]>
git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_rest_role.cc
13e1c37e413bc2f5ec875ae25414eecdf4bc69d4
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
6 #include "common/errno.h"
7 #include "common/Formatter.h"
8 #include "common/ceph_json.h"
10 #include "include/types.h"
11 #include "rgw_string.h"
13 #include "rgw_common.h"
17 #include "rgw_rest_role.h"
18 #include "rgw_sal_rados.h"
20 #define dout_subsys ceph_subsys_rgw
22 int RGWRestRole::verify_permission(optional_yield y
)
24 if (s
->auth
.identity
->is_anonymous()) {
28 string role_name
= s
->info
.args
.get("RoleName");
29 RGWRole
role(s
->cct
, store
->getRados()->pctl
, role_name
, s
->user
->get_tenant());
30 if (op_ret
= role
.get(y
); op_ret
< 0) {
31 if (op_ret
== -ENOENT
) {
32 op_ret
= -ERR_NO_ROLE_FOUND
;
37 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
38 _role
= std::move(role
);
42 string resource_name
= role
.get_path() + role_name
;
43 uint64_t op
= get_op();
44 if (!verify_user_permission(this,
46 rgw::ARN(resource_name
,
48 s
->user
->get_tenant(), true),
53 _role
= std::move(role
);
58 void RGWRestRole::send_response()
61 set_req_state_err(s
, op_ret
);
67 int RGWRoleRead::check_caps(const RGWUserCaps
& caps
)
69 return caps
.check_cap("roles", RGW_CAP_READ
);
72 int RGWRoleWrite::check_caps(const RGWUserCaps
& caps
)
74 return caps
.check_cap("roles", RGW_CAP_WRITE
);
77 int RGWCreateRole::verify_permission(optional_yield y
)
79 if (s
->auth
.identity
->is_anonymous()) {
83 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
87 string role_name
= s
->info
.args
.get("RoleName");
88 string role_path
= s
->info
.args
.get("Path");
90 string resource_name
= role_path
+ role_name
;
91 if (!verify_user_permission(this,
93 rgw::ARN(resource_name
,
95 s
->user
->get_tenant(), true),
102 int RGWCreateRole::get_params()
104 role_name
= s
->info
.args
.get("RoleName");
105 role_path
= s
->info
.args
.get("Path");
106 trust_policy
= s
->info
.args
.get("AssumeRolePolicyDocument");
107 max_session_duration
= s
->info
.args
.get("MaxSessionDuration");
109 if (role_name
.empty() || trust_policy
.empty()) {
110 ldout(s
->cct
, 20) << "ERROR: one of role name or assume role policy document is empty"
115 bufferlist bl
= bufferlist::static_from_string(trust_policy
);
117 const rgw::IAM::Policy
p(s
->cct
, s
->user
->get_tenant(), bl
);
119 catch (rgw::IAM::PolicyParseException
& e
) {
120 ldout(s
->cct
, 20) << "failed to parse policy: " << e
.what() << dendl
;
121 return -ERR_MALFORMED_DOC
;
127 void RGWCreateRole::execute(optional_yield y
)
129 op_ret
= get_params();
133 RGWRole
role(s
->cct
, store
->getRados()->pctl
, role_name
, role_path
, trust_policy
,
134 s
->user
->get_tenant(), max_session_duration
);
135 op_ret
= role
.create(true, y
);
137 if (op_ret
== -EEXIST
) {
138 op_ret
= -ERR_ROLE_EXISTS
;
142 s
->formatter
->open_object_section("CreateRoleResponse");
143 s
->formatter
->open_object_section("CreateRoleResult");
144 s
->formatter
->open_object_section("Role");
145 role
.dump(s
->formatter
);
146 s
->formatter
->close_section();
147 s
->formatter
->close_section();
148 s
->formatter
->open_object_section("ResponseMetadata");
149 s
->formatter
->dump_string("RequestId", s
->trans_id
);
150 s
->formatter
->close_section();
151 s
->formatter
->close_section();
155 int RGWDeleteRole::get_params()
157 role_name
= s
->info
.args
.get("RoleName");
159 if (role_name
.empty()) {
160 ldout(s
->cct
, 20) << "ERROR: Role name is empty"<< dendl
;
167 void RGWDeleteRole::execute(optional_yield y
)
169 op_ret
= get_params();
174 op_ret
= _role
.delete_obj(y
);
176 if (op_ret
== -ENOENT
) {
177 op_ret
= -ERR_NO_ROLE_FOUND
;
180 s
->formatter
->open_object_section("DeleteRoleResponse");
181 s
->formatter
->open_object_section("ResponseMetadata");
182 s
->formatter
->dump_string("RequestId", s
->trans_id
);
183 s
->formatter
->close_section();
184 s
->formatter
->close_section();
187 int RGWGetRole::verify_permission(optional_yield y
)
192 int RGWGetRole::_verify_permission(const RGWRole
& role
)
194 if (s
->auth
.identity
->is_anonymous()) {
198 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
202 string resource_name
= role
.get_path() + role
.get_name();
203 if (!verify_user_permission(this,
205 rgw::ARN(resource_name
,
207 s
->user
->get_tenant(), true),
214 int RGWGetRole::get_params()
216 role_name
= s
->info
.args
.get("RoleName");
218 if (role_name
.empty()) {
219 ldout(s
->cct
, 20) << "ERROR: Role name is empty"<< dendl
;
226 void RGWGetRole::execute(optional_yield y
)
228 op_ret
= get_params();
232 RGWRole
role(s
->cct
, store
->getRados()->pctl
, role_name
, s
->user
->get_tenant());
233 op_ret
= role
.get(y
);
235 if (op_ret
== -ENOENT
) {
236 op_ret
= -ERR_NO_ROLE_FOUND
;
240 op_ret
= _verify_permission(role
);
243 s
->formatter
->open_object_section("GetRoleResponse");
244 s
->formatter
->open_object_section("ResponseMetadata");
245 s
->formatter
->dump_string("RequestId", s
->trans_id
);
246 s
->formatter
->close_section();
247 s
->formatter
->open_object_section("GetRoleResult");
248 s
->formatter
->open_object_section("Role");
249 role
.dump(s
->formatter
);
250 s
->formatter
->close_section();
251 s
->formatter
->close_section();
252 s
->formatter
->close_section();
256 int RGWModifyRole::get_params()
258 role_name
= s
->info
.args
.get("RoleName");
259 trust_policy
= s
->info
.args
.get("PolicyDocument");
261 if (role_name
.empty() || trust_policy
.empty()) {
262 ldout(s
->cct
, 20) << "ERROR: One of role name or trust policy is empty"<< dendl
;
266 if (!p
.parse(trust_policy
.c_str(), trust_policy
.length())) {
267 ldout(s
->cct
, 20) << "ERROR: failed to parse assume role policy doc" << dendl
;
268 return -ERR_MALFORMED_DOC
;
274 void RGWModifyRole::execute(optional_yield y
)
276 op_ret
= get_params();
281 _role
.update_trust_policy(trust_policy
);
282 op_ret
= _role
.update(y
);
284 s
->formatter
->open_object_section("UpdateAssumeRolePolicyResponse");
285 s
->formatter
->open_object_section("ResponseMetadata");
286 s
->formatter
->dump_string("RequestId", s
->trans_id
);
287 s
->formatter
->close_section();
288 s
->formatter
->close_section();
291 int RGWListRoles::verify_permission(optional_yield y
)
293 if (s
->auth
.identity
->is_anonymous()) {
297 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
301 if (!verify_user_permission(this,
311 int RGWListRoles::get_params()
313 path_prefix
= s
->info
.args
.get("PathPrefix");
318 void RGWListRoles::execute(optional_yield y
)
320 op_ret
= get_params();
324 vector
<RGWRole
> result
;
325 op_ret
= RGWRole::get_roles_by_path_prefix(store
->getRados(), s
->cct
, path_prefix
, s
->user
->get_tenant(), result
, y
);
328 s
->formatter
->open_array_section("ListRolesResponse");
329 s
->formatter
->open_object_section("ResponseMetadata");
330 s
->formatter
->dump_string("RequestId", s
->trans_id
);
331 s
->formatter
->close_section();
332 s
->formatter
->open_array_section("ListRolesResult");
333 s
->formatter
->open_object_section("Roles");
334 for (const auto& it
: result
) {
335 s
->formatter
->open_object_section("member");
336 it
.dump(s
->formatter
);
337 s
->formatter
->close_section();
339 s
->formatter
->close_section();
340 s
->formatter
->close_section();
341 s
->formatter
->close_section();
345 int RGWPutRolePolicy::get_params()
347 role_name
= s
->info
.args
.get("RoleName");
348 policy_name
= s
->info
.args
.get("PolicyName");
349 perm_policy
= s
->info
.args
.get("PolicyDocument");
351 if (role_name
.empty() || policy_name
.empty() || perm_policy
.empty()) {
352 ldout(s
->cct
, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl
;
355 bufferlist bl
= bufferlist::static_from_string(perm_policy
);
357 const rgw::IAM::Policy
p(s
->cct
, s
->user
->get_tenant(), bl
);
359 catch (rgw::IAM::PolicyParseException
& e
) {
360 ldout(s
->cct
, 20) << "failed to parse policy: " << e
.what() << dendl
;
361 return -ERR_MALFORMED_DOC
;
366 void RGWPutRolePolicy::execute(optional_yield y
)
368 op_ret
= get_params();
373 _role
.set_perm_policy(policy_name
, perm_policy
);
374 op_ret
= _role
.update(y
);
377 s
->formatter
->open_object_section("PutRolePolicyResponse");
378 s
->formatter
->open_object_section("ResponseMetadata");
379 s
->formatter
->dump_string("RequestId", s
->trans_id
);
380 s
->formatter
->close_section();
381 s
->formatter
->close_section();
385 int RGWGetRolePolicy::get_params()
387 role_name
= s
->info
.args
.get("RoleName");
388 policy_name
= s
->info
.args
.get("PolicyName");
390 if (role_name
.empty() || policy_name
.empty()) {
391 ldout(s
->cct
, 20) << "ERROR: One of role name or policy name is empty"<< dendl
;
397 void RGWGetRolePolicy::execute(optional_yield y
)
399 op_ret
= get_params();
405 op_ret
= _role
.get_role_policy(policy_name
, perm_policy
);
406 if (op_ret
== -ENOENT
) {
407 op_ret
= -ERR_NO_SUCH_ENTITY
;
411 s
->formatter
->open_object_section("GetRolePolicyResponse");
412 s
->formatter
->open_object_section("ResponseMetadata");
413 s
->formatter
->dump_string("RequestId", s
->trans_id
);
414 s
->formatter
->close_section();
415 s
->formatter
->open_object_section("GetRolePolicyResult");
416 s
->formatter
->dump_string("PolicyName", policy_name
);
417 s
->formatter
->dump_string("RoleName", role_name
);
418 s
->formatter
->dump_string("PolicyDocument", perm_policy
);
419 s
->formatter
->close_section();
420 s
->formatter
->close_section();
424 int RGWListRolePolicies::get_params()
426 role_name
= s
->info
.args
.get("RoleName");
428 if (role_name
.empty()) {
429 ldout(s
->cct
, 20) << "ERROR: Role name is empty"<< dendl
;
435 void RGWListRolePolicies::execute(optional_yield y
)
437 op_ret
= get_params();
442 std::vector
<string
> policy_names
= _role
.get_role_policy_names();
443 s
->formatter
->open_object_section("ListRolePoliciesResponse");
444 s
->formatter
->open_object_section("ResponseMetadata");
445 s
->formatter
->dump_string("RequestId", s
->trans_id
);
446 s
->formatter
->close_section();
447 s
->formatter
->open_object_section("ListRolePoliciesResult");
448 s
->formatter
->open_array_section("PolicyNames");
449 for (const auto& it
: policy_names
) {
450 s
->formatter
->dump_string("member", it
);
452 s
->formatter
->close_section();
453 s
->formatter
->close_section();
454 s
->formatter
->close_section();
457 int RGWDeleteRolePolicy::get_params()
459 role_name
= s
->info
.args
.get("RoleName");
460 policy_name
= s
->info
.args
.get("PolicyName");
462 if (role_name
.empty() || policy_name
.empty()) {
463 ldout(s
->cct
, 20) << "ERROR: One of role name or policy name is empty"<< dendl
;
469 void RGWDeleteRolePolicy::execute(optional_yield y
)
471 op_ret
= get_params();
476 op_ret
= _role
.delete_policy(policy_name
);
477 if (op_ret
== -ENOENT
) {
478 op_ret
= -ERR_NO_ROLE_FOUND
;
482 op_ret
= _role
.update(y
);
485 s
->formatter
->open_object_section("DeleteRolePoliciesResponse");
486 s
->formatter
->open_object_section("ResponseMetadata");
487 s
->formatter
->dump_string("RequestId", s
->trans_id
);
488 s
->formatter
->close_section();
489 s
->formatter
->close_section();