278,7 @@ int RGWGetObj::read_user_manifest_part(rgw_bucket& bucket, ldpp_dout(this, 2) << "overriding permissions due to system operation" << dendl; } else if (s->auth.identity->is_admin_of(s->user->user_id)) { ldpp_dout(this, 2) << "overriding permissions due to admin operation" << dendl; - } else if (!verify_object_permission(s, part, s->user_acl.get(), bucket_acl, + } else if (!verify_object_permission(this, s, part, s->user_acl.get(), bucket_acl, &obj_policy, bucket_policy, s->iam_user_policies, action)) { return -EPERM; } @@ -1983,7 +1983,7 @@ int RGWGetObj::init_common() int RGWListBuckets::verify_permission() { - if (!verify_user_permission(s, ARN(), rgw::IAM::s3ListAllMyBuckets)) { + if (!verify_user_permission(this, s, ARN(), rgw::IAM::s3ListAllMyBuckets)) { return -EACCES; } @@ -2158,7 +2158,7 @@ void RGWGetUsage::execute() int RGWStatAccount::verify_permission() { - if (!verify_user_permission_no_policy(s, RGW_PERM_READ)) { + if (!verify_user_permission_no_policy(this, s, RGW_PERM_READ)) { return -EACCES; } @@ -2386,7 +2386,7 @@ void RGWDeleteBucketWebsite::execute() int RGWStatBucket::verify_permission() { // This (a HEAD request on a bucket) is governed by the s3:ListBucket permission. - if (!verify_bucket_permission(s, rgw::IAM::s3ListBucket)) { + if (!verify_bucket_permission(this, s, rgw::IAM::s3ListBucket)) { return -EACCES; } @@ -2437,7 +2437,8 @@ int RGWListBucket::verify_permission() s->env.emplace("s3:max-keys", std::to_string(max)); - if (!verify_bucket_permission(s, + if (!verify_bucket_permission(this, + s, list_versions ? rgw::IAM::s3ListBucketVersions : rgw::IAM::s3ListBucket)) { @@ -2534,7 +2535,7 @@ int RGWCreateBucket::verify_permission() return -EACCES; } - if (!verify_user_permission(s, ARN(s->bucket), rgw::IAM::s3CreateBucket)) { + if (!verify_user_permission(this, s, ARN(s->bucket), rgw::IAM::s3CreateBucket)) { return -EACCES; } @@ -3031,7 +3032,7 @@ void RGWCreateBucket::execute() int RGWDeleteBucket::verify_permission() { - if (!verify_bucket_permission(s, rgw::IAM::s3DeleteBucket)) { + if (!verify_bucket_permission(this, s, rgw::IAM::s3DeleteBucket)) { return -EACCES; } @@ -3181,11 +3182,11 @@ int RGWPutObj::verify_permission() if (e == Effect::Deny) { return -EACCES; } else if (usr_policy_res == Effect::Pass && e == Effect::Pass && - !cs_acl.verify_permission(*s->auth.identity, s->perm_mask, + !cs_acl.verify_permission(this, *s->auth.identity, s->perm_mask, RGW_PERM_READ)) { return -EACCES; } - } else if (!cs_acl.verify_permission(*s->auth.identity, s->perm_mask, + } else if (!cs_acl.verify_permission(this, *s->auth.identity, s->perm_mask, RGW_PERM_READ)) { return -EACCES; } @@ -3243,7 +3244,7 @@ int RGWPutObj::verify_permission() } } - if (!verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) { + if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) { return -EACCES; } @@ -3945,11 +3946,11 @@ void RGWPostObj::execute() if (e == Effect::Deny) { op_ret = -EACCES; return; - } else if (usr_policy_res == Effect::Pass && e == Effect::Pass && !verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) { + } else if (usr_policy_res == Effect::Pass && e == Effect::Pass && !verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) { op_ret = -EACCES; return; } - } else if (!verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) { + } else if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) { op_ret = -EACCES; return; } @@ -4201,7 +4202,7 @@ int RGWPutMetadataAccount::verify_permission() return -EACCES; } - if (!verify_user_permission_no_policy(s, RGW_PERM_WRITE)) { + if (!verify_user_permission_no_policy(this, s, RGW_PERM_WRITE)) { return -EACCES; } @@ -4250,7 +4251,7 @@ void RGWPutMetadataAccount::execute() int RGWPutMetadataBucket::verify_permission() { - if (!verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) { + if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) { return -EACCES; } @@ -4341,7 +4342,7 @@ int RGWPutMetadataObject::verify_permission() { // This looks to be something specific to Swift. We could add // operations like swift:PutMetadataObject to the Policy Engine. - if (!verify_object_permission_no_policy(s, RGW_PERM_WRITE)) { + if (!verify_object_permission_no_policy(this, s, RGW_PERM_WRITE)) { return -EACCES; } @@ -4412,7 +4413,7 @@ int RGWDeleteObj::handle_slo_manifest(bufferlist& bl) try { deleter = std::unique_ptr(\ - new RGWBulkDelete::Deleter(store, s)); + new RGWBulkDelete::Deleter(this, store, s)); } catch (const std::bad_alloc&) { return -ENOMEM; } @@ -4473,7 +4474,7 @@ int RGWDeleteObj::verify_permission() return true; } - if (!verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) { + if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) { return -EACCES; } @@ -4685,11 +4686,11 @@ int RGWCopyObj::verify_permission() if (e == Effect::Deny) { return -EACCES; } else if (e == Effect::Pass && - !src_acl.verify_permission(*s->auth.identity, s->perm_mask, + !src_acl.verify_permission(this, *s->auth.identity, s->perm_mask, RGW_PERM_READ)) { return -EACCES; } - } else if (!src_acl.verify_permission(*s->auth.identity, + } else if (!src_acl.verify_permission(this, *s->auth.identity, s->perm_mask, RGW_PERM_READ)) { return -EACCES; @@ -4739,13 +4740,14 @@ int RGWCopyObj::verify_permission() if (e == Effect::Deny) { return -EACCES; } else if (e == Effect::Pass && - ! dest_bucket_policy.verify_permission(*s->auth.identity, + ! dest_bucket_policy.verify_permission(this, + *s->auth.identity, s->perm_mask, RGW_PERM_WRITE)){ return -EACCES; } } - } else if (! dest_bucket_policy.verify_permission(*s->auth.identity, s->perm_mask, + } else if (! dest_bucket_policy.verify_permission(this, *s->auth.identity, s->perm_mask, RGW_PERM_WRITE)) { return -EACCES; } @@ -4887,9 +4889,9 @@ int RGWGetACLs::verify_permission() } } } - perm = verify_object_permission(s, iam_action); + perm = verify_object_permission(this, s, iam_action); } else { - perm = verify_bucket_permission(s, rgw::IAM::s3GetBucketAcl); + perm = verify_bucket_permission(this, s, rgw::IAM::s3GetBucketAcl); } if (!perm) return -EACCES; @@ -4926,9 +4928,9 @@ int RGWPutACLs::verify_permission() auto iam_action = s->object.instance.empty() ? rgw::IAM::s3PutObjectAcl : rgw::IAM::s3PutObjectVersionAcl; auto obj = rgw_obj(s->bucket, s->object); op_ret = rgw_iam_add_existing_objtags(store, s, obj, iam_action); - perm = verify_object_permission(s, iam_action); + perm = verify_object_permission(this, s, iam_action); } else { - perm = verify_bucket_permission(s, rgw::IAM::s3PutBucketAcl); + perm = verify_bucket_permission(this, s, rgw::IAM::s3PutBucketAcl); } if (!perm) return -EACCES; @@ -4939,7 +4941,7 @@ int RGWPutACLs::verify_permission() int RGWGetLC::verify_permission() { bool perm; - perm = verify_bucket_permission(s, rgw::IAM::s3GetLifecycleConfiguration); + perm = verify_bucket_permission(this, s, rgw::IAM::s3GetLifecycleConfiguration); if (!perm) return -EACCES; @@ -4949,7 +4951,7 @@ int RGWGetLC::verify_permission() int RGWPutLC::verify_permission() { bool perm; - perm = verify_bucket_permission(s, rgw::IAM::s3PutLifecycleConfiguration); + perm = verify_bucket_permission(this, s, rgw::IAM::s3PutLifecycleConfiguration); if (!perm) return -EACCES; @@ -4959,7 +4961,7 @@ int RGWPutLC::verify_permission() int RGWDeleteLC::verify_permission() { bool perm; - perm = verify_bucket_permission(s, rgw::IAM::s3PutLifecycleConfiguration); + perm = verify_bucket_permission(this, s, rgw::IAM::s3PutLifecycleConfiguration); if (!perm) return -EACCES; @@ -5483,7 +5485,7 @@ int RGWInitMultipart::verify_permission() } } - if (!verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) { + if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) { return -EACCES; } @@ -5612,7 +5614,7 @@ int RGWCompleteMultipart::verify_permission() } } - if (!verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) { + if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) { return -EACCES; } @@ -5941,7 +5943,7 @@ int RGWAbortMultipart::verify_permission() return 0; } - if (!verify_bucket_permission_no_policy(s, RGW_PERM_WRITE)) { + if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) { return -EACCES; } @@ -5979,7 +5981,7 @@ void RGWAbortMultipart::execute() int RGWListMultipart::verify_permission() { - if (!verify_object_permission(s, rgw::IAM::s3ListMultipartUploadParts)) + if (!verify_object_permission(this, s, rgw::IAM::s3ListMultipartUploadParts)) return -EACCES; return 0; @@ -6013,7 +6015,8 @@ void RGWListMultipart::execute() int RGWListBucketMultiparts::verify_permission() { - if (!verify_bucket_permission(s, + if (!verify_bucket_permission(this, + s, rgw::IAM::s3ListBucketMultipartUploads)) return -EACCES; @@ -6081,7 +6084,7 @@ void RGWGetHealthCheck::execute() int RGWDeleteMultiObj::verify_permission() { - acl_allowed = verify_bucket_permission_no_policy(s, RGW_PERM_WRITE); + acl_allowed = verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE); if (!acl_allowed && !s->iam_policy && s->iam_user_policies.empty()) return -EACCES; @@ -6239,7 +6242,7 @@ bool RGWBulkDelete::Deleter::verify_permission(RGWBucketInfo& binfo, /* We can use global user_acl because each BulkDelete request is allowed * to work on entities from a single account only. */ - return verify_bucket_permission(s, binfo.bucket, s->user_acl.get(), + return verify_bucket_permission(dpp, s, binfo.bucket, s->user_acl.get(), &bacl, policy, s->iam_user_policies, rgw::IAM::s3DeleteBucket); } @@ -6376,7 +6379,7 @@ void RGWBulkDelete::pre_exec() void RGWBulkDelete::execute() { - deleter = std::unique_ptr(new Deleter(store, s)); + deleter = std::unique_ptr(new Deleter(this, store, s)); bool is_truncated = false; do { @@ -6402,7 +6405,7 @@ int RGWBulkUploadOp::verify_permission() return -EACCES; } - if (! verify_user_permission_no_policy(s, RGW_PERM_WRITE)) { + if (! verify_user_permission_no_policy(this, s, RGW_PERM_WRITE)) { return -EACCES; } @@ -6699,7 +6702,7 @@ bool RGWBulkUploadOp::handle_file_verify_permission(RGWBucketInfo& binfo, } } - return verify_bucket_permission_no_policy(s, s->user_acl.get(), + return verify_bucket_permission_no_policy(this, s, s->user_acl.get(), &bacl, RGW_PERM_WRITE); } @@ -6994,9 +6997,9 @@ int RGWSetAttrs::verify_permission() // Swift equivalent. bool perm; if (!s->object.empty()) { - perm = verify_object_permission_no_policy(s, RGW_PERM_WRITE); + perm = verify_object_permission_no_policy(this, s, RGW_PERM_WRITE); } else { - perm = verify_bucket_permission_no_policy(s, RGW_PERM_WRITE); + perm = verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE); } if (!perm) return -EACCES; @@ -7199,7 +7202,7 @@ void RGWPutBucketPolicy::send_response() int RGWPutBucketPolicy::verify_permission() { - if (!verify_bucket_permission(s, rgw::IAM::s3PutBucketPolicy)) { + if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketPolicy)) { return -EACCES; } @@ -7261,7 +7264,7 @@ void RGWGetBucketPolicy::send_response() int RGWGetBucketPolicy::verify_permission() { - if (!verify_bucket_permission(s, rgw::IAM::s3GetBucketPolicy)) { + if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketPolicy)) { return -EACCES; } @@ -7302,7 +7305,7 @@ void RGWDeleteBucketPolicy::send_response() int RGWDeleteBucketPolicy::verify_permission() { - if (!verify_bucket_permission(s, rgw::IAM::s3DeleteBucketPolicy)) { + if (!verify_bucket_permission(this, s, rgw::IAM::s3DeleteBucketPolicy)) { return -EACCES; } diff --git a/src/rgw/rgw_op.h b/src/rgw/rgw_op.h index f4d59455af0..f22c207558a 100644 --- a/src/rgw/rgw_op.h +++ b/src/rgw/rgw_op.h @@ -404,6 +404,7 @@ public: class Deleter { protected: + const DoutPrefixProvider * dpp; unsigned int num_deleted; unsigned int num_unfound; std::list failures; @@ -412,8 +413,9 @@ public: req_state * const s; public: - Deleter(RGWRados * const str, req_state * const s) - : num_deleted(0), + Deleter(const DoutPrefixProvider* dpp, RGWRados * const str, req_state * const s) + : dpp(dpp), + num_deleted(0), num_unfound(0), store(str), s(s) { diff --git a/src/rgw/rgw_rest_role.cc b/src/rgw/rgw_rest_role.cc index d328727ad64..7df943d1178 100644 --- a/src/rgw/rgw_rest_role.cc +++ b/src/rgw/rgw_rest_role.cc @@ -39,7 +39,8 @@ int RGWRestRole::verify_permission() string resource_name = role.get_path() + role_name; uint64_t op = get_op(); - if (!verify_user_permission(s, + if (!verify_user_permission(this, + s, rgw::IAM::ARN(resource_name, "role", s->user->user_id.tenant, true), @@ -85,7 +86,8 @@ int RGWCreateRole::verify_permission() string role_path = s->info.args.get("Path"); string resource_name = role_path + role_name; - if (!verify_user_permission(s, + if (!verify_user_permission(this, + s, rgw::IAM::ARN(resource_name, "role", s->user->user_id.tenant, true), @@ -183,7 +185,8 @@ int RGWGetRole::_verify_permission(const RGWRole& role) } string resource_name = role.get_path() + role.get_name(); - if (!verify_user_permission(s, + if (!verify_user_permission(this, + s, rgw::IAM::ARN(resource_name, "role", s->user->user_id.tenant, true), @@ -268,7 +271,8 @@ int RGWListRoles::verify_permission() return ret; } - if (!verify_user_permission(s, + if (!verify_user_permission(this, + s, rgw::IAM::ARN(), get_op())) { return -EACCES; diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index 5875ef5ecb7..b98613da522 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -4401,6 +4401,7 @@ rgw::auth::s3::STSEngine::get_session_token(const boost::string_view& session_to rgw::auth::Engine::result_t rgw::auth::s3::STSEngine::authenticate( + const DoutPrefixProvider* dpp, const boost::string_view& _access_key_id, const boost::string_view& signature, const boost::string_view& session_token, @@ -4421,7 +4422,7 @@ rgw::auth::s3::STSEngine::authenticate( //Authentication //Check if access key is not the same passed in by client if (token.access_key_id != _access_key_id) { - ldout(cct, 0) << "Invalid access key" << dendl; + ldpp_dout(dpp, 0) << "Invalid access key" << dendl; return result_t::reject(-EPERM); } //Check if the token has expired @@ -4432,11 +4433,11 @@ rgw::auth::s3::STSEngine::authenticate( if (exp) { real_clock::time_point now = real_clock::now(); if (now >= *exp) { - ldout(cct, 0) << "ERROR: Token expired" << dendl; + ldpp_dout(dpp, 0) << "ERROR: Token expired" << dendl; return result_t::reject(-EPERM); } } else { - ldout(cct, 0) << "ERROR: Invalid expiration: " << expiration << dendl; + ldpp_dout(dpp, 0) << "ERROR: Invalid expiration: " << expiration << dendl; return result_t::reject(-EPERM); } } @@ -4446,12 +4447,12 @@ rgw::auth::s3::STSEngine::authenticate( signature_factory(cct, token.secret_access_key, string_to_sign); auto compare = signature.compare(server_signature); - ldout(cct, 15) << "string_to_sign=" + ldpp_dout(dpp, 15) << "string_to_sign=" << rgw::crypt_sanitize::log_content{string_to_sign} << dendl; - ldout(cct, 15) << "server signature=" << server_signature << dendl; - ldout(cct, 15) << "client signature=" << signature << dendl; - ldout(cct, 15) << "compare=" << compare << dendl; + ldpp_dout(dpp, 15) << "server signature=" << server_signature << dendl; + ldpp_dout(dpp, 15) << "client signature=" << signature << dendl; + ldpp_dout(dpp, 15) << "compare=" << compare << dendl; if (compare != 0) { return result_t::reject(-ERR_SIGNATURE_NO_MATCH); @@ -4478,7 +4479,7 @@ rgw::auth::s3::STSEngine::authenticate( // get user info int ret = rgw_get_user_info_by_uid(store, token.user, user_info, NULL); if (ret < 0) { - ldout(cct, 5) << "ERROR: failed reading user info: uid=" << token.user << dendl; + ldpp_dout(dpp, 5) << "ERROR: failed reading user info: uid=" << token.user << dendl; return result_t::reject(-EPERM); } } diff --git a/src/rgw/rgw_rest_s3.h b/src/rgw/rgw_rest_s3.h index 8d0bc9e9ea5..7149dcb3765 100644 --- a/src/rgw/rgw_rest_s3.h +++ b/src/rgw/rgw_rest_s3.h @@ -902,7 +902,8 @@ class STSEngine : public AWSEngine { int get_session_token(const boost::string_view& session_token, STS::SessionToken& token) const; - result_t authenticate(const boost::string_view& access_key_id, + result_t authenticate(const DoutPrefixProvider* dpp, + const boost::string_view& access_key_id, const boost::string_view& signature, const boost::string_view& session_token, const string_to_sign_t& string_to_sign, diff --git a/src/rgw/rgw_rest_sts.h b/src/rgw/rgw_rest_sts.h index 37d4050fdb7..8ecf3d9c6ef 100644 --- a/src/rgw/rgw_rest_sts.h +++ b/src/rgw/rgw_rest_sts.h @@ -57,8 +57,8 @@ public: int init(RGWRados *store, struct req_state *s, rgw::io::BasicClient *cio) override; - int authorize() override { - return RGW_Auth_S3::authorize(store, auth_registry, s); + int authorize(const DoutPrefixProvider* dpp) override { + return RGW_Auth_S3::authorize(dpp, store, auth_registry, s); } int postauth_init() override { return 0; } }; diff --git a/src/rgw/rgw_rest_user_policy.cc b/src/rgw/rgw_rest_user_policy.cc index 962cb5a601d..59cfca7490d 100644 --- a/src/rgw/rgw_rest_user_policy.cc +++ b/src/rgw/rgw_rest_user_policy.cc @@ -48,7 +48,7 @@ int RGWRestUserPolicy::verify_permission() uint64_t op = get_op(); string user_name = s->info.args.get("UserName"); rgw_user user_id(user_name); - if (! verify_user_permission(s, rgw::IAM::ARN(rgw::IAM::ARN(user_id.id, + if (! verify_user_permission(this, s, rgw::IAM::ARN(rgw::IAM::ARN(user_id.id, "user", user_id.tenant)), op)) { return -EACCES; @@ -332,4 +332,4 @@ void RGWDeleteUserPolicy::execute() op_ret = -ERR_NO_SUCH_ENTITY; return; } -} \ No newline at end of file +} diff --git a/src/rgw/rgw_swift_auth.cc b/src/rgw/rgw_swift_auth.cc index 47c06e18c65..97753e37871 100644 --- a/src/rgw/rgw_swift_auth.cc +++ b/src/rgw/rgw_swift_auth.cc @@ -33,7 +33,7 @@ namespace auth { namespace swift { /* TempURL: applier */ -void TempURLApplier::modify_request_state(req_state* s) const /* in/out */ +void TempURLApplier::modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const /* in/out */ { bool inline_exists = false; const std::string& filename = s->info.args.get("filename"); @@ -51,7 +51,7 @@ void TempURLApplier::modify_request_state(req_state* s) const /* in/out */ s->content_disp.fallback = "attachment; filename=\"" + fenc + "\""; } - ldout(s->cct, 20) << "finished applying changes to req_state for TempURL: " + ldpp_dout(dpp, 20) << "finished applying changes to req_state for TempURL: " << " content_disp override " << s->content_disp.override << " content_disp fallback " << s->content_disp.fallback << dendl; diff --git a/src/rgw/rgw_swift_auth.h b/src/rgw/rgw_swift_auth.h index 39fdc842221..9f57b2985b9 100644 --- a/src/rgw/rgw_swift_auth.h +++ b/src/rgw/rgw_swift_auth.h @@ -24,7 +24,7 @@ public: : LocalApplier(cct, user_info, LocalApplier::NO_SUBUSER, boost::none, boost::none) { }; - void modify_request_state(req_state * s) const override; /* in/out */ + void modify_request_state(const DoutPrefixProvider* dpp, req_state * s) const override; /* in/out */ struct Factory { virtual ~Factory() {} diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc index 64946b33ada..acfa8f0ae30 100644 --- a/src/test/rgw/test_rgw_iam_policy.cc +++ b/src/test/rgw/test_rgw_iam_policy.cc @@ -91,7 +91,7 @@ class FakeIdentity : public Identity { public: explicit FakeIdentity(Principal&& id) : id(std::move(id)) {} - uint32_t get_perms_from_aclspec(const aclspec_t& aclspec) const override { + uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override { ceph_abort(); return 0; }; -- 2.39.5