]> git.proxmox.com Git - ceph.git/blob - ceph/src/rgw/rgw_rest_role.cc
projects / ceph.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
import ceph 16.2.6
[ceph.git] / ceph / src / rgw / rgw_rest_role.cc
1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab ft=cpp
3
4 #include <errno.h>
5
6 #include "common/errno.h"
7 #include "common/Formatter.h"
8 #include "common/ceph_json.h"
9
10 #include "include/types.h"
11 #include "rgw_string.h"
12
13 #include "rgw_common.h"
14 #include "rgw_op.h"
15 #include "rgw_rest.h"
16 #include "rgw_role.h"
17 #include "rgw_rest_role.h"
18 #include "rgw_sal_rados.h"
19
20 #define dout_subsys ceph_subsys_rgw
21
22 int RGWRestRole::verify_permission(optional_yield y)
23 {
24 if (s->auth.identity->is_anonymous()) {
25 return -EACCES;
26 }
27
28 string role_name = s->info.args.get("RoleName");
29 RGWRole role(s->cct, store->getRados()->pctl, role_name, s->user->get_tenant());
30 if (op_ret = role.get(s, y); op_ret < 0) {
31 if (op_ret == -ENOENT) {
32 op_ret = -ERR_NO_ROLE_FOUND;
33 }
34 return op_ret;
35 }
36
37 if (int ret = check_caps(s->user->get_caps()); ret == 0) {
38 _role = std::move(role);
39 return ret;
40 }
41
42 string resource_name = role.get_path() + role_name;
43 uint64_t op = get_op();
44 if (!verify_user_permission(this,
45 s,
46 rgw::ARN(resource_name,
47 "role",
48 s->user->get_tenant(), true),
49 op)) {
50 return -EACCES;
51 }
52
53 _role = std::move(role);
54
55 return 0;
56 }
57
58 void RGWRestRole::send_response()
59 {
60 if (op_ret) {
61 set_req_state_err(s, op_ret);
62 }
63 dump_errno(s);
64 end_header(s, this);
65 }
66
67 int RGWRoleRead::check_caps(const RGWUserCaps& caps)
68 {
69 return caps.check_cap("roles", RGW_CAP_READ);
70 }
71
72 int RGWRoleWrite::check_caps(const RGWUserCaps& caps)
73 {
74 return caps.check_cap("roles", RGW_CAP_WRITE);
75 }
76
77 int RGWCreateRole::verify_permission(optional_yield y)
78 {
79 if (s->auth.identity->is_anonymous()) {
80 return -EACCES;
81 }
82
83 if (int ret = check_caps(s->user->get_caps()); ret == 0) {
84 return ret;
85 }
86
87 string role_name = s->info.args.get("RoleName");
88 string role_path = s->info.args.get("Path");
89
90 string resource_name = role_path + role_name;
91 if (!verify_user_permission(this,
92 s,
93 rgw::ARN(resource_name,
94 "role",
95 s->user->get_tenant(), true),
96 get_op())) {
97 return -EACCES;
98 }
99 return 0;
100 }
101
102 int RGWCreateRole::get_params()
103 {
104 role_name = s->info.args.get("RoleName");
105 role_path = s->info.args.get("Path");
106 trust_policy = s->info.args.get("AssumeRolePolicyDocument");
107 max_session_duration = s->info.args.get("MaxSessionDuration");
108
109 if (role_name.empty() || trust_policy.empty()) {
110 ldpp_dout(this, 20) << "ERROR: one of role name or assume role policy document is empty"
111 << dendl;
112 return -EINVAL;
113 }
114
115 bufferlist bl = bufferlist::static_from_string(trust_policy);
116 try {
117 const rgw::IAM::Policy p(s->cct, s->user->get_tenant(), bl);
118 }
119 catch (rgw::IAM::PolicyParseException& e) {
120 ldpp_dout(this, 20) << "failed to parse policy: " << e.what() << dendl;
121 return -ERR_MALFORMED_DOC;
122 }
123
124 return 0;
125 }
126
127 void RGWCreateRole::execute(optional_yield y)
128 {
129 op_ret = get_params();
130 if (op_ret < 0) {
131 return;
132 }
133 std::string user_tenant = s->user->get_tenant();
134 RGWRole role(s->cct, store->getRados()->pctl, role_name, role_path, trust_policy,
135 user_tenant, max_session_duration);
136 if (!user_tenant.empty() && role.get_tenant() != user_tenant) {
137 ldpp_dout(this, 20) << "ERROR: the tenant provided in the role name does not match with the tenant of the user creating the role"
138 << dendl;
139 op_ret = -EINVAL;
140 return;
141 }
142 op_ret = role.create(s, true, y);
143
144 if (op_ret == -EEXIST) {
145 op_ret = -ERR_ROLE_EXISTS;
146 }
147
148 if (op_ret == 0) {
149 s->formatter->open_object_section("CreateRoleResponse");
150 s->formatter->open_object_section("CreateRoleResult");
151 s->formatter->open_object_section("Role");
152 role.dump(s->formatter);
153 s->formatter->close_section();
154 s->formatter->close_section();
155 s->formatter->open_object_section("ResponseMetadata");
156 s->formatter->dump_string("RequestId", s->trans_id);
157 s->formatter->close_section();
158 s->formatter->close_section();
159 }
160 }
161
162 int RGWDeleteRole::get_params()
163 {
164 role_name = s->info.args.get("RoleName");
165
166 if (role_name.empty()) {
167 ldpp_dout(this, 20) << "ERROR: Role name is empty"<< dendl;
168 return -EINVAL;
169 }
170
171 return 0;
172 }
173
174 void RGWDeleteRole::execute(optional_yield y)
175 {
176 op_ret = get_params();
177 if (op_ret < 0) {
178 return;
179 }
180
181 op_ret = _role.delete_obj(s, y);
182
183 if (op_ret == -ENOENT) {
184 op_ret = -ERR_NO_ROLE_FOUND;
185 }
186 if (!op_ret) {
187 s->formatter->open_object_section("DeleteRoleResponse");
188 s->formatter->open_object_section("ResponseMetadata");
189 s->formatter->dump_string("RequestId", s->trans_id);
190 s->formatter->close_section();
191 s->formatter->close_section();
192 }
193 }
194
195 int RGWGetRole::verify_permission(optional_yield y)
196 {
197 return 0;
198 }
199
200 int RGWGetRole::_verify_permission(const RGWRole& role)
201 {
202 if (s->auth.identity->is_anonymous()) {
203 return -EACCES;
204 }
205
206 if (int ret = check_caps(s->user->get_caps()); ret == 0) {
207 return ret;
208 }
209
210 string resource_name = role.get_path() + role.get_name();
211 if (!verify_user_permission(this,
212 s,
213 rgw::ARN(resource_name,
214 "role",
215 s->user->get_tenant(), true),
216 get_op())) {
217 return -EACCES;
218 }
219 return 0;
220 }
221
222 int RGWGetRole::get_params()
223 {
224 role_name = s->info.args.get("RoleName");
225
226 if (role_name.empty()) {
227 ldpp_dout(this, 20) << "ERROR: Role name is empty"<< dendl;
228 return -EINVAL;
229 }
230
231 return 0;
232 }
233
234 void RGWGetRole::execute(optional_yield y)
235 {
236 op_ret = get_params();
237 if (op_ret < 0) {
238 return;
239 }
240 RGWRole role(s->cct, store->getRados()->pctl, role_name, s->user->get_tenant());
241 op_ret = role.get(s, y);
242
243 if (op_ret == -ENOENT) {
244 op_ret = -ERR_NO_ROLE_FOUND;
245 return;
246 }
247
248 op_ret = _verify_permission(role);
249
250 if (op_ret == 0) {
251 s->formatter->open_object_section("GetRoleResponse");
252 s->formatter->open_object_section("ResponseMetadata");
253 s->formatter->dump_string("RequestId", s->trans_id);
254 s->formatter->close_section();
255 s->formatter->open_object_section("GetRoleResult");
256 s->formatter->open_object_section("Role");
257 role.dump(s->formatter);
258 s->formatter->close_section();
259 s->formatter->close_section();
260 s->formatter->close_section();
261 }
262 }
263
264 int RGWModifyRole::get_params()
265 {
266 role_name = s->info.args.get("RoleName");
267 trust_policy = s->info.args.get("PolicyDocument");
268
269 if (role_name.empty() || trust_policy.empty()) {
270 ldpp_dout(this, 20) << "ERROR: One of role name or trust policy is empty"<< dendl;
271 return -EINVAL;
272 }
273 JSONParser p;
274 if (!p.parse(trust_policy.c_str(), trust_policy.length())) {
275 ldpp_dout(this, 20) << "ERROR: failed to parse assume role policy doc" << dendl;
276 return -ERR_MALFORMED_DOC;
277 }
278
279 return 0;
280 }
281
282 void RGWModifyRole::execute(optional_yield y)
283 {
284 op_ret = get_params();
285 if (op_ret < 0) {
286 return;
287 }
288
289 _role.update_trust_policy(trust_policy);
290 op_ret = _role.update(this, y);
291
292 s->formatter->open_object_section("UpdateAssumeRolePolicyResponse");
293 s->formatter->open_object_section("ResponseMetadata");
294 s->formatter->dump_string("RequestId", s->trans_id);
295 s->formatter->close_section();
296 s->formatter->close_section();
297 }
298
299 int RGWListRoles::verify_permission(optional_yield y)
300 {
301 if (s->auth.identity->is_anonymous()) {
302 return -EACCES;
303 }
304
305 if (int ret = check_caps(s->user->get_caps()); ret == 0) {
306 return ret;
307 }
308
309 if (!verify_user_permission(this,
310 s,
311 rgw::ARN(),
312 get_op())) {
313 return -EACCES;
314 }
315
316 return 0;
317 }
318
319 int RGWListRoles::get_params()
320 {
321 path_prefix = s->info.args.get("PathPrefix");
322
323 return 0;
324 }
325
326 void RGWListRoles::execute(optional_yield y)
327 {
328 op_ret = get_params();
329 if (op_ret < 0) {
330 return;
331 }
332 vector<RGWRole> result;
333 op_ret = RGWRole::get_roles_by_path_prefix(s, store->getRados(), s->cct, path_prefix, s->user->get_tenant(), result, y);
334
335 if (op_ret == 0) {
336 s->formatter->open_array_section("ListRolesResponse");
337 s->formatter->open_object_section("ResponseMetadata");
338 s->formatter->dump_string("RequestId", s->trans_id);
339 s->formatter->close_section();
340 s->formatter->open_array_section("ListRolesResult");
341 s->formatter->open_object_section("Roles");
342 for (const auto& it : result) {
343 s->formatter->open_object_section("member");
344 it.dump(s->formatter);
345 s->formatter->close_section();
346 }
347 s->formatter->close_section();
348 s->formatter->close_section();
349 s->formatter->close_section();
350 }
351 }
352
353 int RGWPutRolePolicy::get_params()
354 {
355 role_name = s->info.args.get("RoleName");
356 policy_name = s->info.args.get("PolicyName");
357 perm_policy = s->info.args.get("PolicyDocument");
358
359 if (role_name.empty() || policy_name.empty() || perm_policy.empty()) {
360 ldpp_dout(this, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl;
361 return -EINVAL;
362 }
363 bufferlist bl = bufferlist::static_from_string(perm_policy);
364 try {
365 const rgw::IAM::Policy p(s->cct, s->user->get_tenant(), bl);
366 }
367 catch (rgw::IAM::PolicyParseException& e) {
368 ldpp_dout(this, 20) << "failed to parse policy: " << e.what() << dendl;
369 return -ERR_MALFORMED_DOC;
370 }
371 return 0;
372 }
373
374 void RGWPutRolePolicy::execute(optional_yield y)
375 {
376 op_ret = get_params();
377 if (op_ret < 0) {
378 return;
379 }
380
381 _role.set_perm_policy(policy_name, perm_policy);
382 op_ret = _role.update(this, y);
383
384 if (op_ret == 0) {
385 s->formatter->open_object_section("PutRolePolicyResponse");
386 s->formatter->open_object_section("ResponseMetadata");
387 s->formatter->dump_string("RequestId", s->trans_id);
388 s->formatter->close_section();
389 s->formatter->close_section();
390 }
391 }
392
393 int RGWGetRolePolicy::get_params()
394 {
395 role_name = s->info.args.get("RoleName");
396 policy_name = s->info.args.get("PolicyName");
397
398 if (role_name.empty() || policy_name.empty()) {
399 ldpp_dout(this, 20) << "ERROR: One of role name or policy name is empty"<< dendl;
400 return -EINVAL;
401 }
402 return 0;
403 }
404
405 void RGWGetRolePolicy::execute(optional_yield y)
406 {
407 op_ret = get_params();
408 if (op_ret < 0) {
409 return;
410 }
411
412 string perm_policy;
413 op_ret = _role.get_role_policy(policy_name, perm_policy);
414 if (op_ret == -ENOENT) {
415 op_ret = -ERR_NO_SUCH_ENTITY;
416 }
417
418 if (op_ret == 0) {
419 s->formatter->open_object_section("GetRolePolicyResponse");
420 s->formatter->open_object_section("ResponseMetadata");
421 s->formatter->dump_string("RequestId", s->trans_id);
422 s->formatter->close_section();
423 s->formatter->open_object_section("GetRolePolicyResult");
424 s->formatter->dump_string("PolicyName", policy_name);
425 s->formatter->dump_string("RoleName", role_name);
426 s->formatter->dump_string("PolicyDocument", perm_policy);
427 s->formatter->close_section();
428 s->formatter->close_section();
429 }
430 }
431
432 int RGWListRolePolicies::get_params()
433 {
434 role_name = s->info.args.get("RoleName");
435
436 if (role_name.empty()) {
437 ldpp_dout(this, 20) << "ERROR: Role name is empty"<< dendl;
438 return -EINVAL;
439 }
440 return 0;
441 }
442
443 void RGWListRolePolicies::execute(optional_yield y)
444 {
445 op_ret = get_params();
446 if (op_ret < 0) {
447 return;
448 }
449
450 std::vector<string> policy_names = _role.get_role_policy_names();
451 s->formatter->open_object_section("ListRolePoliciesResponse");
452 s->formatter->open_object_section("ResponseMetadata");
453 s->formatter->dump_string("RequestId", s->trans_id);
454 s->formatter->close_section();
455 s->formatter->open_object_section("ListRolePoliciesResult");
456 s->formatter->open_array_section("PolicyNames");
457 for (const auto& it : policy_names) {
458 s->formatter->dump_string("member", it);
459 }
460 s->formatter->close_section();
461 s->formatter->close_section();
462 s->formatter->close_section();
463 }
464
465 int RGWDeleteRolePolicy::get_params()
466 {
467 role_name = s->info.args.get("RoleName");
468 policy_name = s->info.args.get("PolicyName");
469
470 if (role_name.empty() || policy_name.empty()) {
471 ldpp_dout(this, 20) << "ERROR: One of role name or policy name is empty"<< dendl;
472 return -EINVAL;
473 }
474 return 0;
475 }
476
477 void RGWDeleteRolePolicy::execute(optional_yield y)
478 {
479 op_ret = get_params();
480 if (op_ret < 0) {
481 return;
482 }
483
484 op_ret = _role.delete_policy(policy_name);
485 if (op_ret == -ENOENT) {
486 op_ret = -ERR_NO_ROLE_FOUND;
487 }
488
489 if (op_ret == 0) {
490 op_ret = _role.update(this, y);
491 }
492
493 s->formatter->open_object_section("DeleteRolePoliciesResponse");
494 s->formatter->open_object_section("ResponseMetadata");
495 s->formatter->dump_string("RequestId", s->trans_id);
496 s->formatter->close_section();
497 s->formatter->close_section();
498 }
Ceph