From 88f482335d011af11a0d5f32528c72f16b3b30b5 Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh
Date: Tue, 30 Oct 2012 17:34:06 -0700
Subject: [PATCH] rgw: handle keystone roles
Signed-off-by: Yehuda Sadeh
---
 src/common/config_opts.h | 1 +
 src/rgw/rgw_swift.cc | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 41 insertions(+)
diff --git a/src/common/config_opts.h b/src/common/config_opts.h
index 3e45bbf48c77f..b2fe128587ecc 100644
--- a/src/common/config_opts.h
+++ b/src/common/config_opts.h
@@ -423,6 +423,7 @@ OPTION(rgw_swift_auth_entry, OPT_STR, "auth") // entry point for which a url is
 OPTION(rgw_swift_use_keystone, OPT_BOOL, false) // should swift use keystone?
 OPTION(rgw_swift_keystone_url, OPT_STR, "") // url for keystone server
 OPTION(rgw_swift_keystone_admin_token, OPT_STR, "") // keystone admin token (shared secret)
+OPTION(rgw_swift_keystone_operator_roles, OPT_STR, "swiftoperator, admin") // roles required to serve requests
 OPTION(rgw_admin_entry, OPT_STR, "admin") // entry point for which a url is considered an admin request
 OPTION(rgw_enforce_swift_acls, OPT_BOOL, true)
 OPTION(rgw_print_continue, OPT_BOOL, true) // enable if 100-Continue works
diff --git a/src/rgw/rgw_swift.cc b/src/rgw/rgw_swift.cc
index 47d67a76ceafc..14c0b958e7242 100644
--- a/src/rgw/rgw_swift.cc
+++ b/src/rgw/rgw_swift.cc
@@ -9,6 +9,8 @@
 #include "rgw_user.h"
 #include "rgw_http_client.h"
+#include "include/str_list.h"
+
 #define dout_subsys ceph_subsys_rgw
 class RGWValidateSwiftToken : public RGWHTTPClient {
@@ -102,6 +104,8 @@ public:
 string user_name;
 string expires;
+ map roles;
+
 KeystoneTokenResponseParser() {}
 int parse(bufferlist& bl);
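Review bot: The comment on the new `rgw_swift_keystone_operator_roles` option says "roles required to serve requests", but the check added to rgw_swift.cc in this same patch accepts a user who holds any one of the listed roles, so "required" reads as if all of them were needed. Suggest `// comma-separated list; a user must hold at least one of these roles to be served (an empty list denies everyone)`. The default `"swiftoperator, admin"` has a space after the comma, so the second entry only matches if the splitter used in rgw_swift.cc (`get_str_list`) also treats whitespace as a delimiter, which this patch does not show; worth confirming so the shipped default is not silently reduced to `swiftoperator` alone.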
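Review bot: The new `roles` member is a map used purely as a membership set: the parser stores `true` for every name and the only reader calls `find()`, so a set of role-name strings would state the intent more directly (the element types did not survive this rendering, `map roles;` presumably lost its template arguments). The member is also never cleared, so a parser instance reused for a second `parse()` call would accumulate roles from the previous response; if instances are one-shot, a comment saying so would settle it, e.g. `// role names from the last parsed token; filled by parse(), never cleared`. The enclosing class declaration starts and ends outside the hunk.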
@@ -134,6 +138,23 @@ int KeystoneTokenResponseParser::parse(bufferlist& bl)
 return -EINVAL;
 }
+ JSONObjIter riter = user->find("roles");
+ if (riter.end()) {
+ dout(0) << "token response is missing roles section" << dendl;
+ return -EINVAL;
+ }
+
+ for (; !riter.end(); ++riter) {
+ JSONObj *o = *riter;
+ JSONObj *role_name = o->find_obj("name");
+ if (!role_name) {
+ dout(0) << "token response is missing role name section" << dendl;
+ return -EINVAL;
+ }
+ string role = role_name->get_data();
+ roles[role] = true;
+ }
+
+ JSONObj *token = access_obj->find_obj("token");
+ if (!user) {
+ dout(0) << "missing token section in response" << dendl;
@@ -173,6 +194,25 @@ static int rgw_parse_keystone_token_response(bufferlist& bl, struct rgw_swift_au
 if (ret < 0)
 return ret;
+ list roles_list;
+
+ get_str_list(g_conf->rgw_swift_keystone_operator_roles, roles_list);
+
+ bool found = false;
+ list::iterator iter;
+ for (iter = roles_list.begin(); iter != roles_list.end(); ++iter) {
+ const string& role = *iter;
+ if (p.roles.find(role) != p.roles.end()) {
+ found = true;
+ break;
+ }
+ }
+
+ if (!found) {
+ dout(0) << "user does not hold a matching role; required roles: " << g_conf->rgw_swift_keystone_operator_roles << dendl;
+ return -EPERM;
+ }
+
+ dout(0) << "validated token: " << p.tenant_name << ":" << p.user_name << " expires: " << p.expires << dendl;
 info->user = p.tenant_name;
-- 2.39.5
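Review bot: An empty `roles` array in the token response is rejected with the same "token response is missing roles section" log and -EINVAL as an absent one, because `riter.end()` is true immediately after `user->find("roles")` when the list has no elements; the request is still denied, but the log blames the response format rather than the user's role set and the caller sees a parse error instead of the -EPERM the later role check would produce. Either distinguish the two cases or add a comment above the `if (riter.end())` check stating that a token without any role is deliberately treated as malformed. Separately, the guard after `JSONObj *token = access_obj->find_obj("token");` tests `if (!user)` rather than `token`; by the hunk's line counts this looks like pre-existing context rather than part of this change, but a response lacking the token section would reach a null `token`, so `if (!token) {` is worth fixing alongside. parse() starts and ends outside the hunk.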
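Review bot: The denial in the `if (!found)` branch logs the required roles but not who was denied, which makes the audit trail hard to correlate; the validated tenant and user name are already in `p`, so the message should name them, e.g. `dout(0) << "user " << p.tenant_name << ":" << p.user_name << " does not hold a matching role; required roles: " << g_conf->rgw_swift_keystone_operator_roles << dendl;`. Note also that an empty or unparsable `rgw_swift_keystone_operator_roles` leaves `roles_list` empty, `found` stays false, and every request is refused with -EPERM; that is the safe direction, but it is surprising enough for an operator that a comment above `bool found = false;` stating the fail-closed behaviour would help. The match is an exact, case-sensitive string comparison between the configured names and the names Keystone returned; if role names can differ in case between the two, that needs confirming. rgw_parse_keystone_token_response starts and ends outside the hunk.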