]>
git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_rest_role.cc
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
6 #include "common/errno.h"
7 #include "common/Formatter.h"
8 #include "common/ceph_json.h"
10 #include "include/types.h"
11 #include "rgw_string.h"
13 #include "rgw_common.h"
17 #include "rgw_rest_role.h"
19 #define dout_subsys ceph_subsys_rgw
21 int RGWRestRole::verify_permission()
23 if (s
->auth
.identity
->is_anonymous()) {
27 string role_name
= s
->info
.args
.get("RoleName");
28 RGWRole
role(s
->cct
, store
->getRados()->pctl
, role_name
, s
->user
->get_tenant());
29 if (op_ret
= role
.get(); op_ret
< 0) {
30 if (op_ret
== -ENOENT
) {
31 op_ret
= -ERR_NO_ROLE_FOUND
;
36 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
37 _role
= std::move(role
);
41 string resource_name
= role
.get_path() + role_name
;
42 uint64_t op
= get_op();
43 if (!verify_user_permission(this,
45 rgw::ARN(resource_name
,
47 s
->user
->get_tenant(), true),
52 _role
= std::move(role
);
57 void RGWRestRole::send_response()
60 set_req_state_err(s
, op_ret
);
66 int RGWRoleRead::check_caps(const RGWUserCaps
& caps
)
68 return caps
.check_cap("roles", RGW_CAP_READ
);
71 int RGWRoleWrite::check_caps(const RGWUserCaps
& caps
)
73 return caps
.check_cap("roles", RGW_CAP_WRITE
);
76 int RGWCreateRole::verify_permission()
78 if (s
->auth
.identity
->is_anonymous()) {
82 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
86 string role_name
= s
->info
.args
.get("RoleName");
87 string role_path
= s
->info
.args
.get("Path");
89 string resource_name
= role_path
+ role_name
;
90 if (!verify_user_permission(this,
92 rgw::ARN(resource_name
,
94 s
->user
->get_tenant(), true),
101 int RGWCreateRole::get_params()
103 role_name
= s
->info
.args
.get("RoleName");
104 role_path
= s
->info
.args
.get("Path");
105 trust_policy
= s
->info
.args
.get("AssumeRolePolicyDocument");
106 max_session_duration
= s
->info
.args
.get("MaxSessionDuration");
108 if (role_name
.empty() || trust_policy
.empty()) {
109 ldout(s
->cct
, 20) << "ERROR: one of role name or assume role policy document is empty"
114 bufferlist bl
= bufferlist::static_from_string(trust_policy
);
116 const rgw::IAM::Policy
p(s
->cct
, s
->user
->get_tenant(), bl
);
118 catch (rgw::IAM::PolicyParseException
& e
) {
119 ldout(s
->cct
, 20) << "failed to parse policy: " << e
.what() << dendl
;
120 return -ERR_MALFORMED_DOC
;
126 void RGWCreateRole::execute()
128 op_ret
= get_params();
132 RGWRole
role(s
->cct
, store
->getRados()->pctl
, role_name
, role_path
, trust_policy
,
133 s
->user
->get_tenant(), max_session_duration
);
134 op_ret
= role
.create(true);
136 if (op_ret
== -EEXIST
) {
137 op_ret
= -ERR_ROLE_EXISTS
;
141 s
->formatter
->open_object_section("CreateRoleResponse");
142 s
->formatter
->open_object_section("CreateRoleResult");
143 s
->formatter
->open_object_section("Role");
144 role
.dump(s
->formatter
);
145 s
->formatter
->close_section();
146 s
->formatter
->close_section();
147 s
->formatter
->open_object_section("ResponseMetadata");
148 s
->formatter
->dump_string("RequestId", s
->trans_id
);
149 s
->formatter
->close_section();
150 s
->formatter
->close_section();
154 int RGWDeleteRole::get_params()
156 role_name
= s
->info
.args
.get("RoleName");
158 if (role_name
.empty()) {
159 ldout(s
->cct
, 20) << "ERROR: Role name is empty"<< dendl
;
166 void RGWDeleteRole::execute()
168 op_ret
= get_params();
173 op_ret
= _role
.delete_obj();
175 if (op_ret
== -ENOENT
) {
176 op_ret
= -ERR_NO_ROLE_FOUND
;
179 s
->formatter
->open_object_section("DeleteRoleResponse");
180 s
->formatter
->open_object_section("ResponseMetadata");
181 s
->formatter
->dump_string("RequestId", s
->trans_id
);
182 s
->formatter
->close_section();
183 s
->formatter
->close_section();
186 int RGWGetRole::verify_permission()
191 int RGWGetRole::_verify_permission(const RGWRole
& role
)
193 if (s
->auth
.identity
->is_anonymous()) {
197 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
201 string resource_name
= role
.get_path() + role
.get_name();
202 if (!verify_user_permission(this,
204 rgw::ARN(resource_name
,
206 s
->user
->get_tenant(), true),
213 int RGWGetRole::get_params()
215 role_name
= s
->info
.args
.get("RoleName");
217 if (role_name
.empty()) {
218 ldout(s
->cct
, 20) << "ERROR: Role name is empty"<< dendl
;
225 void RGWGetRole::execute()
227 op_ret
= get_params();
231 RGWRole
role(s
->cct
, store
->getRados()->pctl
, role_name
, s
->user
->get_tenant());
234 if (op_ret
== -ENOENT
) {
235 op_ret
= -ERR_NO_ROLE_FOUND
;
239 op_ret
= _verify_permission(role
);
242 s
->formatter
->open_object_section("GetRoleResponse");
243 s
->formatter
->open_object_section("ResponseMetadata");
244 s
->formatter
->dump_string("RequestId", s
->trans_id
);
245 s
->formatter
->close_section();
246 s
->formatter
->open_object_section("GetRoleResult");
247 s
->formatter
->open_object_section("Role");
248 role
.dump(s
->formatter
);
249 s
->formatter
->close_section();
250 s
->formatter
->close_section();
251 s
->formatter
->close_section();
255 int RGWModifyRole::get_params()
257 role_name
= s
->info
.args
.get("RoleName");
258 trust_policy
= s
->info
.args
.get("PolicyDocument");
260 if (role_name
.empty() || trust_policy
.empty()) {
261 ldout(s
->cct
, 20) << "ERROR: One of role name or trust policy is empty"<< dendl
;
265 if (!p
.parse(trust_policy
.c_str(), trust_policy
.length())) {
266 ldout(s
->cct
, 20) << "ERROR: failed to parse assume role policy doc" << dendl
;
267 return -ERR_MALFORMED_DOC
;
273 void RGWModifyRole::execute()
275 op_ret
= get_params();
280 _role
.update_trust_policy(trust_policy
);
281 op_ret
= _role
.update();
283 s
->formatter
->open_object_section("UpdateAssumeRolePolicyResponse");
284 s
->formatter
->open_object_section("ResponseMetadata");
285 s
->formatter
->dump_string("RequestId", s
->trans_id
);
286 s
->formatter
->close_section();
287 s
->formatter
->close_section();
290 int RGWListRoles::verify_permission()
292 if (s
->auth
.identity
->is_anonymous()) {
296 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
300 if (!verify_user_permission(this,
310 int RGWListRoles::get_params()
312 path_prefix
= s
->info
.args
.get("PathPrefix");
317 void RGWListRoles::execute()
319 op_ret
= get_params();
323 vector
<RGWRole
> result
;
324 op_ret
= RGWRole::get_roles_by_path_prefix(store
->getRados(), s
->cct
, path_prefix
, s
->user
->get_tenant(), result
);
327 s
->formatter
->open_array_section("ListRolesResponse");
328 s
->formatter
->open_object_section("ResponseMetadata");
329 s
->formatter
->dump_string("RequestId", s
->trans_id
);
330 s
->formatter
->close_section();
331 s
->formatter
->open_array_section("ListRolesResult");
332 s
->formatter
->open_object_section("Roles");
333 for (const auto& it
: result
) {
334 s
->formatter
->open_object_section("member");
335 it
.dump(s
->formatter
);
336 s
->formatter
->close_section();
338 s
->formatter
->close_section();
339 s
->formatter
->close_section();
340 s
->formatter
->close_section();
344 int RGWPutRolePolicy::get_params()
346 role_name
= s
->info
.args
.get("RoleName");
347 policy_name
= s
->info
.args
.get("PolicyName");
348 perm_policy
= s
->info
.args
.get("PolicyDocument");
350 if (role_name
.empty() || policy_name
.empty() || perm_policy
.empty()) {
351 ldout(s
->cct
, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl
;
354 bufferlist bl
= bufferlist::static_from_string(perm_policy
);
356 const rgw::IAM::Policy
p(s
->cct
, s
->user
->get_tenant(), bl
);
358 catch (rgw::IAM::PolicyParseException
& e
) {
359 ldout(s
->cct
, 20) << "failed to parse policy: " << e
.what() << dendl
;
360 return -ERR_MALFORMED_DOC
;
365 void RGWPutRolePolicy::execute()
367 op_ret
= get_params();
372 _role
.set_perm_policy(policy_name
, perm_policy
);
373 op_ret
= _role
.update();
376 s
->formatter
->open_object_section("PutRolePolicyResponse");
377 s
->formatter
->open_object_section("ResponseMetadata");
378 s
->formatter
->dump_string("RequestId", s
->trans_id
);
379 s
->formatter
->close_section();
380 s
->formatter
->close_section();
384 int RGWGetRolePolicy::get_params()
386 role_name
= s
->info
.args
.get("RoleName");
387 policy_name
= s
->info
.args
.get("PolicyName");
389 if (role_name
.empty() || policy_name
.empty()) {
390 ldout(s
->cct
, 20) << "ERROR: One of role name or policy name is empty"<< dendl
;
396 void RGWGetRolePolicy::execute()
398 op_ret
= get_params();
404 op_ret
= _role
.get_role_policy(policy_name
, perm_policy
);
405 if (op_ret
== -ENOENT
) {
406 op_ret
= -ERR_NO_SUCH_ENTITY
;
410 s
->formatter
->open_object_section("GetRolePolicyResponse");
411 s
->formatter
->open_object_section("ResponseMetadata");
412 s
->formatter
->dump_string("RequestId", s
->trans_id
);
413 s
->formatter
->close_section();
414 s
->formatter
->open_object_section("GetRolePolicyResult");
415 s
->formatter
->dump_string("PolicyName", policy_name
);
416 s
->formatter
->dump_string("RoleName", role_name
);
417 s
->formatter
->dump_string("Permission policy", perm_policy
);
418 s
->formatter
->close_section();
419 s
->formatter
->close_section();
423 int RGWListRolePolicies::get_params()
425 role_name
= s
->info
.args
.get("RoleName");
427 if (role_name
.empty()) {
428 ldout(s
->cct
, 20) << "ERROR: Role name is empty"<< dendl
;
434 void RGWListRolePolicies::execute()
436 op_ret
= get_params();
441 std::vector
<string
> policy_names
= _role
.get_role_policy_names();
442 s
->formatter
->open_object_section("ListRolePoliciesResponse");
443 s
->formatter
->open_object_section("ResponseMetadata");
444 s
->formatter
->dump_string("RequestId", s
->trans_id
);
445 s
->formatter
->close_section();
446 s
->formatter
->open_object_section("ListRolePoliciesResult");
447 s
->formatter
->open_array_section("PolicyNames");
448 for (const auto& it
: policy_names
) {
449 s
->formatter
->dump_string("member", it
);
451 s
->formatter
->close_section();
452 s
->formatter
->close_section();
453 s
->formatter
->close_section();
456 int RGWDeleteRolePolicy::get_params()
458 role_name
= s
->info
.args
.get("RoleName");
459 policy_name
= s
->info
.args
.get("PolicyName");
461 if (role_name
.empty() || policy_name
.empty()) {
462 ldout(s
->cct
, 20) << "ERROR: One of role name or policy name is empty"<< dendl
;
468 void RGWDeleteRolePolicy::execute()
470 op_ret
= get_params();
475 op_ret
= _role
.delete_policy(policy_name
);
476 if (op_ret
== -ENOENT
) {
477 op_ret
= -ERR_NO_ROLE_FOUND
;
481 op_ret
= _role
.update();
484 s
->formatter
->open_object_section("DeleteRolePoliciesResponse");
485 s
->formatter
->open_object_section("ResponseMetadata");
486 s
->formatter
->dump_string("RequestId", s
->trans_id
);
487 s
->formatter
->close_section();
488 s
->formatter
->close_section();