]>
git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_rest_role.cc
0fa0f8f011554cf755b1aaf36f69ec2edcf3ad25
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
7 #include "common/errno.h"
8 #include "common/Formatter.h"
9 #include "common/ceph_json.h"
11 #include "include/types.h"
12 #include "rgw_string.h"
14 #include "rgw_common.h"
18 #include "rgw_rest_role.h"
21 #define dout_subsys ceph_subsys_rgw
25 int RGWRestRole::verify_permission(optional_yield y
)
27 if (s
->auth
.identity
->is_anonymous()) {
31 string role_name
= s
->info
.args
.get("RoleName");
32 std::unique_ptr
<rgw::sal::RGWRole
> role
= store
->get_role(role_name
,
33 s
->user
->get_tenant());
34 if (op_ret
= role
->get(s
, y
); op_ret
< 0) {
35 if (op_ret
== -ENOENT
) {
36 op_ret
= -ERR_NO_ROLE_FOUND
;
41 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
42 _role
= std::move(role
);
46 string resource_name
= role
->get_path() + role_name
;
47 uint64_t op
= get_op();
48 if (!verify_user_permission(this,
50 rgw::ARN(resource_name
,
52 s
->user
->get_tenant(), true),
57 _role
= std::move(role
);
62 int RGWRestRole::parse_tags()
64 vector
<string
> keys
, vals
;
65 auto val_map
= s
->info
.args
.get_params();
66 const regex
pattern_key("Tags.member.([0-9]+).Key");
67 const regex
pattern_value("Tags.member.([0-9]+).Value");
68 for (auto& v
: val_map
) {
69 string key_index
="", value_index
="";
70 for(sregex_iterator it
= sregex_iterator(
71 v
.first
.begin(), v
.first
.end(), pattern_key
);
72 it
!= sregex_iterator(); it
++) {
75 key_index
= match
.str(1);
76 ldout(s
->cct
, 20) << "Key index: " << match
.str(1) << dendl
;
77 if (!key_index
.empty()) {
78 int index
= stoi(key_index
);
79 auto pos
= keys
.begin() + (index
-1);
80 keys
.insert(pos
, v
.second
);
83 for(sregex_iterator it
= sregex_iterator(
84 v
.first
.begin(), v
.first
.end(), pattern_value
);
85 it
!= sregex_iterator(); it
++) {
88 value_index
= match
.str(1);
89 ldout(s
->cct
, 20) << "Value index: " << match
.str(1) << dendl
;
90 if (!value_index
.empty()) {
91 int index
= stoi(value_index
);
92 auto pos
= vals
.begin() + (index
-1);
93 vals
.insert(pos
, v
.second
);
97 if (keys
.size() != vals
.size()) {
98 ldout(s
->cct
, 0) << "No. of keys doesn't match with no. of values in tags" << dendl
;
101 for (size_t i
= 0; i
< keys
.size(); i
++) {
102 tags
.emplace(keys
[i
], vals
[i
]);
103 ldout(s
->cct
, 0) << "Tag Key: " << keys
[i
] << " Tag Value is: " << vals
[i
] << dendl
;
108 void RGWRestRole::send_response()
111 set_req_state_err(s
, op_ret
);
117 int RGWRoleRead::check_caps(const RGWUserCaps
& caps
)
119 return caps
.check_cap("roles", RGW_CAP_READ
);
122 int RGWRoleWrite::check_caps(const RGWUserCaps
& caps
)
124 return caps
.check_cap("roles", RGW_CAP_WRITE
);
127 int RGWCreateRole::verify_permission(optional_yield y
)
129 if (s
->auth
.identity
->is_anonymous()) {
133 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
137 string role_name
= s
->info
.args
.get("RoleName");
138 string role_path
= s
->info
.args
.get("Path");
140 string resource_name
= role_path
+ role_name
;
141 if (!verify_user_permission(this,
143 rgw::ARN(resource_name
,
145 s
->user
->get_tenant(), true),
152 int RGWCreateRole::get_params()
154 role_name
= s
->info
.args
.get("RoleName");
155 role_path
= s
->info
.args
.get("Path");
156 trust_policy
= s
->info
.args
.get("AssumeRolePolicyDocument");
157 max_session_duration
= s
->info
.args
.get("MaxSessionDuration");
159 if (role_name
.empty() || trust_policy
.empty()) {
160 ldpp_dout(this, 20) << "ERROR: one of role name or assume role policy document is empty"
165 bufferlist bl
= bufferlist::static_from_string(trust_policy
);
167 const rgw::IAM::Policy
p(s
->cct
, s
->user
->get_tenant(), bl
);
169 catch (rgw::IAM::PolicyParseException
& e
) {
170 ldpp_dout(this, 20) << "failed to parse policy: " << e
.what() << dendl
;
171 return -ERR_MALFORMED_DOC
;
174 int ret
= parse_tags();
179 if (tags
.size() > 50) {
180 ldout(s
->cct
, 0) << "No. tags is greater than 50" << dendl
;
187 void RGWCreateRole::execute(optional_yield y
)
189 op_ret
= get_params();
193 std::string user_tenant
= s
->user
->get_tenant();
194 std::unique_ptr
<rgw::sal::RGWRole
> role
= store
->get_role(role_name
,
198 max_session_duration
,
200 if (!user_tenant
.empty() && role
->get_tenant() != user_tenant
) {
201 ldpp_dout(this, 20) << "ERROR: the tenant provided in the role name does not match with the tenant of the user creating the role"
206 op_ret
= role
->create(s
, true, y
);
207 if (op_ret
== -EEXIST
) {
208 op_ret
= -ERR_ROLE_EXISTS
;
212 s
->formatter
->open_object_section("CreateRoleResponse");
213 s
->formatter
->open_object_section("CreateRoleResult");
214 s
->formatter
->open_object_section("Role");
215 role
->dump(s
->formatter
);
216 s
->formatter
->close_section();
217 s
->formatter
->close_section();
218 s
->formatter
->open_object_section("ResponseMetadata");
219 s
->formatter
->dump_string("RequestId", s
->trans_id
);
220 s
->formatter
->close_section();
221 s
->formatter
->close_section();
225 int RGWDeleteRole::get_params()
227 role_name
= s
->info
.args
.get("RoleName");
229 if (role_name
.empty()) {
230 ldpp_dout(this, 20) << "ERROR: Role name is empty"<< dendl
;
237 void RGWDeleteRole::execute(optional_yield y
)
239 op_ret
= get_params();
244 op_ret
= _role
->delete_obj(s
, y
);
246 if (op_ret
== -ENOENT
) {
247 op_ret
= -ERR_NO_ROLE_FOUND
;
250 s
->formatter
->open_object_section("DeleteRoleResponse");
251 s
->formatter
->open_object_section("ResponseMetadata");
252 s
->formatter
->dump_string("RequestId", s
->trans_id
);
253 s
->formatter
->close_section();
254 s
->formatter
->close_section();
258 int RGWGetRole::verify_permission(optional_yield y
)
263 int RGWGetRole::_verify_permission(const rgw::sal::RGWRole
* role
)
265 if (s
->auth
.identity
->is_anonymous()) {
269 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
273 string resource_name
= role
->get_path() + role
->get_name();
274 if (!verify_user_permission(this,
276 rgw::ARN(resource_name
,
278 s
->user
->get_tenant(), true),
285 int RGWGetRole::get_params()
287 role_name
= s
->info
.args
.get("RoleName");
289 if (role_name
.empty()) {
290 ldpp_dout(this, 20) << "ERROR: Role name is empty"<< dendl
;
297 void RGWGetRole::execute(optional_yield y
)
299 op_ret
= get_params();
303 std::unique_ptr
<rgw::sal::RGWRole
> role
= store
->get_role(role_name
,
304 s
->user
->get_tenant());
305 op_ret
= role
->get(s
, y
);
307 if (op_ret
== -ENOENT
) {
308 op_ret
= -ERR_NO_ROLE_FOUND
;
312 op_ret
= _verify_permission(role
.get());
315 s
->formatter
->open_object_section("GetRoleResponse");
316 s
->formatter
->open_object_section("ResponseMetadata");
317 s
->formatter
->dump_string("RequestId", s
->trans_id
);
318 s
->formatter
->close_section();
319 s
->formatter
->open_object_section("GetRoleResult");
320 s
->formatter
->open_object_section("Role");
321 role
->dump(s
->formatter
);
322 s
->formatter
->close_section();
323 s
->formatter
->close_section();
324 s
->formatter
->close_section();
328 int RGWModifyRole::get_params()
330 role_name
= s
->info
.args
.get("RoleName");
331 trust_policy
= s
->info
.args
.get("PolicyDocument");
333 if (role_name
.empty() || trust_policy
.empty()) {
334 ldpp_dout(this, 20) << "ERROR: One of role name or trust policy is empty"<< dendl
;
338 if (!p
.parse(trust_policy
.c_str(), trust_policy
.length())) {
339 ldpp_dout(this, 20) << "ERROR: failed to parse assume role policy doc" << dendl
;
340 return -ERR_MALFORMED_DOC
;
346 void RGWModifyRole::execute(optional_yield y
)
348 op_ret
= get_params();
353 _role
->update_trust_policy(trust_policy
);
354 op_ret
= _role
->update(this, y
);
356 s
->formatter
->open_object_section("UpdateAssumeRolePolicyResponse");
357 s
->formatter
->open_object_section("ResponseMetadata");
358 s
->formatter
->dump_string("RequestId", s
->trans_id
);
359 s
->formatter
->close_section();
360 s
->formatter
->close_section();
363 int RGWListRoles::verify_permission(optional_yield y
)
365 if (s
->auth
.identity
->is_anonymous()) {
369 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
373 if (!verify_user_permission(this,
383 int RGWListRoles::get_params()
385 path_prefix
= s
->info
.args
.get("PathPrefix");
390 void RGWListRoles::execute(optional_yield y
)
392 op_ret
= get_params();
396 vector
<std::unique_ptr
<rgw::sal::RGWRole
>> result
;
397 op_ret
= store
->get_roles(s
, y
, path_prefix
, s
->user
->get_tenant(), result
);
400 s
->formatter
->open_array_section("ListRolesResponse");
401 s
->formatter
->open_array_section("ListRolesResult");
402 s
->formatter
->open_object_section("Roles");
403 for (const auto& it
: result
) {
404 s
->formatter
->open_object_section("member");
405 it
->dump(s
->formatter
);
406 s
->formatter
->close_section();
408 s
->formatter
->close_section();
409 s
->formatter
->close_section();
410 s
->formatter
->open_object_section("ResponseMetadata");
411 s
->formatter
->dump_string("RequestId", s
->trans_id
);
412 s
->formatter
->close_section();
413 s
->formatter
->close_section();
417 int RGWPutRolePolicy::get_params()
419 role_name
= s
->info
.args
.get("RoleName");
420 policy_name
= s
->info
.args
.get("PolicyName");
421 perm_policy
= s
->info
.args
.get("PolicyDocument");
423 if (role_name
.empty() || policy_name
.empty() || perm_policy
.empty()) {
424 ldpp_dout(this, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl
;
427 bufferlist bl
= bufferlist::static_from_string(perm_policy
);
429 const rgw::IAM::Policy
p(s
->cct
, s
->user
->get_tenant(), bl
);
431 catch (rgw::IAM::PolicyParseException
& e
) {
432 ldpp_dout(this, 20) << "failed to parse policy: " << e
.what() << dendl
;
433 return -ERR_MALFORMED_DOC
;
438 void RGWPutRolePolicy::execute(optional_yield y
)
440 op_ret
= get_params();
445 _role
->set_perm_policy(policy_name
, perm_policy
);
446 op_ret
= _role
->update(this, y
);
449 s
->formatter
->open_object_section("PutRolePolicyResponse");
450 s
->formatter
->open_object_section("ResponseMetadata");
451 s
->formatter
->dump_string("RequestId", s
->trans_id
);
452 s
->formatter
->close_section();
453 s
->formatter
->close_section();
457 int RGWGetRolePolicy::get_params()
459 role_name
= s
->info
.args
.get("RoleName");
460 policy_name
= s
->info
.args
.get("PolicyName");
462 if (role_name
.empty() || policy_name
.empty()) {
463 ldpp_dout(this, 20) << "ERROR: One of role name or policy name is empty"<< dendl
;
469 void RGWGetRolePolicy::execute(optional_yield y
)
471 op_ret
= get_params();
477 op_ret
= _role
->get_role_policy(this, policy_name
, perm_policy
);
478 if (op_ret
== -ENOENT
) {
479 op_ret
= -ERR_NO_SUCH_ENTITY
;
483 s
->formatter
->open_object_section("GetRolePolicyResponse");
484 s
->formatter
->open_object_section("ResponseMetadata");
485 s
->formatter
->dump_string("RequestId", s
->trans_id
);
486 s
->formatter
->close_section();
487 s
->formatter
->open_object_section("GetRolePolicyResult");
488 s
->formatter
->dump_string("PolicyName", policy_name
);
489 s
->formatter
->dump_string("RoleName", role_name
);
490 s
->formatter
->dump_string("PolicyDocument", perm_policy
);
491 s
->formatter
->close_section();
492 s
->formatter
->close_section();
496 int RGWListRolePolicies::get_params()
498 role_name
= s
->info
.args
.get("RoleName");
500 if (role_name
.empty()) {
501 ldpp_dout(this, 20) << "ERROR: Role name is empty"<< dendl
;
507 void RGWListRolePolicies::execute(optional_yield y
)
509 op_ret
= get_params();
514 std::vector
<string
> policy_names
= _role
->get_role_policy_names();
515 s
->formatter
->open_object_section("ListRolePoliciesResponse");
516 s
->formatter
->open_object_section("ResponseMetadata");
517 s
->formatter
->dump_string("RequestId", s
->trans_id
);
518 s
->formatter
->close_section();
519 s
->formatter
->open_object_section("ListRolePoliciesResult");
520 s
->formatter
->open_array_section("PolicyNames");
521 for (const auto& it
: policy_names
) {
522 s
->formatter
->dump_string("member", it
);
524 s
->formatter
->close_section();
525 s
->formatter
->close_section();
526 s
->formatter
->close_section();
529 int RGWDeleteRolePolicy::get_params()
531 role_name
= s
->info
.args
.get("RoleName");
532 policy_name
= s
->info
.args
.get("PolicyName");
534 if (role_name
.empty() || policy_name
.empty()) {
535 ldpp_dout(this, 20) << "ERROR: One of role name or policy name is empty"<< dendl
;
541 void RGWDeleteRolePolicy::execute(optional_yield y
)
543 op_ret
= get_params();
548 op_ret
= _role
->delete_policy(this, policy_name
);
549 if (op_ret
== -ENOENT
) {
550 op_ret
= -ERR_NO_ROLE_FOUND
;
554 op_ret
= _role
->update(this, y
);
557 s
->formatter
->open_object_section("DeleteRolePoliciesResponse");
558 s
->formatter
->open_object_section("ResponseMetadata");
559 s
->formatter
->dump_string("RequestId", s
->trans_id
);
560 s
->formatter
->close_section();
561 s
->formatter
->close_section();
564 int RGWTagRole::get_params()
566 role_name
= s
->info
.args
.get("RoleName");
568 if (role_name
.empty()) {
569 ldout(s
->cct
, 0) << "ERROR: Role name is empty" << dendl
;
572 int ret
= parse_tags();
580 void RGWTagRole::execute(optional_yield y
)
582 op_ret
= get_params();
587 op_ret
= _role
->set_tags(this, tags
);
589 op_ret
= _role
->update(this, y
);
593 s
->formatter
->open_object_section("TagRoleResponse");
594 s
->formatter
->open_object_section("ResponseMetadata");
595 s
->formatter
->dump_string("RequestId", s
->trans_id
);
596 s
->formatter
->close_section();
597 s
->formatter
->close_section();
601 int RGWListRoleTags::get_params()
603 role_name
= s
->info
.args
.get("RoleName");
605 if (role_name
.empty()) {
606 ldout(s
->cct
, 0) << "ERROR: Role name is empty" << dendl
;
613 void RGWListRoleTags::execute(optional_yield y
)
615 op_ret
= get_params();
620 boost::optional
<multimap
<string
,string
>> tag_map
= _role
->get_tags();
621 s
->formatter
->open_object_section("ListRoleTagsResponse");
622 s
->formatter
->open_object_section("ListRoleTagsResult");
624 s
->formatter
->open_array_section("Tags");
625 for (const auto& it
: tag_map
.get()) {
626 s
->formatter
->open_object_section("Key");
627 encode_json("Key", it
.first
, s
->formatter
);
628 s
->formatter
->close_section();
629 s
->formatter
->open_object_section("Value");
630 encode_json("Value", it
.second
, s
->formatter
);
631 s
->formatter
->close_section();
633 s
->formatter
->close_section();
635 s
->formatter
->close_section();
636 s
->formatter
->open_object_section("ResponseMetadata");
637 s
->formatter
->dump_string("RequestId", s
->trans_id
);
638 s
->formatter
->close_section();
639 s
->formatter
->close_section();
642 int RGWUntagRole::get_params()
644 role_name
= s
->info
.args
.get("RoleName");
646 if (role_name
.empty()) {
647 ldout(s
->cct
, 0) << "ERROR: Role name is empty" << dendl
;
651 auto val_map
= s
->info
.args
.get_params();
652 for (auto& it
: val_map
) {
653 if (it
.first
.find("TagKeys.member.") != string::npos
) {
654 tagKeys
.emplace_back(it
.second
);
660 void RGWUntagRole::execute(optional_yield y
)
662 op_ret
= get_params();
667 _role
->erase_tags(tagKeys
);
668 op_ret
= _role
->update(this, y
);
671 s
->formatter
->open_object_section("UntagRoleResponse");
672 s
->formatter
->open_object_section("ResponseMetadata");
673 s
->formatter
->dump_string("RequestId", s
->trans_id
);
674 s
->formatter
->close_section();
675 s
->formatter
->close_section();