1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
5 #ifndef CEPH_RGW_AUTH_KEYSTONE_H
6 #define CEPH_RGW_AUTH_KEYSTONE_H
9 #include <boost/optional.hpp>
10 #include <boost/utility/string_view.hpp>
13 #include "rgw_rest_s3.h"
14 #include "rgw_common.h"
15 #include "rgw_keystone.h"
21 /* Dedicated namespace for Keystone-related auth engines. We need it because
22 * Keystone offers three different authentication mechanisms (token, EC2 and
23 * regular user/pass). RadosGW actually does support the first two. */
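/* Authenticates a request by the Keystone token it carries (extracted by
 * @extractor) and maps the validated token envelope to RGW auth info through
 * the RemoteApplier factory.
 *
 * Lifetime: the engine owns nothing it is constructed with. cct, extractor and
 * apl_factory are borrowed pointers, config and token_cache are borrowed
 * references; all of them must outlive the engine. The reference members are
 * also why the constructor must initialise everything in its mem-initializer
 * list.
 *
 * Declared inside namespace rgw::auth::keystone (only the namespace closers
 * are visible on this page, the openers are not).
 *
 * NOTE(review): the rendered page dropped a handful of lines of this class —
 * the "public:" specifier, the cct/extractor/config mem-initializers, the
 * "const noexcept;" tail of get_creds_info and the closing braces of the
 * inline bodies. They are restored below so the declaration is well-formed;
 * no other token was changed.
 */
class TokenEngine : public rgw::auth::Engine {
  CephContext* const cct;

  using acl_strategy_t = rgw::auth::RemoteApplier::acl_strategy_t;
  using auth_info_t = rgw::auth::RemoteApplier::AuthInfo;
  using result_t = rgw::auth::Engine::result_t;
  using token_envelope_t = rgw::keystone::TokenEnvelope;

  /* Knows where in the request the raw token lives (see the public
   * authenticate() below); not owned. */
  const rgw::auth::TokenExtractor* const extractor;
  /* Factory for the applier that will represent the authenticated identity;
   * not owned. */
  const rgw::auth::RemoteApplier::Factory* const apl_factory;
  /* Keystone settings; borrowed, presumably shared with other engines. */
  rgw::keystone::Config& config;
  /* Cache of validated envelopes; borrowed. Operators should keep in mind that
   * a cached envelope is presumably trusted until it is evicted, so a
   * Keystone-side revocation may not be noticed before then — confirm against
   * TokenCache. */
  rgw::keystone::TokenCache& token_cache;

  /* Helper methods. */

  /* Pre-check whether this engine should attempt @token at all; never throws. */
  bool is_applicable(const std::string& token) const noexcept;
  /* Decodes a Keystone PKI token into an envelope. Whether the token's
   * signature is verified here or by a callee is not visible in this header —
   * confirm in the .cc before treating the envelope as trusted. */
  token_envelope_t decode_pki_token(const std::string& token) const;

  /* Asks Keystone to validate @token. boost::none presumably means Keystone did
   * not return a usable envelope — confirm in the .cc. */
  boost::optional<token_envelope_t>
  get_from_keystone(const std::string& token) const;

  /* Picks the ACL evaluation strategy for the identity described by @token. */
  acl_strategy_t get_acl_strategy(const token_envelope_t& token) const;
  /* Turns a validated envelope into RGW auth info. @admin_roles lists the
   * Keystone roles that are treated as administrative. Never throws. */
  auth_info_t get_creds_info(const token_envelope_t& token,
                             const std::vector<std::string>& admin_roles
                            ) const noexcept;
  /* Full authentication pipeline for an already-extracted token string. */
  result_t authenticate(const std::string& token,
                        const req_state* s) const;

public:
  /* All arguments are borrowed (see the class comment); none may be null. */
  TokenEngine(CephContext* const cct,
              const rgw::auth::TokenExtractor* const extractor,
              const rgw::auth::RemoteApplier::Factory* const apl_factory,
              rgw::keystone::Config& config,
              rgw::keystone::TokenCache& token_cache)
    : cct(cct),
      extractor(extractor),
      apl_factory(apl_factory),
      config(config),
      token_cache(token_cache) {
  }

  /* Stable identifier of this engine (used wherever the engine is named). */
  const char* get_name() const noexcept override {
    return "rgw::auth::keystone::TokenEngine";
  }

  /* Engine entry point: pull the token out of @s and run the private
   * string-based overload on it. */
  result_t authenticate(const req_state* const s) const override {
    return authenticate(extractor->get_token(s), s);
  }
}; /* class TokenEngine */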
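/* AWS-signature (S3-style) authentication backed by Keystone EC2 credentials.
 *
 * The access key id, the string-to-sign and the client's signature are handed
 * to get_from_keystone(), i.e. the signature check itself appears to be
 * delegated to Keystone rather than computed locally — which is why the
 * signature_factory_t parameter of authenticate() is unnamed. Confirm in the
 * .cc before relying on that.
 *
 * Lifetime: apl_factory is a borrowed pointer, config and token_cache are
 * borrowed references; all must outlive the engine. ver_abstractor is
 * dereferenced in the mem-initializer list, so passing null is undefined
 * behaviour.
 *
 * Declared inside namespace rgw::auth::keystone (only the namespace closers
 * are visible on this page).
 *
 * NOTE(review): the rendered page dropped a few lines of this class — the
 * "public:" specifier, the config mem-initializer, the "const noexcept;" tail
 * of get_creds_info, the last line of the token_cache parameter comment and
 * the closing braces of the inline bodies. They are restored below so the
 * declaration is well-formed; no other token was changed.
 */
class EC2Engine : public rgw::auth::s3::AWSEngine {
  using acl_strategy_t = rgw::auth::RemoteApplier::acl_strategy_t;
  using auth_info_t = rgw::auth::RemoteApplier::AuthInfo;
  using result_t = rgw::auth::Engine::result_t;
  using token_envelope_t = rgw::keystone::TokenEnvelope;

  /* Factory for the applier representing the authenticated identity; not owned. */
  const rgw::auth::RemoteApplier::Factory* const apl_factory;
  /* Keystone settings; borrowed. */
  rgw::keystone::Config& config;
  /* Borrowed; see the constructor parameter comment for what it is used for. */
  rgw::keystone::TokenCache& token_cache;

  /* Helper methods. */

  /* Picks the ACL evaluation strategy for the identity described by @token. */
  acl_strategy_t get_acl_strategy(const token_envelope_t& token) const;
  /* Turns a validated envelope into RGW auth info. @admin_roles lists the
   * Keystone roles that are treated as administrative. Never throws. */
  auth_info_t get_creds_info(const token_envelope_t& token,
                             const std::vector<std::string>& admin_roles
                            ) const noexcept;
  /* Sends the credential triple to Keystone. The second element is an int
   * status; its exact meaning (presumably an errno-style code) is only visible
   * in the .cc. */
  std::pair<boost::optional<token_envelope_t>, int>
  get_from_keystone(const boost::string_view& access_key_id,
                    const std::string& string_to_sign,
                    const boost::string_view& signature) const;
  /* AWSEngine hook: the signature factory is deliberately unnamed (unused);
   * completer_factory builds the request completer once the identity is known. */
  result_t authenticate(const boost::string_view& access_key_id,
                        const boost::string_view& signature,
                        const string_to_sign_t& string_to_sign,
                        const signature_factory_t&,
                        const completer_factory_t& completer_factory,
                        const req_state* s) const override;

public:
  /* All pointer/reference arguments are borrowed; ver_abstractor must be
   * non-null (it is dereferenced right here). */
  EC2Engine(CephContext* const cct,
            const rgw::auth::s3::AWSEngine::VersionAbstractor* const ver_abstractor,
            const rgw::auth::RemoteApplier::Factory* const apl_factory,
            rgw::keystone::Config& config,
            /* The token cache is used ONLY for the retrieving admin token.
             * Due to the architecture of AWS Auth S3 credentials cannot be
             * cached for some time. */
            rgw::keystone::TokenCache& token_cache)
    : AWSEngine(cct, *ver_abstractor),
      apl_factory(apl_factory),
      config(config),
      token_cache(token_cache) {
  }

  /* The private override above hides every base-class authenticate()
   * overload; re-expose them so the public entry point stays callable. */
  using AWSEngine::authenticate;

  /* Stable identifier of this engine (used wherever the engine is named). */
  const char* get_name() const noexcept override {
    return "rgw::auth::keystone::EC2Engine";
  }
}; /* class EC2Engine */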
123 }; /* namespace keystone */
124 }; /* namespace auth */
125 }; /* namespace rgw */
127 #endif /* CEPH_RGW_AUTH_KEYSTONE_H */