// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
// vim: ts=8 sw=2 smarttab ft=cpp
-#ifndef CEPH_RGW_IAM_POLICY_H
-#define CEPH_RGW_IAM_POLICY_H
+#pragma once
#include <bitset>
#include <chrono>
#include <boost/thread/shared_mutex.hpp>
#include <boost/variant.hpp>
+#include <fmt/format.h>
+
#include "common/ceph_time.h"
#include "common/iso_8601.h"
static constexpr std::uint64_t iamListUserPolicies = s3All + 4;
static constexpr std::uint64_t iamCreateRole = s3All + 5;
static constexpr std::uint64_t iamDeleteRole = s3All + 6;
-static constexpr std::uint64_t iamModifyRole = s3All + 7;
+static constexpr std::uint64_t iamModifyRoleTrustPolicy = s3All + 7;
static constexpr std::uint64_t iamGetRole = s3All + 8;
static constexpr std::uint64_t iamListRoles = s3All + 9;
static constexpr std::uint64_t iamPutRolePolicy = s3All + 10;
static constexpr std::uint64_t iamTagRole = s3All + 18;
static constexpr std::uint64_t iamListRoleTags = s3All + 19;
static constexpr std::uint64_t iamUntagRole = s3All + 20;
-static constexpr std::uint64_t iamAll = s3All + 21;
+static constexpr std::uint64_t iamUpdateRole = s3All + 21;
+static constexpr std::uint64_t iamAll = s3All + 22;
static constexpr std::uint64_t stsAssumeRole = iamAll + 1;
static constexpr std::uint64_t stsAssumeRoleWithWebIdentity = iamAll + 2;
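Review bot: Inserting `iamUpdateRole` at `s3All + 21` moves `iamAll` to `s3All + 22`, and with it every value derived from `iamAll` (`stsAssumeRole`, `stsAssumeRoleWithWebIdentity`, and anything declared after them). If these indices only name bits in an in-memory action set built from the parsed policy text, the shift is harmless, but if any of them is persisted, logged numerically, or matched against a table elsewhere, that needs checking; the action-name table that must gain the `iam:UpdateRole` entry for this index is not in this chunk. A one-line comment on `iamAll`, e.g. `// must remain the last IAM action: the sts* values are relative to it`, would make the ordering invariant explicit for the next person who adds an action.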
struct PolicyParseException : public std::exception {
rapidjson::ParseResult pr;
+ std::string msg;
+
+ explicit PolicyParseException(const rapidjson::ParseResult pr,
+ const std::string& annotation)
+ : pr(pr),
+ msg(fmt::format("At character offset {}, {}",
+ pr.Offset(),
+ (pr.Code() == rapidjson::kParseErrorTermination ?
+ annotation :
+ rapidjson::GetParseError_En(pr.Code())))) {}
- explicit PolicyParseException(rapidjson::ParseResult&& pr)
- : pr(pr) { }
const char* what() const noexcept override {
- return rapidjson::GetParseError_En(pr.Code());
+ return msg.c_str();
}
};
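Review bot: The new `annotation` parameter is undocumented, and which text ends up in `msg` depends on `pr.Code()`: the caller's annotation is used only when rapidjson reports `kParseErrorTermination`, otherwise rapidjson's own message for the code is used and the annotation is dropped, so a caller that passes a meaningful annotation with any other error code will never see it. I would add above the constructor: `// annotation: the policy handler's own diagnostic; surfaced only when the parse stopped with kParseErrorTermination, otherwise rapidjson's message for pr.Code() is reported.` It is also worth a short comment that `msg` is formatted eagerly in the constructor so `what()` can stay `noexcept` and return `msg.c_str()` directly; the string is owned by the exception, so the pointer is valid for as long as the exception object is.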
std::vector<Statement> statements;
+ // reject_invalid_principals should be set to
+ // `cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals")`
+ // when executing operations that *set* a bucket policy, but should
+ // be false when reading a stored bucket policy so as not to break
+ // backwards configuration.
Policy(CephContext* cct, const std::string& tenant,
- const bufferlist& text);
+ const bufferlist& text,
+ bool reject_invalid_principals);
Effect eval(const Environment& e,
boost::optional<const rgw::auth::Identity&> ida,
}
}
-
-#endif
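Review bot: `reject_invalid_principals` is a bare positional `bool`, so a call site that passes the wrong literal on the policy-set path silently disables principal validation with no compiler or reader feedback; the comment states the intended split between set and read paths but nothing at the call enforces it. An `enum class` for the two modes, or at least naming the expected value per call site in the comment, would make the write-path/read-path distinction visible where the constructor is called. The comment's last words should read `backwards compatibility` rather than `backwards configuration`. The comment should also say what the constructor does with a policy whose principals are invalid when the flag is false, since that decides whether a stored policy can grant more or less than its author intended; I cannot tell from this hunk. The `Policy` class and the `eval` declaration continue outside the hunk.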