From 9ee29b5355e9ffeac76707e8d4070bfff5dc99d5 Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh
Date: Wed, 5 Nov 2014 14:38:46 -0800
Subject: [PATCH] rgw: update swift subuser perm masks when authenticating
Fixes: #9918
Backport: firefly, giant
It seems that we weren't setting the swift perm mask correctly.
Signed-off-by: Yehuda Sadeh
(cherry picked from commit 5d9f36f757a7272c24d2c9adc31db1ed5e712992)
---
 src/rgw/rgw_rest_swift.cc | 2 --
 src/rgw/rgw_swift.cc | 30 +++++++++++++++++++++++++++++-
 src/rgw/rgw_swift.h | 1 +
 src/rgw/rgw_swift_auth.cc | 3 ++-
 src/rgw/rgw_swift_auth.h | 2 +-
 5 files changed, 33 insertions(+), 5 deletions(-)
diff --git a/src/rgw/rgw_rest_swift.cc b/src/rgw/rgw_rest_swift.cc
index 9bdb811cd6ac6..98f3c2c202418 100644
--- a/src/rgw/rgw_rest_swift.cc
+++ b/src/rgw/rgw_rest_swift.cc
@@ -788,8 +788,6 @@ int RGWHandler_ObjStore_SWIFT::authorize()
 if (!authorized) return -EPERM;
- s->perm_mask = RGW_PERM_FULL_CONTROL;
-
 return 0;
 }
diff --git a/src/rgw/rgw_swift.cc b/src/rgw/rgw_swift.cc
index 2445e174b9d15..46c45bd9dfe76 100644
--- a/src/rgw/rgw_swift.cc
+++ b/src/rgw/rgw_swift.cc
@@ -610,6 +610,34 @@ int authenticate_temp_url(RGWRados *store, req_state *s)
 }
 bool RGWSwift::verify_swift_token(RGWRados *store, req_state *s)
+{
+ if (!do_verify_swift_token(store, s)) {
+ return false;
+ }
+
+ if (!s->swift_user.empty()) {
+ string subuser;
+ ssize_t pos = s->swift_user.find(':');
+ if (pos < 0) {
+ subuser = s->swift_user;
+ } else {
+ subuser = s->swift_user.substr(pos + 1);
+ }
+ s->perm_mask = 0;
+ map::iterator iter = s->user.subusers.find(subuser);
+ if (iter != s->user.subusers.end()) {
+ RGWSubUser& subuser = iter->second;
+ s->perm_mask = subuser.perm_mask;
+ }
+ } else {
+ s->perm_mask = RGW_PERM_FULL_CONTROL;
+ }
+
+ return true;
+
+}
+
+bool RGWSwift::do_verify_swift_token(RGWRados *store, req_state *s)
 {
 if (!s->os_auth_token) {
 int ret = authenticate_temp_url(store, s);
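Review bot: The `else` branch of the new `verify_swift_token()` wrapper fails open: whenever `do_verify_swift_token()` succeeds and `s->swift_user` is still empty, the request receives `RGW_PERM_FULL_CONTROL`. In the visible hunks only the `AUTH_rgwtk` branch passes `&s->swift_user`, so every other path that authenticates (the temp-URL call at the end of this hunk, and whatever follows outside it) presumably lands here; if that is intended, record it with a comment such as `/* no subuser recorded (not a signed rgw token): keep the previous full-control default */`, otherwise set `s->perm_mask = 0` before the branch and grant full control only on the paths meant to have it. Separately, `ssize_t pos = s->swift_user.find(':'); if (pos < 0)` depends on `string::npos` converting to a negative value; `size_t pos = s->swift_user.find(':'); if (pos == string::npos) {` states the check directly. The inner `RGWSubUser& subuser` also shadows the `string subuser` declared a few lines above and would read better under a different name. The body of `do_verify_swift_token()` continues past the end of this hunk.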
@@ -617,7 +645,7 @@ bool RGWSwift::verify_swift_token(RGWRados *store, req_state *s)
 }
 if (strncmp(s->os_auth_token, "AUTH_rgwtk", 10) == 0) {
- int ret = rgw_swift_verify_signed_token(s->cct, store, s->os_auth_token, s->user);
+ int ret = rgw_swift_verify_signed_token(s->cct, store, s->os_auth_token, s->user, &s->swift_user);
 if (ret < 0) return false;
diff --git a/src/rgw/rgw_swift.h b/src/rgw/rgw_swift.h
index 97347e8069180..300b5eb7d019e 100644
--- a/src/rgw/rgw_swift.h
+++ b/src/rgw/rgw_swift.h
@@ -53,6 +53,7 @@ class RGWSwift {
 bool supports_keystone() {
 return !cct->_conf->rgw_keystone_url.empty();
 }
+ bool do_verify_swift_token(RGWRados *store, req_state *s);
 protected:
 int check_revoked();
 public:
diff --git a/src/rgw/rgw_swift_auth.cc b/src/rgw/rgw_swift_auth.cc
index 9c800c4c2c71d..553f629d6ef3a 100644
--- a/src/rgw/rgw_swift_auth.cc
+++ b/src/rgw/rgw_swift_auth.cc
@@ -56,7 +56,7 @@ static int encode_token(CephContext *cct, string& swift_user, string& key, buffe
 return ret;
 }
-int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char *token, RGWUserInfo& info)
+int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char *token, RGWUserInfo& info, string *pswift_user)
 {
 if (strncmp(token, "AUTH_rgwtk", 10) != 0) return -EINVAL;
@@ -123,6 +123,7 @@ int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char
 dout(0) << "NOTICE: tokens mismatch tok=" << buf << dendl;
 return -EPERM;
 }
+ *pswift_user = swift_user;
 return 0;
 }
diff --git a/src/rgw/rgw_swift_auth.h b/src/rgw/rgw_swift_auth.h
index 6d50d945641fd..61050d8a628c6 100644
--- a/src/rgw/rgw_swift_auth.h
+++ b/src/rgw/rgw_swift_auth.h
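Review bot: The added `*pswift_user = swift_user;` in the `@@ -123,6 +123,7 @@` hunk of rgw_swift_auth.cc dereferences the new out-parameter unconditionally, although a pointer parameter reads as optional. The one caller in this patch passes `&s->swift_user`, but the function is declared `extern` in rgw_swift_auth.h, so either guard it with `if (pswift_user) *pswift_user = swift_user;` or take `string& swift_user_out` so a null argument cannot be passed at all. The assignment is correctly placed after the token-mismatch check, so the name is only published for a verified token; a one-line comment saying so would protect that ordering from later edits. The function body starts and ends outside the hunk.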
@@ -6,7 +6,7 @@
 #define RGW_SWIFT_TOKEN_EXPIRATION (15 * 60)
-extern int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char *token, RGWUserInfo& info);
+extern int rgw_swift_verify_signed_token(CephContext *cct, RGWRados *store, const char *token, RGWUserInfo& info, string *pswift_user);
 class RGW_SWIFT_Auth_Get : public RGWOp {
 public:
--
2.39.5