1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
5 #ifndef CEPH_RGW_AUTH_KEYSTONE_H
6 #define CEPH_RGW_AUTH_KEYSTONE_H
9 #include <boost/optional.hpp>
10 #include <boost/utility/string_view.hpp>
13 #include "rgw_rest_s3.h"
14 #include "rgw_common.h"
15 #include "rgw_keystone.h"
/* Dedicated namespace for Keystone-related auth engines. We need it because
 * Keystone offers three different authentication mechanisms (token, EC2 and
 * regular user/pass). RadosGW supports only the first two; they are
 * implemented by TokenEngine and EC2Engine below. */
/* Auth engine for requests that carry a Keystone token. The token itself is
 * pulled out of the request by the configured TokenExtractor; validation is
 * either done locally (PKI-format tokens) or by asking the Keystone service.
 * Once the identity is established the RemoteApplier factory builds the
 * applier that maps it onto an RGW user. */
class TokenEngine : public rgw::auth::Engine {
private:
  /* Short names for the applier/engine/keystone types this engine hands
   * around. */
  using acl_strategy_t   = rgw::auth::RemoteApplier::acl_strategy_t;
  using auth_info_t      = rgw::auth::RemoteApplier::AuthInfo;
  using result_t         = rgw::auth::Engine::result_t;
  using token_envelope_t = rgw::keystone::TokenEnvelope;

  CephContext* const cct;

  /* Obtains the raw token string from the request (see authenticate()). */
  const rgw::auth::TokenExtractor* const extractor;

  /* Builds the applier for an identity Keystone has vouched for. */
  const rgw::auth::RemoteApplier::Factory* const apl_factory;

  /* Held by reference, so both objects must outlive the engine; presumably
   * they are the same instances the other Keystone engines use. */
  rgw::keystone::Config& config;
  rgw::keystone::TokenCache& token_cache;

  /* Helper methods, implemented out of line. */

  /* Cheap, non-throwing check on the raw token string that runs before
   * anything talks to Keystone. */
  bool is_applicable(const std::string& token) const noexcept;

  /* Locally decodes a PKI-format token into its envelope, i.e. without a
   * Keystone round trip. It returns by value rather than optional, so a
   * malformed token is presumably reported by throwing -- confirm in the
   * implementation.
   * NOTE(review): whether the signature of the PKI envelope is verified, and
   * against which certificate, is not visible from this header; confirm
   * before trusting locally decoded tokens. */
  token_envelope_t decode_pki_token(const DoutPrefixProvider* dpp,
                                    const std::string& token) const;

  /* Validates the token against the Keystone service itself. boost::none
   * presumably means Keystone did not accept the token. */
  boost::optional<token_envelope_t>
  get_from_keystone(const DoutPrefixProvider* dpp,
                    const std::string& token) const;

  /* Chooses the ACL strategy the RemoteApplier should use for a validated
   * envelope. */
  acl_strategy_t get_acl_strategy(const token_envelope_t& token) const;

  /* Turns a validated envelope into the AuthInfo handed to the applier.
   * admin_roles lists the role names that confer admin privileges;
   * presumably it is matched against the roles carried in the envelope --
   * verify against the implementation. */
  auth_info_t get_creds_info(const token_envelope_t& token,
                             const std::vector<std::string>& admin_roles) const;

  /* Core path: authenticate an already-extracted token for request s. */
  result_t authenticate(const DoutPrefixProvider* dpp,
                        const std::string& token,
                        const req_state* s) const;

public:
  /* All collaborators are injected; the engine owns none of them. */
  TokenEngine(CephContext* const cct,
              const rgw::auth::TokenExtractor* const extractor,
              const rgw::auth::RemoteApplier::Factory* const apl_factory,
              rgw::keystone::Config& config,
              rgw::keystone::TokenCache& token_cache)
    : cct(cct),
      extractor(extractor),
      apl_factory(apl_factory),
      config(config),
      token_cache(token_cache) {
  }

  const char* get_name() const noexcept override {
    return "rgw::auth::keystone::TokenEngine";
  }

  /* Engine entry point: fetch the token from the request with the configured
   * extractor and delegate to the private, token-taking overload. */
  result_t authenticate(const DoutPrefixProvider* dpp,
                        const req_state* const s) const override {
    const auto token = extractor->get_token(s);
    return authenticate(dpp, token, s);
  }
}; /* class TokenEngine */
/* Auth engine for AWS-style (access key + signature) credentials that are
 * verified by Keystone rather than by RGW itself: the access key id, the
 * string-to-sign and the client's signature are shipped to Keystone, which
 * answers with the token envelope of the matching identity. */
class EC2Engine : public rgw::auth::s3::AWSEngine {
private:
  using acl_strategy_t   = rgw::auth::RemoteApplier::acl_strategy_t;
  using auth_info_t      = rgw::auth::RemoteApplier::AuthInfo;
  using result_t         = rgw::auth::Engine::result_t;
  using token_envelope_t = rgw::keystone::TokenEnvelope;

  /* Builds the applier for an identity Keystone has vouched for. */
  const rgw::auth::RemoteApplier::Factory* const apl_factory;

  /* Held by reference; both must outlive the engine. */
  rgw::keystone::Config& config;
  rgw::keystone::TokenCache& token_cache;

  /* Chooses the ACL strategy the RemoteApplier should use for a validated
   * envelope. */
  acl_strategy_t get_acl_strategy(const token_envelope_t& token) const;

  /* Turns a validated envelope into the AuthInfo handed to the applier.
   * admin_roles lists the role names that confer admin privileges;
   * presumably matched against the roles in the envelope -- verify. */
  auth_info_t get_creds_info(const token_envelope_t& token,
                             const std::vector<std::string>& admin_roles) const;

  /* Asks Keystone to check the client's signature over string_to_sign for
   * access_key_id. The int of the returned pair is presumably the error code
   * of the Keystone call; the optional is presumably empty when Keystone
   * rejects the credentials -- confirm in the implementation. */
  std::pair<boost::optional<token_envelope_t>, int>
  get_from_keystone(const DoutPrefixProvider* dpp,
                    const boost::string_view& access_key_id,
                    const std::string& string_to_sign,
                    const boost::string_view& signature) const;

  /* AWSEngine hook. The signature_factory_t parameter is deliberately left
   * unnamed: this engine never recomputes a signature locally, Keystone does
   * the comparison. NOTE(review): whether session_token is consulted at all
   * is not visible from the header. */
  result_t authenticate(const DoutPrefixProvider* dpp,
                        const boost::string_view& access_key_id,
                        const boost::string_view& signature,
                        const boost::string_view& session_token,
                        const string_to_sign_t& string_to_sign,
                        const signature_factory_t&,
                        const completer_factory_t& completer_factory,
                        const req_state* s) const override;

public:
  EC2Engine(CephContext* const cct,
            const rgw::auth::s3::AWSEngine::VersionAbstractor* const ver_abstractor,
            const rgw::auth::RemoteApplier::Factory* const apl_factory,
            rgw::keystone::Config& config,
            /* The token cache is used ONLY for retrieving the admin token.
             * Due to the architecture of AWS auth, S3 credentials cannot be
             * cached. */
            rgw::keystone::TokenCache& token_cache)
    : AWSEngine(cct, *ver_abstractor),
      apl_factory(apl_factory),
      config(config),
      token_cache(token_cache) {
  }

  /* The override above would otherwise hide the base-class authenticate()
   * overloads; re-expose them. */
  using AWSEngine::authenticate;

  const char* get_name() const noexcept override {
    return "rgw::auth::keystone::EC2Engine";
  }
}; /* class EC2Engine */
126 }; /* namespace keystone */
127 }; /* namespace auth */
128 }; /* namespace rgw */
130 #endif /* CEPH_RGW_AUTH_KEYSTONE_H */