]> git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_auth.h
projects / ceph.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
update ceph source to reef 18.1.2
[ceph.git] / ceph / src / rgw / rgw_auth.h
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
3
4 #pragma once
5
6 #include <functional>
7 #include <optional>
8 #include <ostream>
9 #include <type_traits>
10 #include <system_error>
11 #include <utility>
12
13 #include "rgw_common.h"
14 #include "rgw_web_idp.h"
15
16 #define RGW_USER_ANON_ID "anonymous"
17
18 class RGWCtl;
19 struct rgw_log_entry;
20 struct req_state;
21
22 namespace rgw {
23 namespace auth {
24
25 using Exception = std::system_error;
26
27
28 /* Load information about identity that will be used by RGWOp to authorize
29 * any operation that comes from an authenticated user. */
30 class Identity {
31 public:
32 typedef std::map<std::string, int> aclspec_t;
33 using idset_t = boost::container::flat_set<Principal>;
34
35 virtual ~Identity() = default;
36
37 /* Translate the ACL provided in @aclspec into concrete permission set that
38 * can be used during the authorization phase (RGWOp::verify_permission).
39 * On error throws rgw::auth::Exception storing the reason.
40 *
41 * NOTE: an implementation is responsible for giving the real semantic to
42 * the items in @aclspec. That is, their meaning may depend on particular
43 * applier that is being used. */
44 virtual uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const = 0;
45
46 /* Verify whether a given identity *can be treated as* an admin of rgw_user
47 * (account in Swift's terminology) specified in @uid. On error throws
48 * rgw::auth::Exception storing the reason. */
49 virtual bool is_admin_of(const rgw_user& uid) const = 0;
50
51 /* Verify whether a given identity *is* the owner of the rgw_user (account
52 * in the Swift's terminology) specified in @uid. On internal error throws
53 * rgw::auth::Exception storing the reason. */
54 virtual bool is_owner_of(const rgw_user& uid) const = 0;
55
56 /* Return the permission mask that is used to narrow down the set of
57 * operations allowed for a given identity. This method reflects the idea
58 * of subuser tied to RGWUserInfo. On error throws rgw::auth::Exception
59 * with the reason. */
60 virtual uint32_t get_perm_mask() const = 0;
61
62 virtual bool is_anonymous() const {
63 /* If the identity owns the anonymous account (rgw_user), it's considered
64 * the anonymous identity. On error throws rgw::auth::Exception storing
65 * the reason. */
66 return is_owner_of(rgw_user(RGW_USER_ANON_ID));
67 }
68
69 virtual void to_str(std::ostream& out) const = 0;
70
71 /* Verify whether a given identity corresponds to an identity in the
72 provided set */
73 virtual bool is_identity(const idset_t& ids) const = 0;
74
75 /* Identity Type: RGW/ LDAP/ Keystone */
76 virtual uint32_t get_identity_type() const = 0;
77
78 /* Name of Account */
79 virtual std::string get_acct_name() const = 0;
80
81 /* Subuser of Account */
82 virtual std::string get_subuser() const = 0;
83
84 virtual std::string get_role_tenant() const { return ""; }
85
86 /* write any auth-specific fields that are safe to expose in the ops log */
87 virtual void write_ops_log_entry(rgw_log_entry& entry) const {};
88 };
89
90 inline std::ostream& operator<<(std::ostream& out,
91 const rgw::auth::Identity& id) {
92 id.to_str(out);
93 return out;
94 }
95
96
97 std::unique_ptr<rgw::auth::Identity>
98 transform_old_authinfo(CephContext* const cct,
99 const rgw_user& auth_id,
100 const int perm_mask,
101 const bool is_admin,
102 const uint32_t type);
103 std::unique_ptr<Identity> transform_old_authinfo(const req_state* const s);
104
105
106 /* Interface for classes applying changes to request state/RADOS store
107 * imposed by a particular rgw::auth::Engine.
108 *
109 * In contrast to rgw::auth::Engine, implementations of this interface
110 * are allowed to handle req_state or RGWUserCtl in the read-write manner.
111 *
112 * It's expected that most (if not all) of implementations will also
113 * conform to rgw::auth::Identity interface to provide authorization
114 * policy (ACLs, account's ownership and entitlement). */
115 class IdentityApplier : public Identity {
116 public:
117 typedef std::unique_ptr<IdentityApplier> aplptr_t;
118
119 virtual ~IdentityApplier() {};
120
121 /* Fill provided RGWUserInfo with information about the account that
122 * RGWOp will operate on. Errors are handled solely through exceptions.
123 *
124 * XXX: be aware that the "account" term refers to rgw_user. The naming
125 * is legacy. */
126 virtual void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const = 0; /* out */
127
128 /* Apply any changes to request state. This method will be most useful for
129 * TempURL of Swift API. */
130 virtual void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const {} /* in/out */
131 };
132
133
134 /* Interface class for completing the two-step authentication process.
135 * Completer provides the second step - the complete() method that should
136 * be called after Engine::authenticate() but before *committing* results
137 * of an RGWOp (or sending a response in the case of non-mutating ops).
138 *
139 * The motivation driving the interface is to address those authentication
140 * schemas that require message integrity verification *without* in-memory
141 * data buffering. Typical examples are AWS Auth v4 and the auth mechanism
142 * of browser uploads facilities both in S3 and Swift APIs (see RGWPostObj).
143 * The workflow of request from the authentication point-of-view does look
144 * like following one:
145 * A. authenticate (Engine::authenticate),
146 * B. authorize (see RGWOp::verify_permissions),
147 * C. execute-prepare (init potential data modifications),
148 * D. authenticate-complete - (Completer::complete),
149 * E. execute-commit - commit the modifications from point C. */
150 class Completer {
151 public:
152 /* It's expected that Completers would tend to implement many interfaces
153 * and be used not only in req_state::auth::completer. Ref counting their
154 * instances would be helpful. */
155 typedef std::shared_ptr<Completer> cmplptr_t;
156
157 virtual ~Completer() = default;
158
159 /* Complete the authentication process. Return boolean indicating whether
160 * the completion succeeded. On error throws rgw::auth::Exception storing
161 * the reason. */
162 virtual bool complete() = 0;
163
164 /* Apply any changes to request state. The initial use case was injecting
165 * the AWSv4 filter over rgw::io::RestfulClient in req_state. */
166 virtual void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) = 0; /* in/out */
167 };
168
169
170 /* Interface class for authentication backends (auth engines) in RadosGW.
171 *
172 * An engine is supposed only to authenticate (not authorize!) requests
173 * basing on their req_state and - if access has been granted - provide
174 * an upper layer with:
175 * - rgw::auth::IdentityApplier to commit all changes to the request state as
176 * well as to the RADOS store (creating an account, synchronizing
177 * user-related information with external databases and so on).
178 * - rgw::auth::Completer (optionally) to finish the authentication
179 * of the request. Typical use case is verifying message integrity
180 * in AWS Auth v4 and browser uploads (RGWPostObj).
181 *
182 * Both of them are supposed to be wrapped in Engine::AuthResult.
183 *
184 * The authentication process consists of two steps:
185 * - Engine::authenticate() which should be called before *initiating*
186 * any modifications to RADOS store that are related to an operation
187 * a client wants to perform (RGWOp::execute).
188 * - Completer::complete() supposed to be called, if completer has been
189 * returned, after the authenticate() step but before *committing*
190 * those modifications or sending a response (RGWOp::complete).
191 *
192 * An engine outlives both Applier and Completer. It's intended to live
193 * since RadosGW's initialization and handle multiple requests till
194 * a reconfiguration.
195 *
196 * Auth engine MUST NOT make any changes to req_state nor RADOS store.
197 * This is solely an Applier's responsibility!
198 *
199 * Separation between authentication and global state modification has
200 * been introduced because many auth engines are orthogonal to appliers
201 * and thus they can be decoupled. Additional motivation is to clearly
202 * distinguish all portions of code modifying data structures. */
203 class Engine {
204 public:
205 virtual ~Engine() = default;
206
207 class AuthResult {
208 struct rejection_mark_t {};
209 bool is_rejected = false;
210 int reason = 0;
211
212 std::pair<IdentityApplier::aplptr_t, Completer::cmplptr_t> result_pair;
213
214 explicit AuthResult(const int reason)
215 : reason(reason) {
216 }
217
218 AuthResult(rejection_mark_t&&, const int reason)
219 : is_rejected(true),
220 reason(reason) {
221 }
222
223 /* Allow only the reasonable combintations - returning just Completer
224 * without accompanying IdentityApplier is strictly prohibited! */
225 explicit AuthResult(IdentityApplier::aplptr_t&& applier)
226 : result_pair(std::move(applier), nullptr) {
227 }
228
229 AuthResult(IdentityApplier::aplptr_t&& applier,
230 Completer::cmplptr_t&& completer)
231 : result_pair(std::move(applier), std::move(completer)) {
232 }
233
234 public:
235 enum class Status {
236 /* Engine doesn't grant the access but also doesn't reject it. */
237 DENIED,
238
239 /* Engine successfully authenicated requester. */
240 GRANTED,
241
242 /* Engine strictly indicates that a request should be rejected
243 * without trying any further engine. */
244 REJECTED
245 };
246
247 Status get_status() const {
248 if (is_rejected) {
249 return Status::REJECTED;
250 } else if (! result_pair.first) {
251 return Status::DENIED;
252 } else {
253 return Status::GRANTED;
254 }
255 }
256
257 int get_reason() const {
258 return reason;
259 }
260
261 IdentityApplier::aplptr_t get_applier() {
262 return std::move(result_pair.first);
263 }
264
265 Completer::cmplptr_t&& get_completer() {
266 return std::move(result_pair.second);
267 }
268
269 static AuthResult reject(const int reason = -EACCES) {
270 return AuthResult(rejection_mark_t(), reason);
271 }
272
273 static AuthResult deny(const int reason = -EACCES) {
274 return AuthResult(reason);
275 }
276
277 static AuthResult grant(IdentityApplier::aplptr_t&& applier) {
278 return AuthResult(std::move(applier));
279 }
280
281 static AuthResult grant(IdentityApplier::aplptr_t&& applier,
282 Completer::cmplptr_t&& completer) {
283 return AuthResult(std::move(applier), std::move(completer));
284 }
285 };
286
287 using result_t = AuthResult;
288
289 /* Get name of the auth engine. */
290 virtual const char* get_name() const noexcept = 0;
291
292 /* Throwing method for identity verification. When the check is positive
293 * an implementation should return Engine::result_t containing:
294 * - a non-null pointer to an object conforming the Applier interface.
295 * Otherwise, the authentication is treated as failed.
296 * - a (potentially null) pointer to an object conforming the Completer
297 * interface.
298 *
299 * On error throws rgw::auth::Exception containing the reason. */
300 virtual result_t authenticate(const DoutPrefixProvider* dpp, const req_state* s, optional_yield y) const = 0;
301 };
302
303
304 /* Interface for extracting a token basing from data carried by req_state. */
305 class TokenExtractor {
306 public:
307 virtual ~TokenExtractor() = default;
308 virtual std::string get_token(const req_state* s) const = 0;
309 };
310
311
312 /* Abstract class for stacking sub-engines to expose them as a single
313 * Engine. It is responsible for ordering its sub-engines and managing
314 * fall-backs between them. Derivatee is supposed to encapsulate engine
315 * instances and add them using the add_engine() method in the order it
316 * wants to be tried during the call to authenticate().
317 *
318 * Each new Strategy should be exposed to StrategyRegistry for handling
319 * the dynamic reconfiguration. */
320 class Strategy : public Engine {
321 public:
322 /* Specifiers controlling what happens when an associated engine fails.
323 * The names and semantic has been borrowed mostly from libpam. */
324 enum class Control {
325 /* Failure of an engine injected with the REQUISITE specifier aborts
326 * the strategy's authentication process immediately. No other engine
327 * will be tried. */
328 REQUISITE,
329
330 /* Success of an engine injected with the SUFFICIENT specifier ends
331 * strategy's authentication process successfully. However, denying
332 * doesn't abort it -- there will be fall-back to following engine
333 * if the one that failed wasn't the last one. */
334 SUFFICIENT,
335
336 /* Like SUFFICIENT with the exception that on failure the reason code
337 * is not overridden. Instead, it's taken directly from the last tried
338 * non-FALLBACK engine. If there was no previous non-FALLBACK engine
339 * in a Strategy, then the result_t::deny(reason = -EACCES) is used. */
340 FALLBACK,
341 };
342
343 Engine::result_t authenticate(const DoutPrefixProvider* dpp, const req_state* s, optional_yield y) const override final;
344
345 bool is_empty() const {
346 return auth_stack.empty();
347 }
348
349 static int apply(const DoutPrefixProvider* dpp, const Strategy& auth_strategy, req_state* s, optional_yield y) noexcept;
350
351 private:
352 /* Using the reference wrapper here to explicitly point out we are not
353 * interested in storing nulls while preserving the dynamic polymorphism. */
354 using stack_item_t = std::pair<std::reference_wrapper<const Engine>,
355 Control>;
356 std::vector<stack_item_t> auth_stack;
357
358 protected:
359 void add_engine(Control ctrl_flag, const Engine& engine) noexcept;
360 };
361
362
363 /* A class aggregating the knowledge about all Strategies in RadosGW. It is
364 * responsible for handling the dynamic reconfiguration on e.g. realm update.
365 * The definition is in rgw/rgw_auth_registry.h,
366 *
367 * Each new Strategy should be exposed to it. */
368 class StrategyRegistry;
369
370 class WebIdentityApplier : public IdentityApplier {
371 std::string sub;
372 std::string iss;
373 std::string aud;
374 std::string client_id;
375 std::string user_name;
376 protected:
377 CephContext* const cct;
378 rgw::sal::Driver* driver;
379 std::string role_session;
380 std::string role_tenant;
381 std::unordered_multimap<std::string, std::string> token_claims;
382 boost::optional<std::multimap<std::string,std::string>> role_tags;
383 boost::optional<std::set<std::pair<std::string, std::string>>> principal_tags;
384
385 std::string get_idp_url() const;
386
387 void create_account(const DoutPrefixProvider* dpp,
388 const rgw_user& acct_user,
389 const std::string& display_name,
390 RGWUserInfo& user_info) const; /* out */
391 public:
392 WebIdentityApplier( CephContext* const cct,
393 rgw::sal::Driver* driver,
394 const std::string& role_session,
395 const std::string& role_tenant,
396 const std::unordered_multimap<std::string, std::string>& token_claims,
397 boost::optional<std::multimap<std::string,std::string>> role_tags,
398 boost::optional<std::set<std::pair<std::string, std::string>>> principal_tags)
399 : cct(cct),
400 driver(driver),
401 role_session(role_session),
402 role_tenant(role_tenant),
403 token_claims(token_claims),
404 role_tags(role_tags),
405 principal_tags(principal_tags) {
406 const auto& sub = token_claims.find("sub");
407 if(sub != token_claims.end()) {
408 this->sub = sub->second;
409 }
410
411 const auto& iss = token_claims.find("iss");
412 if(iss != token_claims.end()) {
413 this->iss = iss->second;
414 }
415
416 const auto& aud = token_claims.find("aud");
417 if(aud != token_claims.end()) {
418 this->aud = aud->second;
419 }
420
421 const auto& client_id = token_claims.find("client_id");
422 if(client_id != token_claims.end()) {
423 this->client_id = client_id->second;
424 } else {
425 const auto& azp = token_claims.find("azp");
426 if (azp != token_claims.end()) {
427 this->client_id = azp->second;
428 }
429 }
430
431 const auto& user_name = token_claims.find("username");
432 if(user_name != token_claims.end()) {
433 this->user_name = user_name->second;
434 } else {
435 const auto& given_username = token_claims.find("given_username");
436 if (given_username != token_claims.end()) {
437 this->user_name = given_username->second;
438 }
439 }
440 }
441
442 void modify_request_state(const DoutPrefixProvider *dpp, req_state* s) const override;
443
444 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
445 return RGW_PERM_NONE;
446 }
447
448 bool is_admin_of(const rgw_user& uid) const override {
449 return false;
450 }
451
452 bool is_owner_of(const rgw_user& uid) const override {
453 if (uid.id == this->sub && uid.tenant == role_tenant && uid.ns == "oidc") {
454 return true;
455 }
456 return false;
457 }
458
459 uint32_t get_perm_mask() const override {
460 return RGW_PERM_NONE;
461 }
462
463 void to_str(std::ostream& out) const override;
464
465 bool is_identity(const idset_t& ids) const override;
466
467 void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override;
468
469 uint32_t get_identity_type() const override {
470 return TYPE_WEB;
471 }
472
473 std::string get_acct_name() const override {
474 return this->user_name;
475 }
476
477 std::string get_subuser() const override {
478 return {};
479 }
480
481 struct Factory {
482 virtual ~Factory() {}
483
484 virtual aplptr_t create_apl_web_identity( CephContext* cct,
485 const req_state* s,
486 const std::string& role_session,
487 const std::string& role_tenant,
488 const std::unordered_multimap<std::string, std::string>& token,
489 boost::optional<std::multimap<std::string, std::string>>,
490 boost::optional<std::set<std::pair<std::string, std::string>>> principal_tags) const = 0;
491 };
492 };
493
494 class ImplicitTenants: public md_config_obs_t {
495 public:
496 enum implicit_tenant_flag_bits {IMPLICIT_TENANTS_SWIFT=1,
497 IMPLICIT_TENANTS_S3=2, IMPLICIT_TENANTS_BAD = -1, };
498 private:
499 int saved;
500 void recompute_value(const ConfigProxy& );
501 class ImplicitTenantValue {
502 friend class ImplicitTenants;
503 int v;
504 ImplicitTenantValue(int v) : v(v) {};
505 public:
506 bool inline is_split_mode()
507 {
508 assert(v != IMPLICIT_TENANTS_BAD);
509 return v == IMPLICIT_TENANTS_SWIFT || v == IMPLICIT_TENANTS_S3;
510 }
511 bool inline implicit_tenants_for_(const implicit_tenant_flag_bits bit)
512 {
513 assert(v != IMPLICIT_TENANTS_BAD);
514 return static_cast<bool>(v&bit);
515 }
516 };
517 public:
518 ImplicitTenants(const ConfigProxy& c) { recompute_value(c);}
519 ImplicitTenantValue get_value() const {
520 return ImplicitTenantValue(saved);
521 }
522 private:
523 const char** get_tracked_conf_keys() const override;
524 void handle_conf_change(const ConfigProxy& conf,
525 const std::set <std::string> &changed) override;
526 };
527
528 std::tuple<bool,bool> implicit_tenants_enabled_for_swift(CephContext * const cct);
529 std::tuple<bool,bool> implicit_tenants_enabled_for_s3(CephContext * const cct);
530
531 /* rgw::auth::RemoteApplier targets those authentication engines which don't
532 * need to ask the RADOS store while performing the auth process. Instead,
533 * they obtain credentials from an external source like Keystone or LDAP.
534 *
535 * As the authenticated user may not have an account yet, RGWRemoteAuthApplier
536 * must be able to create it basing on data passed by an auth engine. Those
537 * data will be used to fill RGWUserInfo structure. */
538 class RemoteApplier : public IdentityApplier {
539 public:
540 class AuthInfo {
541 friend class RemoteApplier;
542 protected:
543 const rgw_user acct_user;
544 const std::string acct_name;
545 const uint32_t perm_mask;
546 const bool is_admin;
547 const uint32_t acct_type;
548 const std::string access_key_id;
549 const std::string subuser;
550
551 public:
552 enum class acct_privilege_t {
553 IS_ADMIN_ACCT,
554 IS_PLAIN_ACCT
555 };
556
557 static const std::string NO_SUBUSER;
558 static const std::string NO_ACCESS_KEY;
559
560 AuthInfo(const rgw_user& acct_user,
561 const std::string& acct_name,
562 const uint32_t perm_mask,
563 const acct_privilege_t level,
564 const std::string access_key_id,
565 const std::string subuser,
566 const uint32_t acct_type=TYPE_NONE)
567 : acct_user(acct_user),
568 acct_name(acct_name),
569 perm_mask(perm_mask),
570 is_admin(acct_privilege_t::IS_ADMIN_ACCT == level),
571 acct_type(acct_type),
572 access_key_id(access_key_id),
573 subuser(subuser) {
574 }
575 };
576
577 using aclspec_t = rgw::auth::Identity::aclspec_t;
578 typedef std::function<uint32_t(const aclspec_t&)> acl_strategy_t;
579
580 protected:
581 CephContext* const cct;
582
583 /* Read-write is intensional here due to RGWUserInfo creation process. */
584 rgw::sal::Driver* driver;
585
586 /* Supplemental strategy for extracting permissions from ACLs. Its results
587 * will be combined (ORed) with a default strategy that is responsible for
588 * handling backward compatibility. */
589 const acl_strategy_t extra_acl_strategy;
590
591 const AuthInfo info;
592 const rgw::auth::ImplicitTenants& implicit_tenant_context;
593 const rgw::auth::ImplicitTenants::implicit_tenant_flag_bits implicit_tenant_bit;
594
595 virtual void create_account(const DoutPrefixProvider* dpp,
596 const rgw_user& acct_user,
597 bool implicit_tenant,
598 RGWUserInfo& user_info) const; /* out */
599
600 public:
601 RemoteApplier(CephContext* const cct,
602 rgw::sal::Driver* driver,
603 acl_strategy_t&& extra_acl_strategy,
604 const AuthInfo& info,
605 const rgw::auth::ImplicitTenants& implicit_tenant_context,
606 rgw::auth::ImplicitTenants::implicit_tenant_flag_bits implicit_tenant_bit)
607 : cct(cct),
608 driver(driver),
609 extra_acl_strategy(std::move(extra_acl_strategy)),
610 info(info),
611 implicit_tenant_context(implicit_tenant_context),
612 implicit_tenant_bit(implicit_tenant_bit) {
613 }
614
615 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
616 bool is_admin_of(const rgw_user& uid) const override;
617 bool is_owner_of(const rgw_user& uid) const override;
618 bool is_identity(const idset_t& ids) const override;
619
620 uint32_t get_perm_mask() const override { return info.perm_mask; }
621 void to_str(std::ostream& out) const override;
622 void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
623 void write_ops_log_entry(rgw_log_entry& entry) const override;
624 uint32_t get_identity_type() const override { return info.acct_type; }
625 std::string get_acct_name() const override { return info.acct_name; }
626 std::string get_subuser() const override { return {}; }
627
628 struct Factory {
629 virtual ~Factory() {}
630 /* Providing r-value reference here is required intensionally. Callee is
631 * thus disallowed to handle std::function in a way that could inhibit
632 * the move behaviour (like forgetting about std::moving a l-value). */
633 virtual aplptr_t create_apl_remote(CephContext* cct,
634 const req_state* s,
635 acl_strategy_t&& extra_acl_strategy,
636 const AuthInfo &info) const = 0;
637 };
638 };
639
640
641 /* rgw::auth::LocalApplier targets those auth engines that base on the data
642 * enclosed in the RGWUserInfo control structure. As a side effect of doing
643 * the authentication process, they must have it loaded. Leveraging this is
644 * a way to avoid unnecessary calls to underlying RADOS store. */
645 class LocalApplier : public IdentityApplier {
646 using aclspec_t = rgw::auth::Identity::aclspec_t;
647
648 protected:
649 const RGWUserInfo user_info;
650 const std::string subuser;
651 uint32_t perm_mask;
652 const std::string access_key_id;
653
654 uint32_t get_perm_mask(const std::string& subuser_name,
655 const RGWUserInfo &uinfo) const;
656
657 public:
658 static const std::string NO_SUBUSER;
659 static const std::string NO_ACCESS_KEY;
660
661 LocalApplier(CephContext* const cct,
662 const RGWUserInfo& user_info,
663 std::string subuser,
664 const std::optional<uint32_t>& perm_mask,
665 const std::string access_key_id)
666 : user_info(user_info),
667 subuser(std::move(subuser)),
668 perm_mask(perm_mask.value_or(RGW_PERM_INVALID)),
669 access_key_id(access_key_id) {
670 }
671
672
673 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
674 bool is_admin_of(const rgw_user& uid) const override;
675 bool is_owner_of(const rgw_user& uid) const override;
676 bool is_identity(const idset_t& ids) const override;
677 uint32_t get_perm_mask() const override {
678 if (this->perm_mask == RGW_PERM_INVALID) {
679 return get_perm_mask(subuser, user_info);
680 } else {
681 return this->perm_mask;
682 }
683 }
684 void to_str(std::ostream& out) const override;
685 void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
686 uint32_t get_identity_type() const override { return TYPE_RGW; }
687 std::string get_acct_name() const override { return {}; }
688 std::string get_subuser() const override { return subuser; }
689 void write_ops_log_entry(rgw_log_entry& entry) const override;
690
691 struct Factory {
692 virtual ~Factory() {}
693 virtual aplptr_t create_apl_local(CephContext* cct,
694 const req_state* s,
695 const RGWUserInfo& user_info,
696 const std::string& subuser,
697 const std::optional<uint32_t>& perm_mask,
698 const std::string& access_key_id) const = 0;
699 };
700 };
701
702 class RoleApplier : public IdentityApplier {
703 public:
704 struct Role {
705 std::string id;
706 std::string name;
707 std::string tenant;
708 std::vector<std::string> role_policies;
709 };
710 struct TokenAttrs {
711 rgw_user user_id;
712 std::string token_policy;
713 std::string role_session_name;
714 std::vector<std::string> token_claims;
715 std::string token_issued_at;
716 std::vector<std::pair<std::string, std::string>> principal_tags;
717 };
718 protected:
719 Role role;
720 TokenAttrs token_attrs;
721
722 public:
723
724 RoleApplier(CephContext* const cct,
725 const Role& role,
726 const TokenAttrs& token_attrs)
727 : role(role),
728 token_attrs(token_attrs) {}
729
730 uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
731 return 0;
732 }
733 bool is_admin_of(const rgw_user& uid) const override {
734 return false;
735 }
736 bool is_owner_of(const rgw_user& uid) const override {
737 return (this->token_attrs.user_id.id == uid.id && this->token_attrs.user_id.tenant == uid.tenant && this->token_attrs.user_id.ns == uid.ns);
738 }
739 bool is_identity(const idset_t& ids) const override;
740 uint32_t get_perm_mask() const override {
741 return RGW_PERM_NONE;
742 }
743 void to_str(std::ostream& out) const override;
744 void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
745 uint32_t get_identity_type() const override { return TYPE_ROLE; }
746 std::string get_acct_name() const override { return {}; }
747 std::string get_subuser() const override { return {}; }
748 void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;
749 std::string get_role_tenant() const override { return role.tenant; }
750
751 struct Factory {
752 virtual ~Factory() {}
753 virtual aplptr_t create_apl_role( CephContext* cct,
754 const req_state* s,
755 const rgw::auth::RoleApplier::Role& role,
756 const rgw::auth::RoleApplier::TokenAttrs& token_attrs) const = 0;
757 };
758 };
759
760 /* The anonymous abstract engine. */
761 class AnonymousEngine : public Engine {
762 CephContext* const cct;
763 const rgw::auth::LocalApplier::Factory* const apl_factory;
764
765 public:
766 AnonymousEngine(CephContext* const cct,
767 const rgw::auth::LocalApplier::Factory* const apl_factory)
768 : cct(cct),
769 apl_factory(apl_factory) {
770 }
771
772 const char* get_name() const noexcept override {
773 return "rgw::auth::AnonymousEngine";
774 }
775
776 Engine::result_t authenticate(const DoutPrefixProvider* dpp, const req_state* s, optional_yield y) const override final;
777
778 protected:
779 virtual bool is_applicable(const req_state*) const noexcept {
780 return true;
781 }
782 };
783
784 } /* namespace auth */
785 } /* namespace rgw */
786
787
788 uint32_t rgw_perms_from_aclspec_default_strategy(
789 const rgw_user& uid,
790 const rgw::auth::Identity::aclspec_t& aclspec,
791 const DoutPrefixProvider *dpp);
Ceph