From e7b7e1afc7a81c3f97976f7442fbdc5118b532b5 Mon Sep 17 00:00:00 2001 From: Sangdi Xu Date: Wed, 16 Dec 2015 09:09:16 +0800 Subject: [PATCH] rgw: add a method to purge all associate keys when removing a subuser Fixes: #12890 When removing a subuser, make sure all of its keys, including the swift key and possible s3 keys, are also deleted. Signed-off-by: Sangdi Xu --- src/rgw/rgw_user.cc | 65 +++++++++++++++++++++++++++++++++++++++++---- src/rgw/rgw_user.h | 1 + 2 files changed, 61 insertions(+), 5 deletions(-) diff --git a/src/rgw/rgw_user.cc b/src/rgw/rgw_user.cc index 47475c3d8b5ea..e4f7da7558ab8 100644 --- a/src/rgw/rgw_user.cc +++ b/src/rgw/rgw_user.cc @@ -1158,6 +1158,63 @@ int RGWAccessKeyPool::remove(RGWUserAdminOpState& op_state, std::string *err_msg return 0; } +// remove all keys associated with a subuser +int RGWAccessKeyPool::remove_subuser_keys(RGWUserAdminOpState& op_state, + std::string *err_msg, bool defer_user_update) +{ + int ret = 0; + + if (!op_state.is_populated()) { + set_err_msg(err_msg, "user info was not populated"); + return -EINVAL; + } + + if (!op_state.has_subuser()) { + set_err_msg(err_msg, "no subuser specified"); + return -EINVAL; + } + + std::string swift_kid = op_state.build_default_swift_kid(); + if (swift_kid.empty()) { + set_err_msg(err_msg, "empty swift access key"); + return -EINVAL; + } + + map::iterator kiter; + map *keys_map; + + // a subuser can have at most one swift key + keys_map = swift_keys; + kiter = keys_map->find(swift_kid); + if (kiter != keys_map->end()) { + rgw_remove_key_index(store, kiter->second); + keys_map->erase(kiter); + } + + // a subuser may have multiple s3 key pairs + std::string subuser_str = op_state.get_subuser(); + keys_map = access_keys; + RGWUserInfo user_info = op_state.get_user_info(); + map::iterator user_kiter = user_info.access_keys.begin(); + for (; user_kiter != user_info.access_keys.end(); ++user_kiter) { + if (user_kiter->second.subuser == subuser_str) { + kiter = keys_map->find(user_kiter->first); + if (kiter != keys_map->end()) { + rgw_remove_key_index(store, kiter->second); + keys_map->erase(kiter); + } + } + } + + if (!defer_user_update) + ret = user->update(op_state, err_msg); + + if (ret < 0) + return ret; + + return 0; +} + RGWSubUserPool::RGWSubUserPool(RGWUser *usr) { subusers_allowed = (usr != NULL); @@ -1333,12 +1390,10 @@ int RGWSubUserPool::execute_remove(RGWUserAdminOpState& op_state, return -EINVAL; } - if (op_state.will_purge_keys()) { - // error would be non-existance so don't check - user->keys.remove(op_state, &subprocess_msg, true); - } + // always purge all associate keys + user->keys.remove_subuser_keys(op_state, &subprocess_msg, defer_user_update); - //remove the subuser from the user info + // remove the subuser from the user info subuser_map->erase(siter); // attempt to save the subuser diff --git a/src/rgw/rgw_user.h b/src/rgw/rgw_user.h index 93666bd0db03b..1035d08233548 100644 --- a/src/rgw/rgw_user.h +++ b/src/rgw/rgw_user.h @@ -508,6 +508,7 @@ private: /* API Contract Fulfilment */ int execute_add(RGWUserAdminOpState& op_state, std::string *err_msg, bool defer_save); int execute_remove(RGWUserAdminOpState& op_state, std::string *err_msg, bool defer_save); + int remove_subuser_keys(RGWUserAdminOpState& op_state, std::string *err_msg, bool defer_save); int add(RGWUserAdminOpState& op_state, std::string *err_msg, bool defer_save); int remove(RGWUserAdminOpState& op_state, std::string *err_msg, bool defer_save); -- 2.39.5