]>
Commit | Line | Data |
---|---|---|
11fdf7f2 | 1 | // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- |
9f95a23c | 2 | // vim: ts=8 sw=2 smarttab ft=cpp |
11fdf7f2 TL |
3 | |
4 | #include <errno.h> | |
5 | #include <regex> | |
6 | ||
7 | #include "common/errno.h" | |
8 | #include "common/Formatter.h" | |
9 | #include "common/ceph_json.h" | |
10 | ||
11 | #include "include/types.h" | |
12 | #include "rgw_string.h" | |
13 | ||
14 | #include "rgw_common.h" | |
f51cf556 | 15 | #include "rgw_iam_managed_policy.h" |
11fdf7f2 | 16 | #include "rgw_op.h" |
f51cf556 | 17 | #include "rgw_process_env.h" |
11fdf7f2 | 18 | #include "rgw_rest.h" |
f51cf556 | 19 | #include "rgw_rest_iam.h" |
11fdf7f2 | 20 | #include "rgw_rest_user_policy.h" |
20effc67 | 21 | #include "rgw_sal.h" |
9f95a23c | 22 | #include "services/svc_zone.h" |
11fdf7f2 TL |
23 | |
24 | #define dout_subsys ceph_subsys_rgw | |
25 | ||
f51cf556 TL |
26 | RGWRestUserPolicy::RGWRestUserPolicy(uint64_t action, uint32_t perm) |
27 | : action(action), perm(perm) | |
11fdf7f2 | 28 | { |
11fdf7f2 TL |
29 | } |
30 | ||
31 | void RGWRestUserPolicy::send_response() | |
32 | { | |
33 | if (op_ret) { | |
34 | set_req_state_err(s, op_ret); | |
35 | } | |
36 | dump_errno(s); | |
37 | end_header(s); | |
38 | } | |
39 | ||
f51cf556 | 40 | int RGWRestUserPolicy::get_params() |
11fdf7f2 | 41 | { |
f51cf556 TL |
42 | user_name = s->info.args.get("UserName"); |
43 | if (!validate_iam_user_name(user_name, s->err.message)) { | |
44 | return -EINVAL; | |
11fdf7f2 TL |
45 | } |
46 | return 0; | |
47 | } | |
48 | ||
f51cf556 | 49 | int RGWRestUserPolicy::init_processing(optional_yield y) |
11fdf7f2 | 50 | { |
f51cf556 TL |
51 | int r = get_params(); |
52 | if (r < 0) { | |
53 | return r; | |
11fdf7f2 TL |
54 | } |
55 | ||
f51cf556 TL |
56 | if (const auto* id = std::get_if<rgw_account_id>(&s->owner.id); id) { |
57 | account_id = *id; | |
58 | ||
59 | // look up account user by UserName | |
60 | const std::string& tenant = s->auth.identity->get_tenant(); | |
61 | r = driver->load_account_user_by_name(this, y, account_id, | |
62 | tenant, user_name, &user); | |
63 | ||
64 | if (r == -ENOENT) { | |
65 | s->err.message = "No such UserName in the account"; | |
66 | return -ERR_NO_SUCH_ENTITY; | |
67 | } | |
68 | if (r >= 0) { | |
69 | // user ARN includes account id, path, and display name | |
70 | const RGWUserInfo& info = user->get_info(); | |
71 | const std::string resource = string_cat_reserve(info.path, info.display_name); | |
72 | user_arn = rgw::ARN{resource, "user", account_id, true}; | |
73 | } | |
74 | } else { | |
75 | // interpret UserName as a uid with optional tenant | |
76 | const auto uid = rgw_user{user_name}; | |
77 | // user ARN includes tenant and user id | |
78 | user_arn = rgw::ARN{uid.id, "user", uid.tenant}; | |
79 | ||
80 | user = driver->get_user(uid); | |
81 | r = user->load_user(this, y); | |
82 | if (r == -ENOENT) { | |
83 | s->err.message = "No such UserName in the tenant"; | |
84 | return -ERR_NO_SUCH_ENTITY; | |
85 | } | |
11fdf7f2 TL |
86 | } |
87 | ||
f51cf556 | 88 | return r; |
11fdf7f2 TL |
89 | } |
90 | ||
f51cf556 | 91 | int RGWRestUserPolicy::check_caps(const RGWUserCaps& caps) |
11fdf7f2 | 92 | { |
f51cf556 | 93 | return caps.check_cap("user-policy", perm); |
11fdf7f2 TL |
94 | } |
95 | ||
f51cf556 | 96 | int RGWRestUserPolicy::verify_permission(optional_yield y) |
11fdf7f2 | 97 | { |
f51cf556 TL |
98 | if (s->auth.identity->is_anonymous()) { |
99 | return -EACCES; | |
100 | } | |
101 | ||
102 | // admin caps are required for non-account users | |
103 | if (check_caps(s->user->get_caps()) == 0) { | |
104 | return 0; | |
105 | } | |
106 | ||
107 | if (! verify_user_permission(this, s, user_arn, action)) { | |
108 | return -EACCES; | |
109 | } | |
110 | return 0; | |
11fdf7f2 TL |
111 | } |
112 | ||
f51cf556 TL |
113 | |
114 | RGWPutUserPolicy::RGWPutUserPolicy(const ceph::bufferlist& post_body) | |
115 | : RGWRestUserPolicy(rgw::IAM::iamPutUserPolicy, RGW_CAP_WRITE), | |
116 | post_body(post_body) | |
11fdf7f2 | 117 | { |
11fdf7f2 TL |
118 | } |
119 | ||
120 | int RGWPutUserPolicy::get_params() | |
121 | { | |
f38dd50b | 122 | policy_name = s->info.args.get("PolicyName"); |
f51cf556 | 123 | if (!validate_iam_policy_name(policy_name, s->err.message)) { |
11fdf7f2 TL |
124 | return -EINVAL; |
125 | } | |
126 | ||
f51cf556 TL |
127 | policy = s->info.args.get("PolicyDocument"); |
128 | if (policy.empty()) { | |
129 | s->err.message = "Missing required element PolicyDocument"; | |
11fdf7f2 TL |
130 | return -EINVAL; |
131 | } | |
132 | ||
f51cf556 | 133 | return RGWRestUserPolicy::get_params(); |
11fdf7f2 TL |
134 | } |
135 | ||
f51cf556 | 136 | int RGWPutUserPolicy::forward_to_master(optional_yield y, const rgw::SiteConfig& site) |
11fdf7f2 | 137 | { |
f51cf556 TL |
138 | RGWXMLDecoder::XMLParser parser; |
139 | if (!parser.init()) { | |
140 | ldpp_dout(this, 0) << "ERROR: failed to initialize xml parser" << dendl; | |
141 | return -EINVAL; | |
11fdf7f2 TL |
142 | } |
143 | ||
f51cf556 TL |
144 | s->info.args.remove("UserName"); |
145 | s->info.args.remove("PolicyName"); | |
146 | s->info.args.remove("PolicyDocument"); | |
147 | s->info.args.remove("Action"); | |
148 | s->info.args.remove("Version"); | |
149 | ||
150 | int r = forward_iam_request_to_master(this, site, s->user->get_info(), | |
151 | post_body, parser, s->info, y); | |
152 | if (r < 0) { | |
153 | ldpp_dout(this, 20) << "ERROR: forward_iam_request_to_master failed with error code: " << r << dendl; | |
154 | return r; | |
9f95a23c | 155 | } |
f51cf556 TL |
156 | return 0; |
157 | } | |
9f95a23c | 158 | |
f51cf556 TL |
159 | void RGWPutUserPolicy::execute(optional_yield y) |
160 | { | |
161 | // validate the policy document | |
11fdf7f2 | 162 | try { |
f51cf556 TL |
163 | // non-account identity policy is restricted to the current tenant |
164 | const std::string* policy_tenant = account_id.empty() ? | |
165 | &s->user->get_tenant() : nullptr; | |
166 | ||
1e59de90 | 167 | const rgw::IAM::Policy p( |
f51cf556 | 168 | s->cct, policy_tenant, policy, |
1e59de90 | 169 | s->cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals")); |
f51cf556 | 170 | } catch (const rgw::IAM::PolicyParseException& e) { |
1e59de90 TL |
171 | ldpp_dout(this, 5) << "failed to parse policy: " << e.what() << dendl; |
172 | s->err.message = e.what(); | |
11fdf7f2 | 173 | op_ret = -ERR_MALFORMED_DOC; |
f51cf556 TL |
174 | return; |
175 | } | |
176 | ||
177 | const rgw::SiteConfig& site = *s->penv.site; | |
178 | if (!site.is_meta_master()) { | |
179 | op_ret = forward_to_master(y, site); | |
180 | if (op_ret) { | |
181 | return; | |
182 | } | |
11fdf7f2 | 183 | } |
92f5a8d4 | 184 | |
f51cf556 TL |
185 | op_ret = retry_raced_user_write(this, y, user.get(), |
186 | [this, y] { | |
187 | rgw::sal::Attrs& attrs = user->get_attrs(); | |
188 | std::map<std::string, std::string> policies; | |
189 | if (auto it = attrs.find(RGW_ATTR_USER_POLICY); it != attrs.end()) try { | |
190 | decode(policies, it->second); | |
191 | } catch (const buffer::error& err) { | |
192 | ldpp_dout(this, 0) << "ERROR: failed to decode user policies" << dendl; | |
193 | return -EIO; | |
194 | } | |
195 | ||
196 | policies[policy_name] = policy; | |
197 | ||
198 | constexpr unsigned int USER_POLICIES_MAX_NUM = 100; | |
199 | const unsigned int max_num = s->cct->_conf->rgw_user_policies_max_num < 0 ? | |
200 | USER_POLICIES_MAX_NUM : s->cct->_conf->rgw_user_policies_max_num; | |
201 | if (policies.size() > max_num) { | |
202 | ldpp_dout(this, 4) << "IAM user policies has reached the num config: " | |
203 | << max_num << ", cant add another" << dendl; | |
204 | s->err.message = | |
205 | "The number of IAM user policies should not exceed allowed limit " | |
206 | "of " + | |
207 | std::to_string(max_num) + " policies."; | |
208 | return -ERR_LIMIT_EXCEEDED; | |
209 | } | |
210 | ||
211 | bufferlist bl; | |
212 | encode(policies, bl); | |
213 | attrs[RGW_ATTR_USER_POLICY] = std::move(bl); | |
214 | ||
215 | return user->store_user(s, y, false); | |
216 | }); | |
217 | ||
92f5a8d4 | 218 | if (op_ret == 0) { |
f51cf556 | 219 | s->formatter->open_object_section_in_ns("PutUserPolicyResponse", RGW_REST_IAM_XMLNS); |
92f5a8d4 TL |
220 | s->formatter->open_object_section("ResponseMetadata"); |
221 | s->formatter->dump_string("RequestId", s->trans_id); | |
222 | s->formatter->close_section(); | |
223 | s->formatter->close_section(); | |
224 | } | |
11fdf7f2 TL |
225 | } |
226 | ||
f51cf556 TL |
227 | |
228 | RGWGetUserPolicy::RGWGetUserPolicy() | |
229 | : RGWRestUserPolicy(rgw::IAM::iamGetUserPolicy, RGW_CAP_READ) | |
11fdf7f2 | 230 | { |
11fdf7f2 TL |
231 | } |
232 | ||
233 | int RGWGetUserPolicy::get_params() | |
234 | { | |
235 | policy_name = s->info.args.get("PolicyName"); | |
f51cf556 | 236 | if (!validate_iam_policy_name(policy_name, s->err.message)) { |
11fdf7f2 TL |
237 | return -EINVAL; |
238 | } | |
239 | ||
f51cf556 | 240 | return RGWRestUserPolicy::get_params(); |
11fdf7f2 TL |
241 | } |
242 | ||
f67539c2 | 243 | void RGWGetUserPolicy::execute(optional_yield y) |
11fdf7f2 | 244 | { |
f51cf556 TL |
245 | std::map<std::string, std::string> policies; |
246 | if (auto it = user->get_attrs().find(RGW_ATTR_USER_POLICY); it != user->get_attrs().end()) { | |
247 | try { | |
248 | decode(policies, it->second); | |
249 | } catch (buffer::error& err) { | |
250 | ldpp_dout(this, 0) << "ERROR: failed to decode user policies" << dendl; | |
251 | op_ret = -EIO; | |
252 | return; | |
253 | } | |
11fdf7f2 TL |
254 | } |
255 | ||
f51cf556 TL |
256 | auto policy = policies.find(policy_name); |
257 | if (policy == policies.end()) { | |
258 | s->err.message = "No such PolicyName on the user"; | |
11fdf7f2 TL |
259 | op_ret = -ERR_NO_SUCH_ENTITY; |
260 | return; | |
261 | } | |
262 | ||
f51cf556 TL |
263 | s->formatter->open_object_section_in_ns("GetUserPolicyResponse", RGW_REST_IAM_XMLNS); |
264 | s->formatter->open_object_section("ResponseMetadata"); | |
265 | s->formatter->dump_string("RequestId", s->trans_id); | |
266 | s->formatter->close_section(); | |
267 | s->formatter->open_object_section("GetUserPolicyResult"); | |
268 | encode_json("PolicyName", policy_name , s->formatter); | |
269 | encode_json("UserName", user_name, s->formatter); | |
270 | encode_json("PolicyDocument", policy->second, s->formatter); | |
271 | s->formatter->close_section(); | |
272 | s->formatter->close_section(); | |
273 | } | |
274 | ||
275 | ||
276 | RGWListUserPolicies::RGWListUserPolicies() | |
277 | : RGWRestUserPolicy(rgw::IAM::iamListUserPolicies, RGW_CAP_READ) | |
278 | { | |
279 | } | |
280 | ||
281 | int RGWListUserPolicies::get_params() | |
282 | { | |
283 | marker = s->info.args.get("Marker"); | |
284 | ||
285 | int r = s->info.args.get_int("MaxItems", &max_items, max_items); | |
286 | if (r < 0 || max_items > 1000) { | |
287 | s->err.message = "Invalid value for MaxItems"; | |
288 | return -EINVAL; | |
289 | } | |
290 | ||
291 | return RGWRestUserPolicy::get_params(); | |
292 | } | |
293 | ||
294 | void RGWListUserPolicies::execute(optional_yield y) | |
295 | { | |
296 | std::map<std::string, std::string> policies; | |
297 | if (auto it = user->get_attrs().find(RGW_ATTR_USER_POLICY); it != user->get_attrs().end()) { | |
298 | try { | |
299 | decode(policies, it->second); | |
300 | } catch (buffer::error& err) { | |
301 | ldpp_dout(this, 0) << "ERROR: failed to decode user policies" << dendl; | |
302 | op_ret = -EIO; | |
11fdf7f2 TL |
303 | return; |
304 | } | |
305 | } | |
f51cf556 TL |
306 | |
307 | s->formatter->open_object_section_in_ns("ListUserPoliciesResponse", RGW_REST_IAM_XMLNS); | |
308 | s->formatter->open_object_section("ResponseMetadata"); | |
309 | s->formatter->dump_string("RequestId", s->trans_id); | |
310 | s->formatter->close_section(); | |
311 | s->formatter->open_object_section("ListUserPoliciesResult"); | |
312 | s->formatter->open_array_section("PolicyNames"); | |
313 | auto policy = policies.lower_bound(marker); | |
314 | for (; policy != policies.end() && max_items > 0; ++policy, --max_items) { | |
315 | s->formatter->dump_string("member", policy->first); | |
316 | } | |
317 | s->formatter->close_section(); // PolicyNames | |
318 | const bool is_truncated = (policy != policies.end()); | |
319 | encode_json("IsTruncated", is_truncated, s->formatter); | |
320 | if (is_truncated) { | |
321 | encode_json("Marker", policy->first, s->formatter); | |
11fdf7f2 | 322 | } |
f51cf556 TL |
323 | s->formatter->close_section(); // ListUserPoliciesResult |
324 | s->formatter->close_section(); // ListUserPoliciesResponse | |
11fdf7f2 TL |
325 | } |
326 | ||
f51cf556 TL |
327 | |
328 | RGWDeleteUserPolicy::RGWDeleteUserPolicy(const ceph::bufferlist& post_body) | |
329 | : RGWRestUserPolicy(rgw::IAM::iamDeleteUserPolicy, RGW_CAP_WRITE), | |
330 | post_body(post_body) | |
11fdf7f2 | 331 | { |
11fdf7f2 TL |
332 | } |
333 | ||
f51cf556 | 334 | int RGWDeleteUserPolicy::get_params() |
11fdf7f2 | 335 | { |
f51cf556 TL |
336 | policy_name = s->info.args.get("PolicyName"); |
337 | if (!validate_iam_policy_name(policy_name, s->err.message)) { | |
338 | return -EINVAL; | |
339 | } | |
11fdf7f2 | 340 | |
f51cf556 TL |
341 | return RGWRestUserPolicy::get_params(); |
342 | } | |
343 | ||
344 | int RGWDeleteUserPolicy::forward_to_master(optional_yield y, const rgw::SiteConfig& site) | |
345 | { | |
346 | RGWXMLDecoder::XMLParser parser; | |
347 | if (!parser.init()) { | |
348 | ldpp_dout(this, 0) << "ERROR: failed to initialize xml parser" << dendl; | |
11fdf7f2 TL |
349 | return -EINVAL; |
350 | } | |
351 | ||
f51cf556 TL |
352 | s->info.args.remove("UserName"); |
353 | s->info.args.remove("PolicyName"); | |
354 | s->info.args.remove("Action"); | |
355 | s->info.args.remove("Version"); | |
356 | ||
357 | int r = forward_iam_request_to_master(this, site, s->user->get_info(), | |
358 | post_body, parser, s->info, y); | |
359 | if (r < 0) { | |
360 | ldpp_dout(this, 20) << "ERROR: forward_iam_request_to_master failed with error code: " << r << dendl; | |
361 | return r; | |
362 | } | |
11fdf7f2 TL |
363 | return 0; |
364 | } | |
365 | ||
f51cf556 | 366 | void RGWDeleteUserPolicy::execute(optional_yield y) |
11fdf7f2 | 367 | { |
f51cf556 TL |
368 | const rgw::SiteConfig& site = *s->penv.site; |
369 | if (!site.is_meta_master()) { | |
370 | op_ret = forward_to_master(y, site); | |
371 | if (op_ret) { | |
372 | return; | |
373 | } | |
374 | } | |
375 | ||
376 | op_ret = retry_raced_user_write(this, y, user.get(), | |
377 | [this, y, &site] { | |
378 | rgw::sal::Attrs& attrs = user->get_attrs(); | |
379 | std::map<std::string, std::string> policies; | |
380 | if (auto it = attrs.find(RGW_ATTR_USER_POLICY); it != attrs.end()) try { | |
381 | decode(policies, it->second); | |
382 | } catch (const buffer::error& err) { | |
383 | ldpp_dout(this, 0) << "ERROR: failed to decode user policies" << dendl; | |
384 | return -EIO; | |
385 | } | |
386 | ||
387 | auto policy = policies.find(policy_name); | |
388 | if (policy == policies.end()) { | |
389 | if (!site.is_meta_master()) { | |
390 | return 0; // delete succeeded on the master | |
391 | } | |
392 | s->err.message = "No such PolicyName on the user"; | |
393 | return -ERR_NO_SUCH_ENTITY; | |
394 | } | |
395 | policies.erase(policy); | |
396 | ||
397 | bufferlist bl; | |
398 | encode(policies, bl); | |
399 | attrs[RGW_ATTR_USER_POLICY] = std::move(bl); | |
400 | ||
401 | return user->store_user(s, y, false); | |
402 | }); | |
403 | ||
11fdf7f2 TL |
404 | if (op_ret < 0) { |
405 | return; | |
406 | } | |
407 | ||
f51cf556 TL |
408 | s->formatter->open_object_section_in_ns("DeleteUserPoliciesResponse", RGW_REST_IAM_XMLNS); |
409 | s->formatter->open_object_section("ResponseMetadata"); | |
410 | s->formatter->dump_string("RequestId", s->trans_id); | |
411 | s->formatter->close_section(); | |
412 | s->formatter->close_section(); | |
413 | } | |
414 | ||
415 | ||
416 | class RGWAttachUserPolicy_IAM : public RGWRestUserPolicy { | |
417 | bufferlist post_body; | |
418 | std::string policy_arn; | |
419 | ||
420 | int get_params() override; | |
421 | int forward_to_master(optional_yield y, const rgw::SiteConfig& site); | |
422 | public: | |
423 | explicit RGWAttachUserPolicy_IAM(const ceph::bufferlist& post_body) | |
424 | : RGWRestUserPolicy(rgw::IAM::iamAttachUserPolicy, RGW_CAP_WRITE), | |
425 | post_body(post_body) {} | |
426 | ||
427 | void execute(optional_yield y) override; | |
428 | const char* name() const override { return "attach_user_policy"; } | |
429 | RGWOpType get_type() override { return RGW_OP_ATTACH_USER_POLICY; } | |
430 | }; | |
431 | ||
432 | int RGWAttachUserPolicy_IAM::get_params() | |
433 | { | |
434 | policy_arn = s->info.args.get("PolicyArn"); | |
435 | if (!validate_iam_policy_arn(policy_arn, s->err.message)) { | |
436 | return -EINVAL; | |
437 | } | |
438 | ||
439 | return RGWRestUserPolicy::get_params(); | |
440 | } | |
441 | ||
442 | int RGWAttachUserPolicy_IAM::forward_to_master(optional_yield y, const rgw::SiteConfig& site) | |
443 | { | |
444 | RGWXMLDecoder::XMLParser parser; | |
445 | if (!parser.init()) { | |
446 | ldpp_dout(this, 0) << "ERROR: failed to initialize xml parser" << dendl; | |
447 | return -EINVAL; | |
448 | } | |
449 | ||
450 | s->info.args.remove("UserName"); | |
451 | s->info.args.remove("PolicyArn"); | |
452 | s->info.args.remove("Action"); | |
453 | s->info.args.remove("Version"); | |
454 | ||
455 | int r = forward_iam_request_to_master(this, site, s->user->get_info(), | |
456 | post_body, parser, s->info, y); | |
457 | if (r < 0) { | |
458 | ldpp_dout(this, 20) << "ERROR: forward_iam_request_to_master failed with error code: " << r << dendl; | |
459 | return r; | |
460 | } | |
461 | return 0; | |
462 | } | |
463 | ||
464 | void RGWAttachUserPolicy_IAM::execute(optional_yield y) | |
465 | { | |
466 | // validate the policy arn | |
467 | try { | |
468 | const auto p = rgw::IAM::get_managed_policy(s->cct, policy_arn); | |
469 | if (!p) { | |
470 | op_ret = ERR_NO_SUCH_ENTITY; | |
471 | s->err.message = "The requested PolicyArn is not recognized"; | |
472 | return; | |
473 | } | |
474 | } catch (const rgw::IAM::PolicyParseException& e) { | |
475 | ldpp_dout(this, 5) << "failed to parse policy: " << e.what() << dendl; | |
476 | s->err.message = e.what(); | |
477 | op_ret = -ERR_MALFORMED_DOC; | |
11fdf7f2 TL |
478 | return; |
479 | } | |
480 | ||
f51cf556 TL |
481 | const rgw::SiteConfig& site = *s->penv.site; |
482 | if (!site.is_meta_master()) { | |
483 | op_ret = forward_to_master(y, site); | |
484 | if (op_ret) { | |
11fdf7f2 TL |
485 | return; |
486 | } | |
487 | } | |
f51cf556 TL |
488 | |
489 | op_ret = retry_raced_user_write(this, y, user.get(), | |
490 | [this, y] { | |
491 | rgw::sal::Attrs& attrs = user->get_attrs(); | |
492 | rgw::IAM::ManagedPolicies policies; | |
493 | if (auto it = attrs.find(RGW_ATTR_MANAGED_POLICY); it != attrs.end()) try { | |
494 | decode(policies, it->second); | |
495 | } catch (buffer::error& err) { | |
496 | ldpp_dout(this, 0) << "ERROR: failed to decode user policies" << dendl; | |
497 | return -EIO; | |
498 | } | |
499 | policies.arns.insert(policy_arn); | |
500 | ||
501 | bufferlist bl; | |
502 | encode(policies, bl); | |
503 | attrs[RGW_ATTR_MANAGED_POLICY] = std::move(bl); | |
504 | ||
505 | return user->store_user(this, y, false); | |
506 | }); | |
507 | ||
508 | if (op_ret == 0) { | |
509 | s->formatter->open_object_section_in_ns("AttachUserPolicyResponse", RGW_REST_IAM_XMLNS); | |
510 | s->formatter->open_object_section("ResponseMetadata"); | |
511 | s->formatter->dump_string("RequestId", s->trans_id); | |
512 | s->formatter->close_section(); | |
513 | s->formatter->close_section(); | |
11fdf7f2 TL |
514 | } |
515 | } | |
516 | ||
f51cf556 TL |
517 | |
518 | class RGWRestAttachedUserPolicy : public RGWRestUserPolicy { | |
519 | public: | |
520 | using RGWRestUserPolicy::RGWRestUserPolicy; | |
521 | int init_processing(optional_yield y) override; | |
522 | }; | |
523 | ||
524 | int RGWRestAttachedUserPolicy::init_processing(optional_yield y) | |
11fdf7f2 | 525 | { |
f51cf556 TL |
526 | // managed policy is only supported for account users. adding them to |
527 | // non-account roles would give blanket permissions to all buckets | |
528 | if (!s->auth.identity->get_account()) { | |
529 | s->err.message = "Managed policies are only supported for account users"; | |
530 | return -ERR_METHOD_NOT_ALLOWED; | |
531 | } | |
532 | ||
533 | return RGWRestUserPolicy::init_processing(y); | |
11fdf7f2 TL |
534 | } |
535 | ||
f51cf556 TL |
536 | class RGWDetachUserPolicy_IAM : public RGWRestAttachedUserPolicy { |
537 | bufferlist post_body; | |
538 | std::string policy_arn; | |
539 | ||
540 | int get_params() override; | |
541 | int forward_to_master(optional_yield y, const rgw::SiteConfig& site); | |
542 | public: | |
543 | explicit RGWDetachUserPolicy_IAM(const bufferlist& post_body) | |
544 | : RGWRestAttachedUserPolicy(rgw::IAM::iamDetachUserPolicy, RGW_CAP_WRITE), | |
545 | post_body(post_body) {} | |
546 | ||
547 | void execute(optional_yield y) override; | |
548 | const char* name() const override { return "detach_user_policy"; } | |
549 | RGWOpType get_type() override { return RGW_OP_DETACH_USER_POLICY; } | |
550 | }; | |
11fdf7f2 | 551 | |
f51cf556 TL |
552 | int RGWDetachUserPolicy_IAM::get_params() |
553 | { | |
554 | policy_arn = s->info.args.get("PolicyArn"); | |
555 | if (!validate_iam_policy_arn(policy_arn, s->err.message)) { | |
11fdf7f2 TL |
556 | return -EINVAL; |
557 | } | |
558 | ||
f51cf556 | 559 | return RGWRestAttachedUserPolicy::get_params(); |
11fdf7f2 TL |
560 | } |
561 | ||
f51cf556 | 562 | int RGWDetachUserPolicy_IAM::forward_to_master(optional_yield y, const rgw::SiteConfig& site) |
11fdf7f2 | 563 | { |
f51cf556 TL |
564 | RGWXMLDecoder::XMLParser parser; |
565 | if (!parser.init()) { | |
566 | ldpp_dout(this, 0) << "ERROR: failed to initialize xml parser" << dendl; | |
567 | return -EINVAL; | |
11fdf7f2 TL |
568 | } |
569 | ||
f51cf556 TL |
570 | s->info.args.remove("UserName"); |
571 | s->info.args.remove("PolicyArn"); | |
572 | s->info.args.remove("Action"); | |
573 | s->info.args.remove("Version"); | |
11fdf7f2 | 574 | |
f51cf556 TL |
575 | int r = forward_iam_request_to_master(this, site, s->user->get_info(), |
576 | post_body, parser, s->info, y); | |
577 | if (r < 0) { | |
578 | ldpp_dout(this, 20) << "ERROR: forward_iam_request_to_master failed with error code: " << r << dendl; | |
579 | return r; | |
20effc67 | 580 | } |
f51cf556 TL |
581 | return 0; |
582 | } | |
20effc67 | 583 | |
f51cf556 TL |
584 | void RGWDetachUserPolicy_IAM::execute(optional_yield y) |
585 | { | |
586 | const rgw::SiteConfig& site = *s->penv.site; | |
587 | if (!site.is_meta_master()) { | |
588 | op_ret = forward_to_master(y, site); | |
589 | if (op_ret) { | |
f67539c2 | 590 | return; |
9f95a23c | 591 | } |
11fdf7f2 TL |
592 | } |
593 | ||
f51cf556 TL |
594 | op_ret = retry_raced_user_write(this, y, user.get(), |
595 | [this, y, &site] { | |
596 | rgw::sal::Attrs& attrs = user->get_attrs(); | |
597 | rgw::IAM::ManagedPolicies policies; | |
598 | if (auto it = attrs.find(RGW_ATTR_MANAGED_POLICY); it != attrs.end()) try { | |
599 | decode(policies, it->second); | |
600 | } catch (const buffer::error& err) { | |
601 | ldpp_dout(this, 0) << "ERROR: failed to decode user policies" << dendl; | |
602 | return -EIO; | |
603 | } | |
604 | ||
605 | auto i = policies.arns.find(policy_arn); | |
606 | if (i == policies.arns.end()) { | |
607 | if (!site.is_meta_master()) { | |
608 | return 0; // delete succeeded on the master | |
609 | } | |
610 | s->err.message = "No such PolicyArn on the user"; | |
611 | return ERR_NO_SUCH_ENTITY; | |
612 | } | |
613 | policies.arns.erase(i); | |
614 | ||
615 | bufferlist bl; | |
616 | encode(policies, bl); | |
617 | attrs[RGW_ATTR_MANAGED_POLICY] = std::move(bl); | |
618 | ||
619 | return user->store_user(this, y, false); | |
620 | }); | |
621 | ||
622 | if (op_ret == 0) { | |
623 | s->formatter->open_object_section_in_ns("DetachUserPolicyResponse", RGW_REST_IAM_XMLNS); | |
624 | s->formatter->open_object_section("ResponseMetadata"); | |
625 | s->formatter->dump_string("RequestId", s->trans_id); | |
626 | s->formatter->close_section(); | |
627 | s->formatter->close_section(); | |
628 | } | |
629 | } | |
630 | ||
631 | ||
632 | class RGWListAttachedUserPolicies_IAM : public RGWRestAttachedUserPolicy { | |
633 | std::string marker; | |
634 | int max_items = 100; | |
635 | int get_params() override; | |
636 | public: | |
637 | RGWListAttachedUserPolicies_IAM() | |
638 | : RGWRestAttachedUserPolicy(rgw::IAM::iamListAttachedUserPolicies, RGW_CAP_READ) | |
639 | {} | |
640 | void execute(optional_yield y) override; | |
641 | const char* name() const override { return "list_attached_user_policies"; } | |
642 | RGWOpType get_type() override { return RGW_OP_LIST_ATTACHED_USER_POLICIES; } | |
643 | }; | |
644 | ||
645 | int RGWListAttachedUserPolicies_IAM::get_params() | |
646 | { | |
647 | marker = s->info.args.get("Marker"); | |
648 | ||
649 | int r = s->info.args.get_int("MaxItems", &max_items, max_items); | |
650 | if (r < 0 || max_items > 1000) { | |
651 | s->err.message = "Invalid value for MaxItems"; | |
652 | return -EINVAL; | |
653 | } | |
654 | ||
655 | return RGWRestAttachedUserPolicy::get_params(); | |
656 | } | |
657 | ||
658 | void RGWListAttachedUserPolicies_IAM::execute(optional_yield y) | |
659 | { | |
660 | rgw::IAM::ManagedPolicies policies; | |
661 | const auto& attrs = user->get_attrs(); | |
662 | if (auto it = attrs.find(RGW_ATTR_MANAGED_POLICY); it != attrs.end()) { | |
1e59de90 | 663 | try { |
f51cf556 | 664 | decode(policies, it->second); |
1e59de90 TL |
665 | } catch (buffer::error& err) { |
666 | ldpp_dout(this, 0) << "ERROR: failed to decode user policies" << dendl; | |
667 | op_ret = -EIO; | |
668 | return; | |
669 | } | |
f51cf556 | 670 | } |
11fdf7f2 | 671 | |
f51cf556 TL |
672 | s->formatter->open_object_section_in_ns("ListAttachedUserPoliciesResponse", RGW_REST_IAM_XMLNS); |
673 | s->formatter->open_object_section("ResponseMetadata"); | |
674 | s->formatter->dump_string("RequestId", s->trans_id); | |
675 | s->formatter->close_section(); | |
676 | s->formatter->open_object_section("ListAttachedUserPoliciesResult"); | |
677 | s->formatter->open_array_section("AttachedPolicies"); | |
678 | auto policy = policies.arns.lower_bound(marker); | |
679 | for (; policy != policies.arns.end() && max_items > 0; ++policy, --max_items) { | |
680 | s->formatter->open_object_section("member"); | |
681 | std::string_view arn = *policy; | |
682 | if (auto p = arn.find('/'); p != arn.npos) { | |
683 | s->formatter->dump_string("PolicyName", arn.substr(p + 1)); | |
11fdf7f2 | 684 | } |
f51cf556 TL |
685 | s->formatter->dump_string("PolicyArn", arn); |
686 | s->formatter->close_section(); // member | |
687 | } | |
688 | s->formatter->close_section(); // AttachedPolicies | |
689 | const bool is_truncated = (policy != policies.arns.end()); | |
690 | encode_json("IsTruncated", is_truncated, s->formatter); | |
691 | if (is_truncated) { | |
692 | encode_json("Marker", *policy, s->formatter); | |
11fdf7f2 | 693 | } |
f51cf556 TL |
694 | s->formatter->close_section(); // ListAttachedUserPoliciesResult |
695 | s->formatter->close_section(); // ListAttachedUserPoliciesResponse | |
696 | } | |
697 | ||
698 | ||
699 | RGWOp* make_iam_attach_user_policy_op(const ceph::bufferlist& post_body) { | |
700 | return new RGWAttachUserPolicy_IAM(post_body); | |
701 | } | |
702 | ||
703 | RGWOp* make_iam_detach_user_policy_op(const ceph::bufferlist& post_body) { | |
704 | return new RGWDetachUserPolicy_IAM(post_body); | |
705 | } | |
706 | ||
707 | RGWOp* make_iam_list_attached_user_policies_op(const ceph::bufferlist& unused) { | |
708 | return new RGWListAttachedUserPolicies_IAM(); | |
11fdf7f2 | 709 | } |