From 7086ccccfb2b2163f17f96dfa63e01c2e00fa64e Mon Sep 17 00:00:00 2001
From: Kalpesh Pandya
Date: Mon, 21 Jun 2021 13:50:25 +0530
Subject: [PATCH] src/rgw: DPP addition to rgw_keystone.cc

Signed-off-by: Kalpesh Pandya
---
 src/rgw/rgw_auth_keystone.cc | 10 +++++-----
 src/rgw/rgw_keystone.cc | 34 +++++++++++++++++++---------------
 src/rgw/rgw_keystone.h | 13 ++++++++-----
 src/rgw/rgw_kms.cc | 17 ++++++++---------
 src/rgw/rgw_kms.h | 6 ++----
 5 files changed, 42 insertions(+), 38 deletions(-)

diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc
index f0b29d5ca34..71de604362b 100644
--- a/src/rgw/rgw_auth_keystone.cc
+++ b/src/rgw/rgw_auth_keystone.cc
@@ -64,7 +64,7 @@ TokenEngine::get_from_keystone(const DoutPrefixProvider* dpp, const std::string&
   }
 
   std::string admin_token;
-  if (rgw::keystone::Service::get_admin_token(cct, token_cache, config,
+  if (rgw::keystone::Service::get_admin_token(dpp, cct, token_cache, config,
                                               admin_token) < 0) {
     throw -EINVAL;
   }
@@ -101,7 +101,7 @@ TokenEngine::get_from_keystone(const DoutPrefixProvider* dpp, const std::string&
                 << ", body=" << token_body_bl.c_str() << dendl;
 
   TokenEngine::token_envelope_t token_body;
-  ret = token_body.parse(cct, token, token_body_bl, config.get_api_version());
+  ret = token_body.parse(dpp, cct, token, token_body_bl, config.get_api_version());
   if (ret < 0) {
     throw ret;
   }
@@ -286,7 +286,7 @@ EC2Engine::get_from_keystone(const DoutPrefixProvider* dpp, const std::string_vi
 
   /* get authentication token for Keystone. */
   std::string admin_token;
-  int ret = rgw::keystone::Service::get_admin_token(cct, token_cache, config,
+  int ret = rgw::keystone::Service::get_admin_token(dpp, cct, token_cache, config,
                                                     admin_token);
   if (ret < 0) {
     ldpp_dout(dpp, 2) << "s3 keystone: cannot get token for keystone access"
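Review bot: The failure branch after the new `get_admin_token(dpp, cct, …)` call in TokenEngine::get_from_keystone (first hunk) throws `-EINVAL` without logging anything, while the EC2Engine counterpart later in this file logs `"s3 keystone: cannot get token for keystone access"` before failing; now that `dpp` is threaded through, the same diagnostic can be emitted here with the request prefix, e.g. `ldpp_dout(dpp, 2) << "keystone: cannot get admin token for keystone access" << dendl;` just before `throw -EINVAL;`. Throwing a fixed `-EINVAL` also discards the code `get_admin_token` returned (its callee returns `-EACCES` on an authentication rejection, visible in rgw_keystone.cc below); capturing it in a local and throwing that is worth considering if the catch sites tolerate other values, which is not visible here. TokenEngine::get_from_keystone starts before and continues after this hunk.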
@@ -343,7 +343,7 @@ EC2Engine::get_from_keystone(const DoutPrefixProvider* dpp, const std::string_vi
 
   /* now parse response */
   rgw::keystone::TokenEnvelope token_envelope;
-  ret = token_envelope.parse(cct, std::string(), token_body_bl, api_version);
+  ret = token_envelope.parse(dpp, cct, std::string(), token_body_bl, api_version);
   if (ret < 0) {
     ldpp_dout(dpp, 2) << "s3 keystone: token parsing failed, ret=0" << ret
                       << dendl;
@@ -379,7 +379,7 @@ std::pair, int> EC2Engine::get_secret_from_keystone
 
   /* get authentication token for Keystone. */
   std::string admin_token;
-  int ret = rgw::keystone::Service::get_admin_token(cct, token_cache, config,
+  int ret = rgw::keystone::Service::get_admin_token(dpp, cct, token_cache, config,
                                                     admin_token);
   if (ret < 0) {
     ldpp_dout(dpp, 2) << "s3 keystone: cannot get token for keystone access"
diff --git a/src/rgw/rgw_keystone.cc b/src/rgw/rgw_keystone.cc
index 32502bec06f..37b86602292 100644
--- a/src/rgw/rgw_keystone.cc
+++ b/src/rgw/rgw_keystone.cc
@@ -134,7 +134,8 @@ std::string CephCtxConfig::get_admin_password() const noexcept {
   return empty;
 }
 
-int Service::get_admin_token(CephContext* const cct,
+int Service::get_admin_token(const DoutPrefixProvider *dpp,
+                             CephContext* const cct,
                              TokenCache& token_cache,
                              const Config& config,
                              std::string& token)
@@ -151,13 +152,13 @@ int Service::get_admin_token(CephContext* const cct,
 
   /* Try cache first before calling Keystone for a new admin token. */
   if (token_cache.find_admin(t)) {
-    ldout(cct, 20) << "found cached admin token" << dendl;
+    ldpp_dout(dpp, 20) << "found cached admin token" << dendl;
     token = t.token.id;
     return 0;
   }
 
   /* Call Keystone now. */
-  const auto ret = issue_admin_token_request(cct, config, t);
+  const auto ret = issue_admin_token_request(dpp, cct, config, t);
   if (! ret) {
     token_cache.add_admin(t);
     token = t.token.id;
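Review bot: The context line `<< "s3 keystone: token parsing failed, ret=0" << ret` right under the changed `parse` call has a stray `0` baked into the message text, so a parse failure is logged as `ret=0-22` rather than `ret=-22`; since this line is already being touched for the `dpp` plumbing, the message should become `<< "s3 keystone: token parsing failed, ret=" << ret`. The enclosing EC2Engine::get_from_keystone starts before and continues after this hunk.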
@@ -166,7 +167,8 @@ int Service::get_admin_token(CephContext* const cct,
   return ret;
 }
 
-int Service::issue_admin_token_request(CephContext* const cct,
+int Service::issue_admin_token_request(const DoutPrefixProvider *dpp,
+                                       CephContext* const cct,
                                        const Config& config,
                                        TokenEnvelope& t)
 {
@@ -217,7 +219,7 @@ int Service::issue_admin_token_request(CephContext* const cct,
     return -EACCES;
   }
 
-  if (t.parse(cct, token_req.get_subject_token(), token_bl,
+  if (t.parse(dpp, cct, token_req.get_subject_token(), token_bl,
               keystone_version) != 0) {
     return -EINVAL;
   }
@@ -225,7 +227,8 @@ int Service::issue_admin_token_request(CephContext* const cct,
   return 0;
 }
 
-int Service::get_keystone_barbican_token(CephContext * const cct,
+int Service::get_keystone_barbican_token(const DoutPrefixProvider *dpp,
+                                         CephContext * const cct,
                                          std::string& token)
 {
   using keystone_config_t = rgw::keystone::CephCtxConfig;
@@ -243,7 +246,7 @@ int Service::get_keystone_barbican_token(CephContext * const cct,
 
   /* Try cache first. */
   if (token_cache.find_barbican(t)) {
-    ldout(cct, 20) << "found cached barbican token" << dendl;
+    ldpp_dout(dpp, 20) << "found cached barbican token" << dendl;
     token = t.token.id;
     return 0;
   }
@@ -279,10 +282,10 @@ int Service::get_keystone_barbican_token(CephContext * const cct,
 
   token_req.set_url(token_url);
 
-  ldout(cct, 20) << "Requesting secret from barbican url=" << token_url << dendl;
+  ldpp_dout(dpp, 20) << "Requesting secret from barbican url=" << token_url << dendl;
   const int ret = token_req.process(null_yield);
   if (ret < 0) {
-    ldout(cct, 20) << "Barbican process error:" << token_bl.c_str() << dendl;
+    ldpp_dout(dpp, 20) << "Barbican process error:" << token_bl.c_str() << dendl;
     return ret;
   }
 
@@ -292,7 +295,7 @@ int Service::get_keystone_barbican_token(CephContext * const cct,
     return -EACCES;
   }
 
-  if (t.parse(cct, token_req.get_subject_token(), token_bl,
+  if (t.parse(dpp, cct, token_req.get_subject_token(), token_bl,
               keystone_version) != 0) {
     return -EINVAL;
   }
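Review bot: The two log lines re-routed through `ldpp_dout` in the `@@ -279,10 +282,10 @@` hunk of `get_keystone_barbican_token` describe the wrong operation: the request sent to `token_url` is a Keystone token request (the function hands back `t.token.id` and feeds the response to `t.parse` exactly like the admin-token path above), yet the messages say `Requesting secret from barbican` and `Barbican process error`, which will send an operator looking at the wrong service. Since the lines are being rewritten anyway, suggest `ldpp_dout(dpp, 20) << "Requesting keystone token for barbican url=" << token_url << dendl;` and `ldpp_dout(dpp, 20) << "Keystone token request for barbican failed:" << token_bl.c_str() << dendl;`. The second line echoes the raw response body; that is only an error body on this path, so level 20 is appropriate, but it should not be raised to a lower (more verbose-by-default) level later. The function starts before and continues after this hunk.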
@@ -314,14 +317,15 @@ bool TokenEnvelope::has_role(const std::string& r) const
   return false;
 }
 
-int TokenEnvelope::parse(CephContext* const cct,
+int TokenEnvelope::parse(const DoutPrefixProvider *dpp,
+                         CephContext* const cct,
                          const std::string& token_str,
                          ceph::bufferlist& bl,
                          const ApiVersion version)
 {
   JSONParser parser;
   if (! parser.parse(bl.c_str(), bl.length())) {
-    ldout(cct, 0) << "Keystone token parse error: malformed json" << dendl;
+    ldpp_dout(dpp, 0) << "Keystone token parse error: malformed json" << dendl;
     return -EINVAL;
   }
 
@@ -362,7 +366,7 @@ int TokenEnvelope::parse(CephContext* const cct,
       return -ENOTSUP;
     }
   } catch (const JSONDecoder::err& err) {
-    ldout(cct, 0) << "Keystone token parse error: " << err.what() << dendl;
+    ldpp_dout(dpp, 0) << "Keystone token parse error: " << err.what() << dendl;
     return -EINVAL;
   }
 
@@ -465,14 +469,14 @@ void TokenCache::add_barbican(const rgw::keystone::TokenEnvelope& token)
   add_locked(barbican_token_id, token);
 }
 
-void TokenCache::invalidate(const std::string& token_id)
+void TokenCache::invalidate(const DoutPrefixProvider *dpp, const std::string& token_id)
 {
   std::lock_guard l{lock};
   map::iterator iter = tokens.find(token_id);
   if (iter == tokens.end())
     return;
 
-  ldout(cct, 20) << "invalidating revoked token id=" << token_id << dendl;
+  ldpp_dout(dpp, 20) << "invalidating revoked token id=" << token_id << dendl;
   token_entry& e = iter->second;
   tokens_lru.erase(e.lru_iter);
   tokens.erase(iter);
diff --git a/src/rgw/rgw_keystone.h b/src/rgw/rgw_keystone.h
index c5707b6a7f4..eb4657d4477 100644
--- a/src/rgw/rgw_keystone.h
+++ b/src/rgw/rgw_keystone.h
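Review bot: In `TokenCache::invalidate` (the `@@ -465,14 +469,14 @@` hunk) the rewritten line `ldpp_dout(dpp, 20) << "invalidating revoked token id=" << token_id` writes the complete token ID into the log; as far as this file shows, `token.id` is exactly what the other hunks hand back to callers as the credential (`token = t.token.id`), so the log line reproduces a bearer credential, now with a request prefix that makes it easier to correlate with a tenant. Logging only a short prefix is enough to match the entry against the cache: `ldpp_dout(dpp, 20) << "invalidating revoked token id=" << token_id.substr(0, 8) << "..." << dendl;` (`substr` clamps the count, so shorter IDs are safe). Level 20 limits exposure to debug runs, but debug logs are routinely attached to tickets, which is when this matters. Whether `tokens.erase(iter);` is the function's last statement is not visible; the body may continue past the hunk.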
@@ -119,14 +119,17 @@ public:
   typedef RGWKeystoneHTTPTransceiver RGWValidateKeystoneToken;
   typedef RGWKeystoneHTTPTransceiver RGWGetKeystoneAdminToken;
 
-  static int get_admin_token(CephContext* const cct,
+  static int get_admin_token(const DoutPrefixProvider *dpp,
+                             CephContext* const cct,
                              TokenCache& token_cache,
                              const Config& config,
                              std::string& token);
-  static int issue_admin_token_request(CephContext* const cct,
+  static int issue_admin_token_request(const DoutPrefixProvider *dpp,
+                                       CephContext* const cct,
                                        const Config& config,
                                        TokenEnvelope& token);
-  static int get_keystone_barbican_token(CephContext * const cct,
+  static int get_keystone_barbican_token(const DoutPrefixProvider *dpp,
+                                         CephContext * const cct,
                                          std::string& token);
 };
 
@@ -196,7 +199,7 @@ public:
     const uint64_t now = ceph_clock_now().sec();
     return now >= static_cast(get_expires());
   }
-  int parse(CephContext* cct,
+  int parse(const DoutPrefixProvider *dpp, CephContext* cct,
             const std::string& token_str,
             ceph::buffer::list& bl /* in */,
             ApiVersion version);
@@ -257,7 +260,7 @@ public:
   void add(const std::string& token_id, const TokenEnvelope& token);
   void add_admin(const TokenEnvelope& token);
   void add_barbican(const TokenEnvelope& token);
-  void invalidate(const std::string& token_id);
+  void invalidate(const DoutPrefixProvider *dpp, const std::string& token_id);
   bool going_down() const;
 private:
   void add_locked(const std::string& token_id, const TokenEnvelope& token);
diff --git a/src/rgw/rgw_kms.cc b/src/rgw/rgw_kms.cc
index fb2573af2c2..4d024641620 100644
--- a/src/rgw/rgw_kms.cc
+++ b/src/rgw/rgw_kms.cc
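Review bot: The new `dpp` parameter is added to five declarations in this header without a word on what it is for or whether it may be null; the .cc hunks only ever hand it to `ldpp_dout`, so a one-line comment above the `Service` methods, `// dpp: request-scoped log prefix provider; only used for ldpp_dout output`, would tell callers what to pass, and, unless `ldpp_dout` tolerates a null provider (not visible here), that `nullptr` is not an option. On style, `int parse(const DoutPrefixProvider *dpp, CephContext* cct,` in the second hunk folds two parameters onto one line and mixes `*dpp` with `CephContext* cct`, while every other signature changed in this file keeps one parameter per line and the existing `* const cct` spelling; keeping the one-per-line layout makes the declaration match its definition in rgw_keystone.cc. The enclosing classes start before and continue past these hunks.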
@@ -824,21 +824,22 @@ static int request_key_from_barbican(CephContext *cct,
   return res;
 }
 
-static int get_actual_key_from_barbican(CephContext *cct,
+static int get_actual_key_from_barbican(const DoutPrefixProvider *dpp,
+                                        CephContext *cct,
                                         std::string_view key_id,
                                         std::string& actual_key)
 {
   int res = 0;
   std::string token;
 
-  if (rgw::keystone::Service::get_keystone_barbican_token(cct, token) < 0) {
-    ldout(cct, 5) << "Failed to retrieve token for Barbican" << dendl;
+  if (rgw::keystone::Service::get_keystone_barbican_token(dpp, cct, token) < 0) {
+    ldpp_dout(dpp, 5) << "Failed to retrieve token for Barbican" << dendl;
     return -EINVAL;
   }
 
   res = request_key_from_barbican(cct, key_id, token, actual_key);
   if (res != 0) {
-    ldout(cct, 5) << "Failed to retrieve secret from Barbican:" << key_id << dendl;
+    ldpp_dout(dpp, 5) << "Failed to retrieve secret from Barbican:" << key_id << dendl;
   }
   return res;
 }
@@ -944,8 +945,7 @@ static int get_actual_key_from_kmip(CephContext *cct,
 }
 
 
-int reconstitute_actual_key_from_kms(const DoutPrefixProvider* dpp,
-                                     CephContext *cct,
+int reconstitute_actual_key_from_kms(const DoutPrefixProvider *dpp, CephContext *cct,
                                      map& attrs,
                                      std::string& actual_key)
 {
@@ -956,7 +956,7 @@ int reconstitute_actual_key_from_kms(const DoutPrefixProvider* dpp,
   ldpp_dout(dpp, 20) << "SSE-KMS backend is " << kms_backend << dendl;
 
   if (RGW_SSE_KMS_BACKEND_BARBICAN == kms_backend) {
-    return get_actual_key_from_barbican(cct, key_id, actual_key);
+    return get_actual_key_from_barbican(dpp, cct, key_id, actual_key);
   }
 
   if (RGW_SSE_KMS_BACKEND_VAULT == kms_backend) {
@@ -976,8 +976,7 @@ int reconstitute_actual_key_from_kms(const DoutPrefixProvider* dpp,
   return -EINVAL;
 }
 
-int make_actual_key_from_kms(const DoutPrefixProvider* dpp,
-                             CephContext *cct,
+int make_actual_key_from_kms(const DoutPrefixProvider *dpp, CephContext *cct,
                              map& attrs,
                              std::string& actual_key)
 {
diff --git a/src/rgw/rgw_kms.h b/src/rgw/rgw_kms.h
index 3ce03e83ab9..60d0e2113e1 100644
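Review bot: In `get_actual_key_from_barbican` (first hunk) the token-failure branch still drops whatever `get_keystone_barbican_token` returned and logs no code, so the request-prefixed message cannot distinguish an authentication rejection (`-EACCES`, visible in rgw_keystone.cc) from a malformed token response (`-EINVAL`) or a transport error from `token_req.process`; capture it in the condition that is being rewritten anyway: `const int tok_ret = rgw::keystone::Service::get_keystone_barbican_token(dpp, cct, token);` / `if (tok_ret < 0) {` / `ldpp_dout(dpp, 5) << "Failed to retrieve token for Barbican, ret=" << tok_ret << dendl;`, keeping `return -EINVAL;` unless it is confirmed that callers do not map this errno to an HTTP status. Separately, `request_key_from_barbican(cct, key_id, token, actual_key)` is still called with `cct` only, so any logging inside it (its body starts before this hunk and is not visible) will not carry the request prefix this series is adding; threading `dpp` through it would keep the Barbican path consistent with the rest of the change. The `@@ -944` and `@@ -976` hunks are pure signature reflow.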
--- a/src/rgw/rgw_kms.h
+++ b/src/rgw/rgw_kms.h
@@ -31,12 +31,10 @@ static const std::string RGW_SSE_KMS_KMIP_SE_KV = "kv";
  * TODO
  * \return
  */
-int make_actual_key_from_kms(const DoutPrefixProvider* dpp,
-                             CephContext *cct,
+int make_actual_key_from_kms(const DoutPrefixProvider *dpp, CephContext *cct,
                              std::map& attrs,
                              std::string& actual_key);
-int reconstitute_actual_key_from_kms(const DoutPrefixProvider* dpp,
-                                     CephContext *cct,
+int reconstitute_actual_key_from_kms(const DoutPrefixProvider *dpp, CephContext *cct,
                                      std::map& attrs,
                                      std::string& actual_key);
 
-- 
2.39.5
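Review bot: The doxygen block above `make_actual_key_from_kms` still reads `* TODO` / `* \return` with nothing filled in, and both declarations are being reflowed here without documenting the parameters, including the `dpp` that this series is about. Suggest replacing the placeholder with a brief such as `\brief Resolve the SSE-KMS data key for an object through the configured KMS backend`, followed by `\param dpp log prefix provider, used for ldpp_dout output`, `\param cct Ceph context`, `\param attrs object attributes the backend selection and key id are read from`, `\param actual_key receives the key material on success`, and `\return 0 on success, negative errno on failure (-EINVAL for an unrecognised backend)`; the backend dispatch and the `-EINVAL` fall-through are visible in `reconstitute_actual_key_from_kms` in rgw_kms.cc, while the exact attrs keys are not, so keep that sentence generic. How `make_` differs from `reconstitute_` is not visible in this series and should be stated by whoever knows it rather than guessed. The doc block starts before this hunk, so only its tail is visible.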