From 2cc488e9847afafa1e6b7dc283eca3cc6d74d156 Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Tue, 2 Jan 2024 16:05:58 -0500
Subject: [PATCH] rgw/iam: rename rgw::auth::Principal::Tenant to Account

just changes the name to match its use in AWS, without changing any behavior in rgw policy parsing/evaluation

Signed-off-by: Casey Bodley
---
src/rgw/rgw_auth.cc | 22 +++++++++++-----------
src/rgw/rgw_basic_types.cc | 4 ++--
src/rgw/rgw_basic_types.h | 12 ++++++------
src/rgw/rgw_iam_policy.cc | 4 ++--
src/test/rgw/test_rgw_iam_policy.cc | 10 +++++-----
5 files changed, 26 insertions(+), 26 deletions(-)

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 6f0cb5d80a2..5075894e4f4 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -102,10 +102,10 @@ transform_old_authinfo(CephContext* const cct,
for (auto& p : ids) {
if (p.is_wildcard()) {
return true;
- } else if (p.is_tenant() && p.get_tenant() == id.tenant) {
+ } else if (p.is_account() && p.get_account() == id.tenant) {
return true;
} else if (p.is_user() &&
- (p.get_tenant() == id.tenant) &&
+ (p.get_account() == id.tenant) &&
(p.get_id() == id.id)) {
return true;
}
@@ -632,16 +632,16 @@ bool rgw::auth::RemoteApplier::is_identity(const idset_t& ids) const {
// We also need to cover cases where rgw_keystone_implicit_tenants
// was enabled. */
- } else if (id.is_tenant() &&
+ } else if (id.is_account() &&
(info.acct_user.tenant.empty() ? info.acct_user.id :
- info.acct_user.tenant) == id.get_tenant()) {
+ info.acct_user.tenant) == id.get_account()) {
return true;
} else if (id.is_user() &&
info.acct_user.id == id.get_id() &&
(info.acct_user.tenant.empty() ? info.acct_user.id :
- info.acct_user.tenant) == id.get_tenant()) {
+ info.acct_user.tenant) == id.get_account()) {
return true;
}
}
@@ -840,11 +840,11 @@ bool rgw::auth::LocalApplier::is_identity(const idset_t& ids) const {
for (auto& id : ids) {
if (id.is_wildcard()) {
return true;
- } else if (id.is_tenant() &&
- id.get_tenant() == user_info.user_id.tenant) {
+ } else if (id.is_account() &&
+ id.get_account() == user_info.user_id.tenant) {
return true;
} else if (id.is_user() &&
- (id.get_tenant() == user_info.user_id.tenant)) {
+ (id.get_account() == user_info.user_id.tenant)) {
if (id.get_id() == user_info.user_id.id) {
return true;
}
@@ -927,19 +927,19 @@ bool rgw::auth::RoleApplier::is_identity(const idset_t& ids) const {
return true;
} else if (p.is_role()) {
string name = p.get_id();
- string tenant = p.get_tenant();
+ string tenant = p.get_account();
if (name == role.name && tenant == role.tenant) {
return true;
}
} else if (p.is_assumed_role()) {
- string tenant = p.get_tenant();
+ string tenant = p.get_account();
string role_session = role.name + "/" + token_attrs.role_session_name; //role/role-session
if (role.tenant == tenant && role_session == p.get_role_session()) {
return true;
}
} else {
string id = p.get_id();
- string tenant = p.get_tenant();
+ string tenant = p.get_account();
string oidc_id;
if (token_attrs.user_id.ns.empty()) {
oidc_id = token_attrs.user_id.id;
diff --git a/src/rgw/rgw_basic_types.cc b/src/rgw/rgw_basic_types.cc
index e6e94f48dc0..f82694683a0 100644
--- a/src/rgw/rgw_basic_types.cc
+++ b/src/rgw/rgw_basic_types.cc
@@ -171,8 +171,8 @@ ostream& operator <<(ostream& m, const Principal& p) {
return m << "*";
}
- m << "arn:aws:iam:" << p.get_tenant() << ":";
- if (p.is_tenant()) {
+ m << "arn:aws:iam:" << p.get_account() << ":";
+ if (p.is_account()) {
return m << "root";
}
return m << (p.is_user() ? "user/" : "role/") << p.get_id();
diff --git a/src/rgw/rgw_basic_types.h b/src/rgw/rgw_basic_types.h
index a8190aa35ad..cd56db1081b 100644
--- a/src/rgw/rgw_basic_types.h
+++ b/src/rgw/rgw_basic_types.h
@@ -141,7 +141,7 @@ extern void decode_json_obj(rgw_placement_rule& v, JSONObj *obj);
namespace rgw {
namespace auth {
class Principal {
- enum types { User, Role, Tenant, Wildcard, OidcProvider, AssumedRole };
+ enum types { User, Role, Account, Wildcard, OidcProvider, AssumedRole };
types t;
rgw_user u;
std::string idp_url;
@@ -169,8 +169,8 @@ public:
return Principal(Role, std::move(t), std::move(u));
}
- static Principal tenant(std::string&& t) {
- return Principal(Tenant, std::move(t), {});
+ static Principal account(std::string&& t) {
+ return Principal(Account, std::move(t), {});
}
static Principal oidc_provider(std::string&& idp_url) {
@@ -193,8 +193,8 @@ public:
return t == Role;
}
- bool is_tenant() const {
- return t == Tenant;
+ bool is_account() const {
+ return t == Account;
}
bool is_oidc_provider() const {
@@ -205,7 +205,7 @@ public:
return t == AssumedRole;
}
- const std::string& get_tenant() const {
+ const std::string& get_account() const {
return u.tenant;
}
diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index 0a954a3c954..4a288fd55fa 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -491,7 +491,7 @@ boost::optional ParseState::parse_principal(string&& s,
// AWS and Federated ARNs
if (auto a = ARN::parse(s)) {
if (a->resource == "root") {
- return Principal::tenant(std::move(a->account));
+ return Principal::account(std::move(a->account));
}
static const char rx_str[] = "([^/]*)/(.*)";
@@ -524,7 +524,7 @@ boost::optional ParseState::parse_principal(string&& s,
// Since tenants are simply prefixes, there's no really good
// way to see if one exists or not. So we return the thing and
// let them try to match against it.
- return Principal::tenant(std::move(s));
+ return Principal::account(std::move(s));
}
if (errmsg) *errmsg =
diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
index 61b2fdbe672..09dadeaacca 100644
--- a/src/test/rgw/test_rgw_iam_policy.cc
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -248,7 +248,7 @@ TEST_F(PolicyTest, Parse2) {
EXPECT_FALSE(p->statements[0].princ.empty());
EXPECT_EQ(p->statements[0].princ.size(), 1U);
EXPECT_EQ(*p->statements[0].princ.begin(),
- Principal::tenant("ACCOUNT-ID-WITHOUT-HYPHENS"));
+ Principal::account("ACCOUNT-ID-WITHOUT-HYPHENS"));
EXPECT_TRUE(p->statements[0].noprinc.empty());
EXPECT_EQ(p->statements[0].effect, Effect::Allow);
Action_t act;
@@ -282,10 +282,10 @@ TEST_F(PolicyTest, Eval2) {
Environment e;
auto trueacct = FakeIdentity(
- Principal::tenant("ACCOUNT-ID-WITHOUT-HYPHENS"));
+ Principal::account("ACCOUNT-ID-WITHOUT-HYPHENS"));
auto notacct = FakeIdentity(
- Principal::tenant("some-other-account"));
+ Principal::account("some-other-account"));
for (auto i = 0ULL; i < s3All; ++i) {
ARN arn1(Partition::aws, Service::s3, "", arbitrary_tenant, "mybucket");
@@ -714,7 +714,7 @@ TEST_F(PolicyTest, Parse7) {
EXPECT_EQ(p->statements[0].resource.begin()->resource, "mybucket/*");
EXPECT_TRUE(p->statements[0].princ.begin()->is_user());
EXPECT_FALSE(p->statements[0].princ.begin()->is_wildcard());
- EXPECT_EQ(p->statements[0].princ.begin()->get_tenant(), "");
+ EXPECT_EQ(p->statements[0].princ.begin()->get_account(), "");
EXPECT_EQ(p->statements[0].princ.begin()->get_id(), "A:subA");
EXPECT_TRUE(p->statements[0].notresource.empty());
EXPECT_TRUE(p->statements[0].conditions.empty());
@@ -1044,7 +1044,7 @@ TEST_F(IPPolicyTest, EvalIPAddress) {
blocklistedIPv6.emplace("aws:SourceIp", "2001:0db8:85a3:0000:0000:8a2e:0370:7334");
auto trueacct = FakeIdentity(
- Principal::tenant("ACCOUNT-ID-WITHOUT-HYPHENS"));
+ Principal::account("ACCOUNT-ID-WITHOUT-HYPHENS"));
// Without an IP address in the environment then evaluation will always pass
ARN arn1(Partition::aws, Service::s3, "", arbitrary_tenant, "example_bucket");
--
2.39.5