From 272a7660ca4ed9b535aaf4607aeaaa46a20e75c7 Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Thu, 29 Feb 2024 11:12:51 -0500
Subject: [PATCH] rgw/auth: add account_id and role_id to ops log

Signed-off-by: Casey Bodley
---
src/rgw/rgw_auth.cc | 28 ++++++++++++++++++++++++++++
src/rgw/rgw_auth.h | 2 ++
src/rgw/rgw_log.cc | 8 ++++++++
src/rgw/rgw_log.h | 12 ++++++++++--
4 files changed, 48 insertions(+), 2 deletions(-)

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index a357d15a9dfd0..75464d3b63931 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -280,6 +280,12 @@ static auto transform_old_authinfo(const RGWUserInfo& user,
 return id.tenant;
 }
 
+ void write_ops_log_entry(rgw_log_entry& entry) const override {
+ if (account) {
+ entry.account_id = account->id;
+ }
+ }
+
 void to_str(std::ostream& out) const override {
 out << "RGWDummyIdentityApplier(auth_id=" << id
 << ", is_admin=" << is_admin << ")";
@@ -585,6 +591,14 @@ void rgw::auth::WebIdentityApplier::to_str(std::ostream& out) const
 << ", provider_id =" << iss << ")";
 }
 
+void rgw::auth::WebIdentityApplier::write_ops_log_entry(rgw_log_entry& entry) const
+{
+ if (account) {
+ entry.account_id = account->id;
+ }
+ entry.role_id = role_id;
+}
+
 string rgw::auth::WebIdentityApplier::get_idp_url() const
 {
 string idp_url = this->iss;
@@ -913,6 +927,9 @@ void rgw::auth::RemoteApplier::write_ops_log_entry(rgw_log_entry& entry) const
 {
 entry.access_key_id = info.access_key_id;
 entry.subuser = info.subuser;
+ if (account) {
+ entry.account_id = account->id;
+ }
 }
 
 /* TODO(rzarzynski): we need to handle display_name changes. */
@@ -1094,6 +1111,9 @@ void rgw::auth::LocalApplier::write_ops_log_entry(rgw_log_entry& entry) const
 {
 entry.access_key_id = access_key_id;
 entry.subuser = subuser;
+ if (account) {
+ entry.account_id = account->id;
+ }
 }
 
 ACLOwner rgw::auth::RoleApplier::get_aclowner() const
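Review bot: The account-id write `if (account) { entry.account_id = account->id; }` added to the dummy applier in this hunk is repeated verbatim in WebIdentityApplier (@@ -585), RemoteApplier (@@ -913) and LocalApplier (@@ -1094), and once more against `role.account` in RoleApplier (@@ -1164), so five call sites now have to move together if the account id field or its optionality ever changes. A small file-local helper taking the account (its type is not visible in these hunks) and the entry by reference, called from each override, would keep the attribution written to the ops log consistent across identity kinds. The enclosing class of this override starts outside the hunk, so the declaration of `account` it relies on cannot be checked here.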
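Review bot: In the new WebIdentityApplier::write_ops_log_entry (@@ -585) `entry.role_id = role_id;` is assigned unconditionally while `account_id` is guarded, and the same asymmetry appears in RoleApplier (@@ -1164) with `entry.role_id = role.id;`. This is harmless for the JSON output, since dump() in rgw_log.cc skips empty strings, but it presumably encodes the assumption that these two appliers always carry an assumed role; a one-line comment such as `// a web-identity/assumed-role session always has a role; the account is optional` would make that intent explicit for whoever reads the audit record.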
@@ -1164,6 +1184,14 @@ void rgw::auth::RoleApplier::load_acct_info(const DoutPrefixProvider* dpp, RGWUs
 user_info.user_id = this->token_attrs.user_id;
 }
 
+void rgw::auth::RoleApplier::write_ops_log_entry(rgw_log_entry& entry) const
+{
+ if (role.account) {
+ entry.account_id = role.account->id;
+ }
+ entry.role_id = role.id;
+}
+
 void rgw::auth::RoleApplier::modify_request_state(const DoutPrefixProvider *dpp, req_state* s) const
 {
 // non-account identity policy is restricted to the current tenant
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index 90e60374550a1..9fc92277dbb88 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -497,6 +497,7 @@ public:
 const std::string& get_tenant() const override {
 return role_tenant;
 }
+ void write_ops_log_entry(rgw_log_entry& entry) const override;
 
 struct Factory {
 virtual ~Factory() {}
@@ -792,6 +793,7 @@ public:
 std::string get_acct_name() const override { return {}; }
 std::string get_subuser() const override { return {}; }
 const std::string& get_tenant() const override { return role.tenant; }
+ void write_ops_log_entry(rgw_log_entry& entry) const override;
 void modify_request_state(const DoutPrefixProvider* dpp,
 req_state* s) const override;
 
diff --git a/src/rgw/rgw_log.cc b/src/rgw/rgw_log.cc
index 3cf2060e7ed6e..5d7e3678f8fd3 100644
--- a/src/rgw/rgw_log.cc
+++ b/src/rgw/rgw_log.cc
@@ -697,6 +697,8 @@ void rgw_log_entry::generate_test_instances(list& o)
 e->bucket_id = "10";
 e->trans_id = "trans_id";
 e->identity_type = TYPE_RGW;
+ e->account_id = "account_id";
+ e->role_id = "role_id";
 o.push_back(e);
 o.push_back(new rgw_log_entry);
 }
@@ -723,4 +725,10 @@ void rgw_log_entry::dump(Formatter *f) const
 f->dump_string("bucket_id", bucket_id);
 f->dump_string("trans_id", trans_id);
 f->dump_unsigned("identity_type", identity_type);
+ if (!account_id.empty()) {
+ f->dump_string("account_id", account_id);
+ }
+ if (!role_id.empty()) {
+ f->dump_string("role_id", role_id);
+ }
 }
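Review bot: In rgw_log_entry::dump (rgw_log.cc @@ -723) the new `account_id` and `role_id` keys are emitted only when non-empty, unlike every neighbouring field, which is dumped unconditionally; the encoded form written by encode() always carries both. That gives the ops-log JSON a variable schema, and anything that consumes these records for audit or attribution has to treat an absent key as "no account / no assumed role" rather than as a malformed entry. A comment on the two guards, e.g. `// omitted for identities that have no account or assumed role; consumers must treat a missing key as "none"`, would document that contract next to the code that creates it. dump() starts outside the hunk.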
diff --git a/src/rgw/rgw_log.h b/src/rgw/rgw_log.h
index d8303f65d9dcf..828124aa758dc 100644
--- a/src/rgw/rgw_log.h
+++ b/src/rgw/rgw_log.h
@@ -102,9 +102,11 @@ struct rgw_log_entry {
 std::string subuser;
 bool temp_url {false};
 delete_multi_obj_op_meta delete_multi_obj_meta;
+ rgw_account_id account_id;
+ std::string role_id;
 
 void encode(bufferlist &bl) const {
- ENCODE_START(14, 5, bl);
+ ENCODE_START(15, 5, bl);
 // old object/bucket owner ids, encoded in full in v8
 std::string empty_owner_id;
 encode(empty_owner_id, bl);
@@ -138,10 +140,12 @@ struct rgw_log_entry {
 encode(subuser, bl);
 encode(temp_url, bl);
 encode(delete_multi_obj_meta, bl);
+ encode(account_id, bl);
+ encode(role_id, bl);
 ENCODE_FINISH(bl);
 }
 void decode(bufferlist::const_iterator &p) {
- DECODE_START_LEGACY_COMPAT_LEN(14, 5, 5, p);
+ DECODE_START_LEGACY_COMPAT_LEN(15, 5, 5, p);
 std::string object_owner_id;
 std::string bucket_owner_id;
 decode(object_owner_id, p);
@@ -210,6 +214,10 @@ struct rgw_log_entry {
 if (struct_v >= 14) {
 decode(delete_multi_obj_meta, p);
 }
+ if (struct_v >= 15) {
+ decode(account_id, p);
+ decode(role_id, p);
+ }
 DECODE_FINISH(p);
 }
 void dump(ceph::Formatter *f) const;
-- 
2.39.5
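Review bot: The two new members `rgw_account_id account_id;` and `std::string role_id;` in @@ -102 are added without a note on when they are populated or which encoding version introduced them, so a reader has to cross-reference the v15 bump in encode(), the `if (struct_v >= 15)` gate in @@ -210 and the conditional dump() in rgw_log.cc to learn that "empty" is the legitimate value for identities without an account or role. A comment such as `// account and assumed role of the requesting identity, empty when not applicable (encoded since v15)` placed on the fields would make the audit-record semantics self-describing. The version bump and the gated decode are consistent with each other, and leaving the compat version at 5 should, as I read the DECODE_START macros, let older decoders ignore the appended fields; no change needed there.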