]>
git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_rest_role.cc
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
6 #include "common/errno.h"
7 #include "common/Formatter.h"
8 #include "common/ceph_json.h"
10 #include "include/types.h"
11 #include "rgw_string.h"
13 #include "rgw_common.h"
17 #include "rgw_rest_role.h"
19 #define dout_subsys ceph_subsys_rgw
21 int RGWRestRole::verify_permission()
23 if (s
->auth
.identity
->is_anonymous()) {
27 string role_name
= s
->info
.args
.get("RoleName");
28 RGWRole
role(s
->cct
, store
, role_name
, s
->user
->user_id
.tenant
);
29 if (op_ret
= role
.get(); op_ret
< 0) {
30 if (op_ret
== -ENOENT
) {
31 op_ret
= -ERR_NO_ROLE_FOUND
;
36 if (int ret
= check_caps(s
->user
->caps
); ret
== 0) {
37 _role
= std::move(role
);
41 string resource_name
= role
.get_path() + role_name
;
42 uint64_t op
= get_op();
43 if (!verify_user_permission(this,
45 rgw::ARN(resource_name
,
47 s
->user
->user_id
.tenant
, true),
52 _role
= std::move(role
);
57 void RGWRestRole::send_response()
60 set_req_state_err(s
, op_ret
);
66 int RGWRoleRead::check_caps(RGWUserCaps
& caps
)
68 return caps
.check_cap("roles", RGW_CAP_READ
);
71 int RGWRoleWrite::check_caps(RGWUserCaps
& caps
)
73 return caps
.check_cap("roles", RGW_CAP_WRITE
);
76 int RGWCreateRole::verify_permission()
78 if (s
->auth
.identity
->is_anonymous()) {
82 if (int ret
= check_caps(s
->user
->caps
); ret
== 0) {
86 string role_name
= s
->info
.args
.get("RoleName");
87 string role_path
= s
->info
.args
.get("Path");
89 string resource_name
= role_path
+ role_name
;
90 if (!verify_user_permission(this,
92 rgw::ARN(resource_name
,
94 s
->user
->user_id
.tenant
, true),
101 int RGWCreateRole::get_params()
103 role_name
= s
->info
.args
.get("RoleName");
104 role_path
= s
->info
.args
.get("Path");
105 trust_policy
= s
->info
.args
.get("AssumeRolePolicyDocument");
106 max_session_duration
= s
->info
.args
.get("MaxSessionDuration");
108 if (role_name
.empty() || trust_policy
.empty()) {
109 ldout(s
->cct
, 20) << "ERROR: one of role name or assume role policy document is empty"
114 bufferlist bl
= bufferlist::static_from_string(trust_policy
);
116 const rgw::IAM::Policy
p(s
->cct
, s
->user
->user_id
.tenant
, bl
);
118 catch (rgw::IAM::PolicyParseException
& e
) {
119 ldout(s
->cct
, 20) << "failed to parse policy: " << e
.what() << dendl
;
120 return -ERR_MALFORMED_DOC
;
126 void RGWCreateRole::execute()
128 op_ret
= get_params();
132 RGWRole
role(s
->cct
, store
, role_name
, role_path
, trust_policy
,
133 s
->user
->user_id
.tenant
, max_session_duration
);
134 op_ret
= role
.create(true);
136 if (op_ret
== -EEXIST
) {
137 op_ret
= -ERR_ROLE_EXISTS
;
141 s
->formatter
->open_object_section("role");
142 role
.dump(s
->formatter
);
143 s
->formatter
->close_section();
147 int RGWDeleteRole::get_params()
149 role_name
= s
->info
.args
.get("RoleName");
151 if (role_name
.empty()) {
152 ldout(s
->cct
, 20) << "ERROR: Role name is empty"<< dendl
;
159 void RGWDeleteRole::execute()
161 op_ret
= get_params();
166 op_ret
= _role
.delete_obj();
168 if (op_ret
== -ENOENT
) {
169 op_ret
= -ERR_NO_ROLE_FOUND
;
173 int RGWGetRole::verify_permission()
178 int RGWGetRole::_verify_permission(const RGWRole
& role
)
180 if (s
->auth
.identity
->is_anonymous()) {
184 if (int ret
= check_caps(s
->user
->caps
); ret
== 0) {
188 string resource_name
= role
.get_path() + role
.get_name();
189 if (!verify_user_permission(this,
191 rgw::ARN(resource_name
,
193 s
->user
->user_id
.tenant
, true),
200 int RGWGetRole::get_params()
202 role_name
= s
->info
.args
.get("RoleName");
204 if (role_name
.empty()) {
205 ldout(s
->cct
, 20) << "ERROR: Role name is empty"<< dendl
;
212 void RGWGetRole::execute()
214 op_ret
= get_params();
218 RGWRole
role(s
->cct
, store
, role_name
, s
->user
->user_id
.tenant
);
221 if (op_ret
== -ENOENT
) {
222 op_ret
= -ERR_NO_ROLE_FOUND
;
226 op_ret
= _verify_permission(role
);
229 s
->formatter
->open_object_section("role");
230 role
.dump(s
->formatter
);
231 s
->formatter
->close_section();
235 int RGWModifyRole::get_params()
237 role_name
= s
->info
.args
.get("RoleName");
238 trust_policy
= s
->info
.args
.get("PolicyDocument");
240 if (role_name
.empty() || trust_policy
.empty()) {
241 ldout(s
->cct
, 20) << "ERROR: One of role name or trust policy is empty"<< dendl
;
245 if (!p
.parse(trust_policy
.c_str(), trust_policy
.length())) {
246 ldout(s
->cct
, 20) << "ERROR: failed to parse assume role policy doc" << dendl
;
247 return -ERR_MALFORMED_DOC
;
253 void RGWModifyRole::execute()
255 op_ret
= get_params();
260 _role
.update_trust_policy(trust_policy
);
261 op_ret
= _role
.update();
265 int RGWListRoles::verify_permission()
267 if (s
->auth
.identity
->is_anonymous()) {
271 if (int ret
= check_caps(s
->user
->caps
); ret
== 0) {
275 if (!verify_user_permission(this,
285 int RGWListRoles::get_params()
287 path_prefix
= s
->info
.args
.get("PathPrefix");
292 void RGWListRoles::execute()
294 op_ret
= get_params();
298 vector
<RGWRole
> result
;
299 op_ret
= RGWRole::get_roles_by_path_prefix(store
, s
->cct
, path_prefix
, s
->user
->user_id
.tenant
, result
);
302 s
->formatter
->open_array_section("Roles");
303 for (const auto& it
: result
) {
304 s
->formatter
->open_object_section("role");
305 it
.dump(s
->formatter
);
306 s
->formatter
->close_section();
308 s
->formatter
->close_section();
312 int RGWPutRolePolicy::get_params()
314 role_name
= s
->info
.args
.get("RoleName");
315 policy_name
= s
->info
.args
.get("PolicyName");
316 perm_policy
= s
->info
.args
.get("PolicyDocument");
318 if (role_name
.empty() || policy_name
.empty() || perm_policy
.empty()) {
319 ldout(s
->cct
, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl
;
322 bufferlist bl
= bufferlist::static_from_string(perm_policy
);
324 const rgw::IAM::Policy
p(s
->cct
, s
->user
->user_id
.tenant
, bl
);
326 catch (rgw::IAM::PolicyParseException
& e
) {
327 ldout(s
->cct
, 20) << "failed to parse policy: " << e
.what() << dendl
;
328 return -ERR_MALFORMED_DOC
;
333 void RGWPutRolePolicy::execute()
335 op_ret
= get_params();
340 _role
.set_perm_policy(policy_name
, perm_policy
);
341 op_ret
= _role
.update();
344 int RGWGetRolePolicy::get_params()
346 role_name
= s
->info
.args
.get("RoleName");
347 policy_name
= s
->info
.args
.get("PolicyName");
349 if (role_name
.empty() || policy_name
.empty()) {
350 ldout(s
->cct
, 20) << "ERROR: One of role name or policy name is empty"<< dendl
;
356 void RGWGetRolePolicy::execute()
358 op_ret
= get_params();
364 op_ret
= _role
.get_role_policy(policy_name
, perm_policy
);
366 s
->formatter
->open_object_section("GetRolePolicyResult");
367 s
->formatter
->dump_string("PolicyName", policy_name
);
368 s
->formatter
->dump_string("RoleName", role_name
);
369 s
->formatter
->dump_string("Permission policy", perm_policy
);
370 s
->formatter
->close_section();
374 int RGWListRolePolicies::get_params()
376 role_name
= s
->info
.args
.get("RoleName");
378 if (role_name
.empty()) {
379 ldout(s
->cct
, 20) << "ERROR: Role name is empty"<< dendl
;
385 void RGWListRolePolicies::execute()
387 op_ret
= get_params();
392 std::vector
<string
> policy_names
= _role
.get_role_policy_names();
393 s
->formatter
->open_array_section("PolicyNames");
394 for (const auto& it
: policy_names
) {
395 s
->formatter
->dump_string("member", it
);
397 s
->formatter
->close_section();
400 int RGWDeleteRolePolicy::get_params()
402 role_name
= s
->info
.args
.get("RoleName");
403 policy_name
= s
->info
.args
.get("PolicyName");
405 if (role_name
.empty() || policy_name
.empty()) {
406 ldout(s
->cct
, 20) << "ERROR: One of role name or policy name is empty"<< dendl
;
412 void RGWDeleteRolePolicy::execute()
414 op_ret
= get_params();
419 op_ret
= _role
.delete_policy(policy_name
);
420 if (op_ret
== -ENOENT
) {
421 op_ret
= -ERR_NO_ROLE_FOUND
;
425 op_ret
= _role
.update();