From ce18eec649a56b62c5d0a9bb7a407e72d630b89b Mon Sep 17 00:00:00 2001
From: Seena Fallah
Date: Thu, 9 Apr 2020 00:15:20 +0430
Subject: [PATCH] rgw: Add subuser to OPA request

Signed-off-by: Seena Fallah
(cherry picked from commit 793aaaaed9029e032128b50767a5faf1bb7f6d81)
---
 doc/radosgw/opa.rst | 1 +
 src/rgw/rgw_auth.cc | 4 ++++
 src/rgw/rgw_auth.h | 10 ++++++++++
 src/rgw/rgw_auth_filters.h | 4 ++++
 src/rgw/rgw_opa.cc | 1 +
 src/test/rgw/test_rgw_iam_policy.cc | 5 +++++
 6 files changed, 25 insertions(+)

diff --git a/doc/radosgw/opa.rst b/doc/radosgw/opa.rst
index ef26a74ad8fcb..f1b76b5ef78b2 100644
--- a/doc/radosgw/opa.rst
+++ b/doc/radosgw/opa.rst
@@ -46,6 +46,7 @@ Example request::
     {
       "input": {
         "method": "GET",
+        "subuser": "subuser",
         "user_info": {
           "user_id": "john",
           "display_name": "John"
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 38d5c9091889c..f1351c06346a2 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -92,6 +92,10 @@ transform_old_authinfo(CephContext* const cct,
     return {};
   }
 
+  string get_subuser() const override {
+    return {};
+  }
+
   void to_str(std::ostream& out) const override {
     out << "RGWDummyIdentityApplier(auth_id=" << id
         << ", perm_mask=" << perm_mask
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index a08a7f3024e2a..37971119be6c5 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -76,6 +76,9 @@ public:
 
   /* Name of Account */
   virtual string get_acct_name() const = 0;
+
+  /* Subuser of Account */
+  virtual string get_subuser() const = 0;
 };
 
 inline std::ostream& operator<<(std::ostream& out,
@@ -410,6 +413,10 @@ public:
     return token_claims.user_name;
   }
 
+  string get_subuser() const override {
+    return {};
+  }
+
   struct Factory {
     virtual ~Factory() {}
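Review bot: The new `RGWDummyIdentityApplier::get_subuser` in the rgw_auth.cc hunk unconditionally returns an empty string, so every request that reaches OPA through `transform_old_authinfo` is reported as having no subuser, even if the legacy auth info it was built from belonged to a subuser credential. If the caller's state carries a subuser name, it should be passed into this applier rather than dropped here; if it genuinely cannot be known on this path, a comment such as `// legacy auth info carries no subuser; OPA sees "" for these requests` should record that so policy authors are not misled. The class definition and its constructor begin outside the hunk, so I cannot see what inputs are available.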
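Review bot: The comment on the new pure virtual in the rgw_auth.h -76 hunk, `/* Subuser of Account */`, does not state the contract every override in this commit relies on: the value is the bare subuser name and is empty when the identity is not acting as a subuser (the overrides at rgw_auth.cc -92 and rgw_auth.h -410, -542 and -647 all return `{}`; only -603 returns a real value). Suggest `/* Subuser of Account; empty when the identity is not acting as a subuser */`. Keeping it pure virtual rather than defaulting to an empty body is the right call here: a default would let a future applier that does carry a subuser silently report none to the OPA policy, whereas the pure virtual forces each applier to decide explicitly.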
@@ -542,6 +549,7 @@ public:
   void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
   uint32_t get_identity_type() const override { return info.acct_type; }
   string get_acct_name() const override { return info.acct_name; }
+  string get_subuser() const override { return {}; }
 
   struct Factory {
     virtual ~Factory() {}
@@ -603,6 +611,7 @@ public:
   void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
   uint32_t get_identity_type() const override { return TYPE_RGW; }
   string get_acct_name() const override { return {}; }
+  string get_subuser() const override { return subuser; }
 
   struct Factory {
     virtual ~Factory() {}
@@ -647,6 +656,7 @@ public:
   void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
   uint32_t get_identity_type() const override { return TYPE_ROLE; }
   string get_acct_name() const override { return {}; }
+  string get_subuser() const override { return {}; }
   void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;
 
   struct Factory {
diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h
index 228d2cde697c9..8a5bf80644a72 100644
--- a/src/rgw/rgw_auth_filters.h
+++ b/src/rgw/rgw_auth_filters.h
@@ -88,6 +88,10 @@ public:
     return get_decoratee().get_acct_name();
   }
 
+  string get_subuser() const override {
+    return get_decoratee().get_subuser();
+  }
+
   bool is_identity(
     const boost::container::flat_set& ids) const override {
     return get_decoratee().is_identity(ids);
diff --git a/src/rgw/rgw_opa.cc b/src/rgw/rgw_opa.cc
index 79ba8784d04ce..96cc5841c1d01 100644
--- a/src/rgw/rgw_opa.cc
+++ b/src/rgw/rgw_opa.cc
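Review bot: The one-line stubs in the -542 hunk (the applier whose type is `info.acct_type`) and the -647 hunk (the `TYPE_ROLE` applier) return `{}` without saying why those identity kinds never carry a subuser, while the -603 hunk returns the `subuser` member; a reader cannot tell whether the empty result is a deliberate property of remote and role identities or an omission that will surface as an always-empty `input.subuser` in OPA. A trailing comment on each would settle it, e.g. `string get_subuser() const override { return {}; } // remote/role identities have no subuser`. The `subuser` member read at -603 is declared outside the hunk; I am assuming it is the one populated by that applier's constructor.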
@@ -45,6 +45,7 @@ int rgw_opa_authorize(RGWOp *& op,
   jf.dump_string("params", s->info.request_params.c_str());
   jf.dump_string("request_uri_aws4", s->info.request_uri_aws4.c_str());
   jf.dump_string("object_name", s->object.name.c_str());
+  jf.dump_string("subuser", s->auth.identity->get_subuser().c_str());
   jf.dump_object("user_info", s->user->get_info());
   jf.dump_object("bucket_info", s->bucket_info);
   jf.close_section();
diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
index 335daa6980bab..9f8e585cdf1bb 100644
--- a/src/test/rgw/test_rgw_iam_policy.cc
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -128,6 +128,11 @@ public:
     return 0;
   }
 
+  string get_subuser() const override {
+    abort();
+    return 0;
+  }
+
   void to_str(std::ostream& out) const override {
     out << id;
   }
-- 
2.39.5
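Review bot: `s->auth.identity->get_subuser().c_str()` hands `dump_string` a pointer into a temporary; that is valid for the duration of the call, but the `.c_str()` is unnecessary if `dump_string` accepts a `std::string` or `string_view` (its signature is not on this page) and it truncates the value at the first NUL byte, so `jf.dump_string("subuser", s->auth.identity->get_subuser());` is the safer form — the neighbouring lines use the same pattern, so this is as much pre-existing style as a new issue. Separately, only the applier returning `subuser` in the rgw_auth.h -603 hunk ever yields a non-empty value here and every other identity type reports `""`, so a policy keyed on `input.subuser` must treat the empty string as "not a subuser"; the opa.rst example this commit updates does not say so, and a sentence there stating it would prevent policies that deny on a missing field from behaving differently than intended. `rgw_opa_authorize` begins outside the hunk.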
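Review bot: `return 0;` after `abort()` in the new `get_subuser` stub of the test_rgw_iam_policy.cc hunk constructs a `std::string` from a null `const char*`, which is undefined behaviour if ever executed and draws a null-pointer-conversion warning on recent compilers; it copies the `return 0;` of the preceding stub in the hunk, but for a `string` return `return {};` expresses the same unreachable placeholder cleanly. Since `abort()` does not return, the trailing statement exists only to quiet compilers that would otherwise warn about a missing return, so `abort();` alone is also acceptable if the file's other stubs are treated the same way.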