From 8703b7aaf556846b144a23bf74c1621309ff7192 Mon Sep 17 00:00:00 2001 From: Casey Bodley Date: Mon, 15 Jan 2024 11:11:35 -0500 Subject: [PATCH] rgw/iam: enable Role apis against account users Signed-off-by: Casey Bodley --- src/rgw/rgw_rest_role.cc | 85 +++++++++++++++++++++++++++------------- src/rgw/rgw_rest_role.h | 1 + 2 files changed, 59 insertions(+), 27 deletions(-) diff --git a/src/rgw/rgw_rest_role.cc b/src/rgw/rgw_rest_role.cc index b44634e83b615..4ee5707e0b05a 100644 --- a/src/rgw/rgw_rest_role.cc +++ b/src/rgw/rgw_rest_role.cc @@ -96,13 +96,27 @@ static rgw::ARN make_role_arn(const std::string& path, } static int load_role(const DoutPrefixProvider* dpp, optional_yield y, - rgw::sal::Driver* driver, - const std::string& tenant, + rgw::sal::Driver* driver, const rgw_owner& owner, + rgw_account_id& account_id, const std::string& tenant, const std::string& name, std::unique_ptr& role, - rgw::ARN& resource, - std::string& message) + rgw::ARN& resource, std::string& message) { + if (const auto* id = std::get_if(&owner); id) { + account_id = *id; + + // look up account role by RoleName + int r = driver->load_account_role_by_name(dpp, y, account_id, name, &role); + if (r == -ENOENT) { + message = "No such RoleName in the account"; + return -ERR_NO_ROLE_FOUND; + } + if (r >= 0) { + resource = make_role_arn(role->get_path(), role->get_name(), account_id); + } + return r; + } + role = driver->get_role(name, tenant); const int r = role->get(dpp, y); if (r == -ENOENT) { @@ -161,7 +175,12 @@ int RGWCreateRole::init_processing(optional_yield y) return -ERR_LIMIT_EXCEEDED; } - resource = make_role_arn(role_path, role_name, s->user->get_tenant()); + + if (const auto* id = std::get_if(&s->owner.id); id) { + resource = make_role_arn(role_path, role_name, *id); + } else { + resource = make_role_arn(role_path, role_name, s->user->get_tenant()); + } return 0; } @@ -276,8 +295,9 @@ int RGWDeleteRole::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->user->get_tenant(), role_name, - role, resource, s->err.message); + return load_role(this, y, driver, s->owner.id, account_id, + s->user->get_tenant(), role_name, role, resource, + s->err.message); } void RGWDeleteRole::execute(optional_yield y) @@ -333,8 +353,9 @@ int RGWGetRole::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->user->get_tenant(), role_name, - role, resource, s->err.message); + return load_role(this, y, driver, s->owner.id, account_id, + s->user->get_tenant(), role_name, role, resource, + s->err.message); } void RGWGetRole::execute(optional_yield y) @@ -370,8 +391,9 @@ int RGWModifyRoleTrustPolicy::init_processing(optional_yield y) return -ERR_MALFORMED_DOC; } - return load_role(this, y, driver, s->user->get_tenant(), role_name, - role, resource, s->err.message); + return load_role(this, y, driver, s->owner.id, account_id, + s->user->get_tenant(), role_name, role, resource, + s->err.message); } void RGWModifyRoleTrustPolicy::execute(optional_yield y) @@ -418,6 +440,7 @@ int RGWListRoles::init_processing(optional_yield y) void RGWListRoles::execute(optional_yield y) { + // TODO: list_account_roles() for account owner vector> result; op_ret = driver->get_roles(s, y, path_prefix, s->user->get_tenant(), result); @@ -469,8 +492,9 @@ int RGWPutRolePolicy::init_processing(optional_yield y) return -ERR_MALFORMED_DOC; } - return load_role(this, y, driver, s->user->get_tenant(), role_name, - role, resource, s->err.message); + return load_role(this, y, driver, s->owner.id, account_id, + s->user->get_tenant(), role_name, role, resource, + s->err.message); } void RGWPutRolePolicy::execute(optional_yield y) @@ -524,8 +548,9 @@ int RGWGetRolePolicy::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->user->get_tenant(), role_name, - role, resource, s->err.message); + return load_role(this, y, driver, s->owner.id, account_id, + s->user->get_tenant(), role_name, role, resource, + s->err.message); } void RGWGetRolePolicy::execute(optional_yield y) @@ -557,8 +582,9 @@ int RGWListRolePolicies::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->user->get_tenant(), role_name, - role, resource, s->err.message); + return load_role(this, y, driver, s->owner.id, account_id, + s->user->get_tenant(), role_name, role, resource, + s->err.message); } void RGWListRolePolicies::execute(optional_yield y) @@ -591,8 +617,9 @@ int RGWDeleteRolePolicy::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->user->get_tenant(), role_name, - role, resource, s->err.message); + return load_role(this, y, driver, s->owner.id, account_id, + s->user->get_tenant(), role_name, role, resource, + s->err.message); } void RGWDeleteRolePolicy::execute(optional_yield y) @@ -649,8 +676,9 @@ int RGWTagRole::init_processing(optional_yield y) return r; } - return load_role(this, y, driver, s->user->get_tenant(), role_name, - role, resource, s->err.message); + return load_role(this, y, driver, s->owner.id, account_id, + s->user->get_tenant(), role_name, role, resource, + s->err.message); } void RGWTagRole::execute(optional_yield y) @@ -704,8 +732,9 @@ int RGWListRoleTags::init_processing(optional_yield y) return -EINVAL; } - return load_role(this, y, driver, s->user->get_tenant(), role_name, - role, resource, s->err.message); + return load_role(this, y, driver, s->owner.id, account_id, + s->user->get_tenant(), role_name, role, resource, + s->err.message); } void RGWListRoleTags::execute(optional_yield y) @@ -749,8 +778,9 @@ int RGWUntagRole::init_processing(optional_yield y) }); } - return load_role(this, y, driver, s->user->get_tenant(), role_name, - role, resource, s->err.message); + return load_role(this, y, driver, s->owner.id, account_id, + s->user->get_tenant(), role_name, role, resource, + s->err.message); } void RGWUntagRole::execute(optional_yield y) @@ -802,8 +832,9 @@ int RGWUpdateRole::init_processing(optional_yield y) max_session_duration = s->info.args.get("MaxSessionDuration"); - return load_role(this, y, driver, s->user->get_tenant(), role_name, - role, resource, s->err.message); + return load_role(this, y, driver, s->owner.id, account_id, + s->user->get_tenant(), role_name, role, resource, + s->err.message); } void RGWUpdateRole::execute(optional_yield y) diff --git a/src/rgw/rgw_rest_role.h b/src/rgw/rgw_rest_role.h index d26fbe125753a..fff9406227b32 100644 --- a/src/rgw/rgw_rest_role.h +++ b/src/rgw/rgw_rest_role.h @@ -13,6 +13,7 @@ class RGWRestRole : public RGWRESTOp { const uint64_t action; const uint32_t perm; protected: + rgw_account_id account_id; rgw::ARN resource; // must be initialized before verify_permission() int check_caps(const RGWUserCaps& caps) override; -- 2.39.5