From e9d7e198bb455bb56f0b559c663fbf1e15eae254 Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Mon, 15 Jul 2024 15:39:26 -0400
Subject: [PATCH] rgw/auth: RemoteApplier respects implicit tenants
RemoteApplier::load_acct_info() and create_account() decide whether to add the implicit tenant. store the resulting rgw_user for use in get_aclowner() and get_tenant()
Fixes: https://tracker.ceph.com/issues/66937
Signed-off-by: Casey Bodley
(cherry picked from commit ddbe2c06fd7e8f7253a17a0e88f5ead0d7958148)
---
 src/rgw/rgw_auth.cc | 16 +++++++++-------
 src/rgw/rgw_auth.h | 5 ++++-
 2 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 57eded9eb6a..ba34fe81c94 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -773,7 +773,7 @@ ACLOwner rgw::auth::RemoteApplier::get_aclowner() const
 owner.id = account->id;
 owner.display_name = account->name;
 } else {
- owner.id = info.acct_user;
+ owner.id = owner_acct_user;
 owner.display_name = info.acct_name;
 }
 return owner;
@@ -848,7 +848,7 @@ bool rgw::auth::RemoteApplier::is_identity(const Principal& p) const {
 void rgw::auth::RemoteApplier::to_str(std::ostream& out) const
 {
- out << "rgw::auth::RemoteApplier(acct_user=" << info.acct_user
+ out << "rgw::auth::RemoteApplier(acct_user=" << owner_acct_user
 << ", acct_name=" << info.acct_name
 << ", perm_mask=" << info.perm_mask
 << ", is_admin=" << info.is_admin << ")";
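Review bot: In hunk @@ -773 `get_aclowner()` now hands out `owner_acct_user` as the ACL owner id, but that member is only written inside `load_acct_info()` and `create_account()` (hunks @@ -898, @@ -976, @@ -991) and the header hunk @@ -621 declares it with no initializer, so on any path where neither ran — or where `load_acct_info()` returns before reaching those assignments — the owner id, and `get_tenant()` in hunk @@ -663, silently become an empty `rgw_user`/tenant instead of the `info.acct_user` the old code returned, which is a worse fallback for an authorization decision. The constructor is outside these hunks, so this is inferred; if it does not already seed the member, initialize it there with `owner_acct_user(info.acct_user)` (or set `owner_acct_user = acct_user;` at the top of `load_acct_info()` before the lookups) so the pre-change value remains the default. The same applies to `to_str()` in hunk @@ -848, though that is only diagnostic output. The header comment should also say when the value is meaningful, e.g. `// info.acct_user with the implicit tenant applied; populated by load_acct_info()/create_account()`.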
@@ -898,15 +898,15 @@ void rgw::auth::RemoteApplier::create_account(const DoutPrefixProvider* dpp,
 bool implicit_tenant,
 RGWUserInfo& user_info) const /* out */
 {
- rgw_user new_acct_user = acct_user;
+ owner_acct_user = acct_user;
 /* An upper layer may enforce creating new accounts within their own
 * tenants. */
- if (new_acct_user.tenant.empty() && implicit_tenant) {
- new_acct_user.tenant = new_acct_user.id;
+ if (owner_acct_user.tenant.empty() && implicit_tenant) {
+ owner_acct_user.tenant = owner_acct_user.id;
 }
- std::unique_ptr user = driver->get_user(new_acct_user);
+ std::unique_ptr user = driver->get_user(owner_acct_user);
 user->get_info().display_name = info.acct_name;
 if (info.acct_type) { //ldap/keystone for s3 users
@@ -967,7 +967,7 @@ void rgw::auth::RemoteApplier::load_acct_info(const DoutPrefixProvider* dpp, RGW
 if (split_mode && !implicit_tenant)
 ; /* suppress lookup for id used by "other" protocol */
 else if (acct_user.tenant.empty()) {
- const rgw_user tenanted_uid(acct_user.id, acct_user.id);
+ rgw_user tenanted_uid(acct_user.id, acct_user.id);
 user = driver->get_user(tenanted_uid);
 if (user->load_user(dpp, null_yield) >= 0) {
@@ -976,6 +976,7 @@ void rgw::auth::RemoteApplier::load_acct_info(const DoutPrefixProvider* dpp, RGW
 user->get_attrs(), account, policies);
 user_info = std::move(user->get_info());
+ owner_acct_user = std::move(tenanted_uid);
 return;
 }
 }
@@ -990,6 +991,7 @@ void rgw::auth::RemoteApplier::load_acct_info(const DoutPrefixProvider* dpp, RGW
 user->get_attrs(), account, policies);
 user_info = std::move(user->get_info());
+ owner_acct_user = acct_user;
 return;
 }
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index 2029bf6ce1e..f3edbbab845 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
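Review bot: In hunk @@ -898 `owner_acct_user` is assigned and tenant-rewritten before `driver->get_user()` and whatever persists the new account further down (the rest of `create_account()` is outside the hunk), so if that later step fails the applier is left reporting an identity whose account was never created, whereas the old local `new_acct_user` had no such side effect. It would be safer to keep the computation local — keep `rgw_user new_acct_user = acct_user;` for the tenant logic and the `get_user()` call — and publish it with `owner_acct_user = new_acct_user;` only once the account exists, mirroring how hunks @@ -976 and @@ -991 assign it only after a successful load. Since `create_account()` and `load_acct_info()` are `const` yet now write this `mutable` member that `get_aclowner()`/`get_tenant()` return, a short comment at each assignment, `// publish the effective owner for get_aclowner()/get_tenant()`, would make the side effect visible. Dropping `const` from `tenanted_uid` in hunk @@ -967 is only needed for the `std::move` in @@ -976 and is fine, as the variable is not read after the move in that branch.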
@@ -621,6 +621,9 @@ protected:
 const rgw::auth::ImplicitTenants& implicit_tenant_context;
 const rgw::auth::ImplicitTenants::implicit_tenant_flag_bits implicit_tenant_bit;
+ // AuthInfo::acct_user updated with implicit tenant if necessary
+ mutable rgw_user owner_acct_user;
+
 // account and policies are loaded by load_acct_info()
 mutable std::optional account;
 mutable std::vector policies;
@@ -660,7 +663,7 @@ public:
 std::string get_acct_name() const override { return info.acct_name; }
 std::string get_subuser() const override { return {}; }
 const std::string& get_tenant() const override {
- return info.acct_user.tenant;
+ return owner_acct_user.tenant;
 }
 const std::optional& get_account() const override {
 return account;
-- 
2.39.5