]>
git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_rest_role.cc
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
6 #include "common/errno.h"
7 #include "common/Formatter.h"
8 #include "common/ceph_json.h"
10 #include "include/types.h"
11 #include "rgw_string.h"
13 #include "rgw_common.h"
17 #include "rgw_rest_role.h"
18 #include "rgw_sal_rados.h"
20 #define dout_subsys ceph_subsys_rgw
22 int RGWRestRole::verify_permission(optional_yield y
)
24 if (s
->auth
.identity
->is_anonymous()) {
28 string role_name
= s
->info
.args
.get("RoleName");
29 RGWRole
role(s
->cct
, store
->getRados()->pctl
, role_name
, s
->user
->get_tenant());
30 if (op_ret
= role
.get(s
, y
); op_ret
< 0) {
31 if (op_ret
== -ENOENT
) {
32 op_ret
= -ERR_NO_ROLE_FOUND
;
37 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
38 _role
= std::move(role
);
42 string resource_name
= role
.get_path() + role_name
;
43 uint64_t op
= get_op();
44 if (!verify_user_permission(this,
46 rgw::ARN(resource_name
,
48 s
->user
->get_tenant(), true),
53 _role
= std::move(role
);
58 void RGWRestRole::send_response()
61 set_req_state_err(s
, op_ret
);
67 int RGWRoleRead::check_caps(const RGWUserCaps
& caps
)
69 return caps
.check_cap("roles", RGW_CAP_READ
);
72 int RGWRoleWrite::check_caps(const RGWUserCaps
& caps
)
74 return caps
.check_cap("roles", RGW_CAP_WRITE
);
77 int RGWCreateRole::verify_permission(optional_yield y
)
79 if (s
->auth
.identity
->is_anonymous()) {
83 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
87 string role_name
= s
->info
.args
.get("RoleName");
88 string role_path
= s
->info
.args
.get("Path");
90 string resource_name
= role_path
+ role_name
;
91 if (!verify_user_permission(this,
93 rgw::ARN(resource_name
,
95 s
->user
->get_tenant(), true),
102 int RGWCreateRole::get_params()
104 role_name
= s
->info
.args
.get("RoleName");
105 role_path
= s
->info
.args
.get("Path");
106 trust_policy
= s
->info
.args
.get("AssumeRolePolicyDocument");
107 max_session_duration
= s
->info
.args
.get("MaxSessionDuration");
109 if (role_name
.empty() || trust_policy
.empty()) {
110 ldpp_dout(this, 20) << "ERROR: one of role name or assume role policy document is empty"
115 bufferlist bl
= bufferlist::static_from_string(trust_policy
);
117 const rgw::IAM::Policy
p(s
->cct
, s
->user
->get_tenant(), bl
);
119 catch (rgw::IAM::PolicyParseException
& e
) {
120 ldpp_dout(this, 20) << "failed to parse policy: " << e
.what() << dendl
;
121 return -ERR_MALFORMED_DOC
;
127 void RGWCreateRole::execute(optional_yield y
)
129 op_ret
= get_params();
133 std::string user_tenant
= s
->user
->get_tenant();
134 RGWRole
role(s
->cct
, store
->getRados()->pctl
, role_name
, role_path
, trust_policy
,
135 user_tenant
, max_session_duration
);
136 if (!user_tenant
.empty() && role
.get_tenant() != user_tenant
) {
137 ldpp_dout(this, 20) << "ERROR: the tenant provided in the role name does not match with the tenant of the user creating the role"
142 op_ret
= role
.create(s
, true, y
);
144 if (op_ret
== -EEXIST
) {
145 op_ret
= -ERR_ROLE_EXISTS
;
149 s
->formatter
->open_object_section("CreateRoleResponse");
150 s
->formatter
->open_object_section("CreateRoleResult");
151 s
->formatter
->open_object_section("Role");
152 role
.dump(s
->formatter
);
153 s
->formatter
->close_section();
154 s
->formatter
->close_section();
155 s
->formatter
->open_object_section("ResponseMetadata");
156 s
->formatter
->dump_string("RequestId", s
->trans_id
);
157 s
->formatter
->close_section();
158 s
->formatter
->close_section();
162 int RGWDeleteRole::get_params()
164 role_name
= s
->info
.args
.get("RoleName");
166 if (role_name
.empty()) {
167 ldpp_dout(this, 20) << "ERROR: Role name is empty"<< dendl
;
174 void RGWDeleteRole::execute(optional_yield y
)
176 op_ret
= get_params();
181 op_ret
= _role
.delete_obj(s
, y
);
183 if (op_ret
== -ENOENT
) {
184 op_ret
= -ERR_NO_ROLE_FOUND
;
187 s
->formatter
->open_object_section("DeleteRoleResponse");
188 s
->formatter
->open_object_section("ResponseMetadata");
189 s
->formatter
->dump_string("RequestId", s
->trans_id
);
190 s
->formatter
->close_section();
191 s
->formatter
->close_section();
195 int RGWGetRole::verify_permission(optional_yield y
)
200 int RGWGetRole::_verify_permission(const RGWRole
& role
)
202 if (s
->auth
.identity
->is_anonymous()) {
206 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
210 string resource_name
= role
.get_path() + role
.get_name();
211 if (!verify_user_permission(this,
213 rgw::ARN(resource_name
,
215 s
->user
->get_tenant(), true),
222 int RGWGetRole::get_params()
224 role_name
= s
->info
.args
.get("RoleName");
226 if (role_name
.empty()) {
227 ldpp_dout(this, 20) << "ERROR: Role name is empty"<< dendl
;
234 void RGWGetRole::execute(optional_yield y
)
236 op_ret
= get_params();
240 RGWRole
role(s
->cct
, store
->getRados()->pctl
, role_name
, s
->user
->get_tenant());
241 op_ret
= role
.get(s
, y
);
243 if (op_ret
== -ENOENT
) {
244 op_ret
= -ERR_NO_ROLE_FOUND
;
248 op_ret
= _verify_permission(role
);
251 s
->formatter
->open_object_section("GetRoleResponse");
252 s
->formatter
->open_object_section("ResponseMetadata");
253 s
->formatter
->dump_string("RequestId", s
->trans_id
);
254 s
->formatter
->close_section();
255 s
->formatter
->open_object_section("GetRoleResult");
256 s
->formatter
->open_object_section("Role");
257 role
.dump(s
->formatter
);
258 s
->formatter
->close_section();
259 s
->formatter
->close_section();
260 s
->formatter
->close_section();
264 int RGWModifyRole::get_params()
266 role_name
= s
->info
.args
.get("RoleName");
267 trust_policy
= s
->info
.args
.get("PolicyDocument");
269 if (role_name
.empty() || trust_policy
.empty()) {
270 ldpp_dout(this, 20) << "ERROR: One of role name or trust policy is empty"<< dendl
;
274 if (!p
.parse(trust_policy
.c_str(), trust_policy
.length())) {
275 ldpp_dout(this, 20) << "ERROR: failed to parse assume role policy doc" << dendl
;
276 return -ERR_MALFORMED_DOC
;
282 void RGWModifyRole::execute(optional_yield y
)
284 op_ret
= get_params();
289 _role
.update_trust_policy(trust_policy
);
290 op_ret
= _role
.update(this, y
);
292 s
->formatter
->open_object_section("UpdateAssumeRolePolicyResponse");
293 s
->formatter
->open_object_section("ResponseMetadata");
294 s
->formatter
->dump_string("RequestId", s
->trans_id
);
295 s
->formatter
->close_section();
296 s
->formatter
->close_section();
299 int RGWListRoles::verify_permission(optional_yield y
)
301 if (s
->auth
.identity
->is_anonymous()) {
305 if (int ret
= check_caps(s
->user
->get_caps()); ret
== 0) {
309 if (!verify_user_permission(this,
319 int RGWListRoles::get_params()
321 path_prefix
= s
->info
.args
.get("PathPrefix");
326 void RGWListRoles::execute(optional_yield y
)
328 op_ret
= get_params();
332 vector
<RGWRole
> result
;
333 op_ret
= RGWRole::get_roles_by_path_prefix(s
, store
->getRados(), s
->cct
, path_prefix
, s
->user
->get_tenant(), result
, y
);
336 s
->formatter
->open_array_section("ListRolesResponse");
337 s
->formatter
->open_object_section("ResponseMetadata");
338 s
->formatter
->dump_string("RequestId", s
->trans_id
);
339 s
->formatter
->close_section();
340 s
->formatter
->open_array_section("ListRolesResult");
341 s
->formatter
->open_object_section("Roles");
342 for (const auto& it
: result
) {
343 s
->formatter
->open_object_section("member");
344 it
.dump(s
->formatter
);
345 s
->formatter
->close_section();
347 s
->formatter
->close_section();
348 s
->formatter
->close_section();
349 s
->formatter
->close_section();
353 int RGWPutRolePolicy::get_params()
355 role_name
= s
->info
.args
.get("RoleName");
356 policy_name
= s
->info
.args
.get("PolicyName");
357 perm_policy
= s
->info
.args
.get("PolicyDocument");
359 if (role_name
.empty() || policy_name
.empty() || perm_policy
.empty()) {
360 ldpp_dout(this, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl
;
363 bufferlist bl
= bufferlist::static_from_string(perm_policy
);
365 const rgw::IAM::Policy
p(s
->cct
, s
->user
->get_tenant(), bl
);
367 catch (rgw::IAM::PolicyParseException
& e
) {
368 ldpp_dout(this, 20) << "failed to parse policy: " << e
.what() << dendl
;
369 return -ERR_MALFORMED_DOC
;
374 void RGWPutRolePolicy::execute(optional_yield y
)
376 op_ret
= get_params();
381 _role
.set_perm_policy(policy_name
, perm_policy
);
382 op_ret
= _role
.update(this, y
);
385 s
->formatter
->open_object_section("PutRolePolicyResponse");
386 s
->formatter
->open_object_section("ResponseMetadata");
387 s
->formatter
->dump_string("RequestId", s
->trans_id
);
388 s
->formatter
->close_section();
389 s
->formatter
->close_section();
393 int RGWGetRolePolicy::get_params()
395 role_name
= s
->info
.args
.get("RoleName");
396 policy_name
= s
->info
.args
.get("PolicyName");
398 if (role_name
.empty() || policy_name
.empty()) {
399 ldpp_dout(this, 20) << "ERROR: One of role name or policy name is empty"<< dendl
;
405 void RGWGetRolePolicy::execute(optional_yield y
)
407 op_ret
= get_params();
413 op_ret
= _role
.get_role_policy(policy_name
, perm_policy
);
414 if (op_ret
== -ENOENT
) {
415 op_ret
= -ERR_NO_SUCH_ENTITY
;
419 s
->formatter
->open_object_section("GetRolePolicyResponse");
420 s
->formatter
->open_object_section("ResponseMetadata");
421 s
->formatter
->dump_string("RequestId", s
->trans_id
);
422 s
->formatter
->close_section();
423 s
->formatter
->open_object_section("GetRolePolicyResult");
424 s
->formatter
->dump_string("PolicyName", policy_name
);
425 s
->formatter
->dump_string("RoleName", role_name
);
426 s
->formatter
->dump_string("PolicyDocument", perm_policy
);
427 s
->formatter
->close_section();
428 s
->formatter
->close_section();
432 int RGWListRolePolicies::get_params()
434 role_name
= s
->info
.args
.get("RoleName");
436 if (role_name
.empty()) {
437 ldpp_dout(this, 20) << "ERROR: Role name is empty"<< dendl
;
443 void RGWListRolePolicies::execute(optional_yield y
)
445 op_ret
= get_params();
450 std::vector
<string
> policy_names
= _role
.get_role_policy_names();
451 s
->formatter
->open_object_section("ListRolePoliciesResponse");
452 s
->formatter
->open_object_section("ResponseMetadata");
453 s
->formatter
->dump_string("RequestId", s
->trans_id
);
454 s
->formatter
->close_section();
455 s
->formatter
->open_object_section("ListRolePoliciesResult");
456 s
->formatter
->open_array_section("PolicyNames");
457 for (const auto& it
: policy_names
) {
458 s
->formatter
->dump_string("member", it
);
460 s
->formatter
->close_section();
461 s
->formatter
->close_section();
462 s
->formatter
->close_section();
465 int RGWDeleteRolePolicy::get_params()
467 role_name
= s
->info
.args
.get("RoleName");
468 policy_name
= s
->info
.args
.get("PolicyName");
470 if (role_name
.empty() || policy_name
.empty()) {
471 ldpp_dout(this, 20) << "ERROR: One of role name or policy name is empty"<< dendl
;
477 void RGWDeleteRolePolicy::execute(optional_yield y
)
479 op_ret
= get_params();
484 op_ret
= _role
.delete_policy(policy_name
);
485 if (op_ret
== -ENOENT
) {
486 op_ret
= -ERR_NO_ROLE_FOUND
;
490 op_ret
= _role
.update(this, y
);
493 s
->formatter
->open_object_section("DeleteRolePoliciesResponse");
494 s
->formatter
->open_object_section("ResponseMetadata");
495 s
->formatter
->dump_string("RequestId", s
->trans_id
);
496 s
->formatter
->close_section();
497 s
->formatter
->close_section();