From 7a029f8405f1408692ed064c24c63d7ba6ecf181 Mon Sep 17 00:00:00 2001 From: Seena Fallah Date: Thu, 9 Apr 2020 00:15:20 +0430 Subject: [PATCH] rgw: Add subuser to OPA request Signed-off-by: Seena Fallah (cherry picked from commit 793aaaaed9029e032128b50767a5faf1bb7f6d81) Conflicts: src/rgw/rgw_opa.cc - jf.dump_object("user_info", ...) line looks different in nautilus --- doc/radosgw/opa.rst | 1 + src/rgw/rgw_auth.cc | 4 ++++ src/rgw/rgw_auth.h | 10 ++++++++++ src/rgw/rgw_auth_filters.h | 4 ++++ src/rgw/rgw_opa.cc | 1 + src/test/rgw/test_rgw_iam_policy.cc | 5 +++++ 6 files changed, 25 insertions(+) diff --git a/doc/radosgw/opa.rst b/doc/radosgw/opa.rst index 89f9300b94e..74eeb918b95 100644 --- a/doc/radosgw/opa.rst +++ b/doc/radosgw/opa.rst @@ -46,6 +46,7 @@ Example request:: { "input": { "method": "GET", + "subuser": "subuser", "user_info": { "used_id": "john", "display_name": "John" diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc index b03d5b28010..078c16e6f67 100644 --- a/src/rgw/rgw_auth.cc +++ b/src/rgw/rgw_auth.cc @@ -87,6 +87,10 @@ transform_old_authinfo(const req_state* const s) return {}; } + string get_subuser() const override { + return {}; + } + void to_str(std::ostream& out) const override { out << "RGWDummyIdentityApplier(auth_id=" << id << ", perm_mask=" << perm_mask diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h index 2aaa1a5ac1f..dad0897697f 100644 --- a/src/rgw/rgw_auth.h +++ b/src/rgw/rgw_auth.h @@ -75,6 +75,9 @@ public: /* Name of Account */ virtual string get_acct_name() const = 0; + + /* Subuser of Account */ + virtual string get_subuser() const = 0; }; inline std::ostream& operator<<(std::ostream& out, @@ -403,6 +406,10 @@ public: return token_claims.user_name; } + string get_subuser() const override { + return {}; + } + struct Factory { virtual ~Factory() {} 
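Review bot: The new pure virtual `get_subuser()` on the identity interface (rgw_auth.h, hunk at -75,6) is documented only as `/* Subuser of Account */`, which does not say what is returned when there is no subuser, even though the value is fed into the OPA authorization input. Every implementation in this patch except the one returning its `subuser` member returns `{}`, so the intended contract appears to be "empty string means none". I would state that in the comment, e.g. `/* Subuser the request was authenticated as; empty if the identity has none or the applier does not track subusers. */`. The example in doc/radosgw/opa.rst shows only a non-empty value and would benefit from the same sentence. The class body starts and ends outside the hunk.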
@@ -535,6 +542,7 @@ public: void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */ uint32_t get_identity_type() const override { return info.acct_type; } string get_acct_name() const override { return info.acct_name; } + string get_subuser() const override { return {}; } struct Factory { virtual ~Factory() {} @@ -596,6 +604,7 @@ public: void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */ uint32_t get_identity_type() const override { return TYPE_RGW; } string get_acct_name() const override { return {}; } + string get_subuser() const override { return subuser; } struct Factory { virtual ~Factory() {} @@ -640,6 +649,7 @@ public: void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */ uint32_t get_identity_type() const override { return TYPE_ROLE; } string get_acct_name() const override { return {}; } + string get_subuser() const override { return {}; } void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override; struct Factory { diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h index ff0a33eaae6..a2b62e2cff5 100644 --- a/src/rgw/rgw_auth_filters.h +++ b/src/rgw/rgw_auth_filters.h @@ -88,6 +88,10 @@ public: return get_decoratee().get_acct_name(); } + string get_subuser() const override { + return get_decoratee().get_subuser(); + } + bool is_identity( const boost::container::flat_set& ids) const override { return get_decoratee().is_identity(ids); diff --git a/src/rgw/rgw_opa.cc b/src/rgw/rgw_opa.cc index 08abf5a174f..2331beb69a4 100644 --- a/src/rgw/rgw_opa.cc +++ b/src/rgw/rgw_opa.cc 
@@ -44,6 +44,7 @@ int rgw_opa_authorize(RGWOp *& op, jf.dump_string("params", s->info.request_params.c_str()); jf.dump_string("request_uri_aws4", s->info.request_uri_aws4.c_str()); jf.dump_string("object_name", s->object.name.c_str()); + jf.dump_string("subuser", s->auth.identity->get_subuser().c_str()); jf.dump_object("user_info", *s->user); jf.dump_object("bucket_info", s->bucket_info); jf.close_section(); diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc index a0a6ac4fdd1..b12ab7fd978 100644 --- a/src/test/rgw/test_rgw_iam_policy.cc +++ b/src/test/rgw/test_rgw_iam_policy.cc @@ -124,6 +124,11 @@ public: return 0; } + string get_subuser() const override { + abort(); + return 0; + } + void to_str(std::ostream& out) const override { out << id; } -- 2.47.3
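Review bot: The added `jf.dump_string("subuser", s->auth.identity->get_subuser().c_str());` in rgw_opa.cc dereferences `s->auth.identity` with no null check visible in this hunk, whereas the neighbouring fields are read from `s->info`, `s->object` and `s->user`. If any path can reach `rgw_opa_authorize` before an identity has been applied, the gateway would crash instead of denying the request. An early guard such as `if (!s->auth.identity) return -EPERM;` before the request body is built, or a comment confirming that callers guarantee a non-null identity, would make this explicit. Separately, the field is an empty string both for a full user and for identity types that do not track subusers, so a policy cannot tell the two apart from `subuser` alone and should not treat an empty value as proof of a full user. The function body starts and ends outside the hunk.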
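Review bot: The stub added to test_rgw_iam_policy.cc ends with `return 0;` although `get_subuser()` returns `string`. The literal `0` is a null pointer constant, so this builds a `std::string` from a null `const char*`, which is undefined behaviour if ever reached and may stop compiling under C++23, which deletes construction from `nullptr`. It is unreachable after `abort()` today, but `return {};` states the intent and matches the other implementations in this patch. The enclosing class starts outside the hunk.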