From 7841890e8f8b579f04346aef0399bd838369c0c5 Mon Sep 17 00:00:00 2001 From: Radoslaw Zarzynski Date: Sat, 23 Apr 2016 16:53:25 +0200 Subject: [PATCH] rgw: infrastructure for authentication engine-dependent ACL checks. Signed-off-by: Radoslaw Zarzynski --- src/rgw/rgw_auth.cc | 6 ++++++ src/rgw/rgw_auth.h | 17 ++++++++++++++++- 2 files changed, 22 insertions(+), 1 deletion(-) diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc index 1bbe1254b39e6..7a2e13f7b0e55 100644 --- a/src/rgw/rgw_auth.cc +++ b/src/rgw/rgw_auth.cc @@ -98,6 +98,12 @@ int RGWRemoteAuthApplier::get_perms_from_aclspec(const aclspec_t& aclspec) const aclspec); } + /* Now it's a time for invoking additional strategy that was supplied by + * a specific auth engine. */ + if (extra_acl_strategy) { + perm |= extra_acl_strategy(aclspec); + } + ldout(cct, 20) << "from ACL got perm=" << perm << dendl; return perm; } diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h index 640a80ac09c01..1704a690ca049 100644 --- a/src/rgw/rgw_auth.h +++ b/src/rgw/rgw_auth.h @@ -5,6 +5,7 @@ #ifndef CEPH_RGW_AUTH_H #define CEPH_RGW_AUTH_H +#include #include #include "rgw_common.h" @@ -124,11 +125,19 @@ public: } }; + using aclspec_t = RGWIdentityApplier::aclspec_t; + typedef std::function acl_strategy_t; + protected: /* Read-write is intensional here due to RGWUserInfo creation process. */ RGWRados * const store; - const AuthInfo info; + /* Supplemental strategy for extracting permissions from ACLs. Its results + * will be combined (ORed) with a default strategy that is responsible for + * handling backward compatibility. */ + const acl_strategy_t extra_acl_strategy; + + const AuthInfo info; virtual void create_account(const rgw_user acct_user, RGWUserInfo& user_info) const; /* out */ 
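Review bot: The OR at `perm |= extra_acl_strategy(aclspec);` can only widen the permission set, so an engine-supplied strategy is trusted to return only valid permission bits and can never be used to restrict what the default strategy already granted; the comment above the call should say this explicitly, e.g. `/* The extra strategy may only grant additional bits; it cannot revoke anything the default strategy returned. */`. The level-20 log on the following line records only the combined value, so the debug output cannot show which strategy contributed a grant; capturing the extra result first, `const auto extra_perm = extra_acl_strategy(aclspec); ldout(cct, 20) << "extra acl strategy perm=" << extra_perm << dendl; perm |= extra_perm;`, keeps that visible. The body of get_perms_from_aclspec starts outside the hunk.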
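Review bot: The new type alias pair mixes `using aclspec_t = ...;` with `typedef std::function ... acl_strategy_t;` on adjacent lines; writing the second as `using acl_strategy_t = std::function<...>;` keeps the style consistent with the line above (the template argument is not legible on this rendering of the patch, so it is not checked here). The member comment on `extra_acl_strategy` says the results are ORed but not that an empty strategy is permitted, nor that the member is deliberately declared ahead of `info` so that the constructor's mem-initializer order matches the declaration order; adding `May be empty, in which case only the default strategy applies. Declared before info so the constructor's initializer order matches.` would state both. The constructor where that ordering matters is in a later hunk.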
@@ -136,9 +145,11 @@ protected: public: RGWRemoteAuthApplier(CephContext * const cct, RGWRados * const store, + acl_strategy_t&& extra_acl_strategy, const AuthInfo info) : RGWAuthApplier(cct), store(store), + extra_acl_strategy(std::move(extra_acl_strategy)), info(info) { } @@ -150,7 +161,11 @@ public: struct Factory { virtual ~Factory() {} + /* Providing r-value reference here is required intensionally. Callee is + * thus disallowed to handle std::function in a way that could inhibit + * the move behaviour (like forgetting about std::moving a l-value). */ virtual aplptr_t create_apl_remote(CephContext * const cct, + acl_strategy_t&& extra_acl_strategy, const AuthInfo info) const = 0; }; }; -- 2.39.5
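Review bot: The constructor parameter `acl_strategy_t&& extra_acl_strategy` shadows the member of the same name, so `extra_acl_strategy(std::move(extra_acl_strategy))` relies on the mem-initializer's argument resolving to the parameter; that is correct but fragile and triggers -Wshadow. Renaming the parameter, `acl_strategy_t&& extra_acl_strategy_in,` and `extra_acl_strategy(std::move(extra_acl_strategy_in)),`, removes the ambiguity. The existing `store(store)` initializer appears to follow the same pattern, so this is a file-wide style choice; the note applies to the new line only.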
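Review bot: The new comment on `create_apl_remote` reads "required intensionally", which should be "intentionally", and "std::moving a l-value" reads better as "std::move on an lvalue". The comment also explains the mechanism but not the contract: implementers are expected to forward the strategy into the applier they construct, and, since the .cc hunk tests the function before invoking it, an empty strategy appears to be an allowed way of saying "no engine-specific checks". A rewritten version would read: `/* Taking an r-value reference is intentional: the callee cannot silently copy the std::function (e.g. by forgetting std::move on an lvalue). An empty strategy is allowed and means default ACL handling only. */`. Every existing Factory implementation must add the new parameter, which the pure-virtual declaration enforces at compile time.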