From 7ead219d726f63f55d793ebb0c059acbb310a15e Mon Sep 17 00:00:00 2001
From: Tobias Urdin
Date: Mon, 2 May 2022 09:48:15 +0000
Subject: [PATCH] rgw/auth: Deny request if service token does not have accepted roles

The default behavior should be that an invalid service token makes the request invalid even though we have not checked the X-Auth-Token yet.

This is not required but should reflect the same behavior as other keystonemiddleware implemented services have.

Signed-off-by: Tobias Urdin
---
 src/rgw/rgw_auth_keystone.cc | 1 +
 1 file changed, 1 insertion(+)

diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc
index 9976449f28b2..c42b0604cebb 100644
--- a/src/rgw/rgw_auth_keystone.cc
+++ b/src/rgw/rgw_auth_keystone.cc
@@ -300,6 +300,7 @@ TokenEngine::authenticate(const DoutPrefixProvider* dpp,
 if (!allow_expired) {
 ldpp_dout(dpp, 0) << "service token user does not hold a matching role; required roles: " << g_conf()->rgw_keystone_service_token_accepted_roles << dendl;
+ return result_t::deny(-EPERM);
 }
 }
 }
-- 
2.47.3
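Review bot: The new early return is the right fail-closed outcome, but nothing at the return site says why the request is rejected before the user's X-Auth-Token has even been looked at; a one-line comment would keep that intent visible, e.g. `// Fail closed: a service token without an accepted role rejects the whole request, matching keystonemiddleware behaviour.` The log line just above it is emitted at level 0 on every such denial, and that path is reachable by any caller that supplies a service token, so it is worth checking that this level matches the file's other deny paths rather than flooding the log. TokenEngine::authenticate starts before the hunk and `allow_expired` is set outside the visible lines, so that the flag only reflects the role check is inferred from the commit message, not from the hunk.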