Merge pull request #10687 from rzarzynski/wip-rgw-is_admin-fix

rgw: fix is_admin handling in RGWLDAPAuthEngine and introduce acct_privilege_t Reviewed-by: Orit Wasserman <owasserm@redhat.com>
ceph · Sep 16, 2016 · 8ee372a · 8ee372a
2 parents 0029f99 + 32a04b0
commit 8ee372a
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 6 deletions.
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
@@ -368,11 +368,13 @@ RGWKeystoneAuthEngine::get_creds_info(const KeystoneToken& token,
                                       const std::vector<std::string>& admin_roles
                                     ) const noexcept
 {
+  using acct_privilege_t = RGWRemoteAuthApplier::AuthInfo::acct_privilege_t;
+
   /* Check whether the user has an admin status. */
-  bool is_admin = false;
+  acct_privilege_t level = acct_privilege_t::IS_PLAIN_ACCT;
   for (const auto& admin_role : admin_roles) {
     if (token.has_role(admin_role)) {
-      is_admin = true;
+      level = acct_privilege_t::IS_ADMIN_ACCT;
       break;
     }
   }
@@ -385,7 +387,7 @@ RGWKeystoneAuthEngine::get_creds_info(const KeystoneToken& token,
     /* Keystone doesn't support RGW's subuser concept, so we cannot cut down
      * the access rights through the perm_mask. At least at this layer. */
     RGW_PERM_FULL_CONTROL,
-    is_admin,
+    level,
   };
 }
 

diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
@@ -120,15 +120,20 @@ class RGWRemoteAuthApplier : public RGWAuthApplier {
     const uint32_t acct_type;
 
   public:
+    enum class acct_privilege_t {
+      IS_ADMIN_ACCT,
+      IS_PLAIN_ACCT
+    };
+
     AuthInfo(const rgw_user& acct_user,
              const std::string& acct_name,
              const uint32_t perm_mask,
-             const bool is_admin,
+             const acct_privilege_t level,
              const uint32_t acct_type=TYPE_NONE)
     : acct_user(acct_user),
       acct_name(acct_name),
       perm_mask(perm_mask),
-      is_admin(is_admin),
+      is_admin(acct_privilege_t::IS_ADMIN_ACCT == level),
       acct_type(acct_type) {
     }
   };

diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
@@ -4332,11 +4332,13 @@ RGWRemoteAuthApplier::acl_strategy_t RGWLDAPAuthEngine::get_acl_strategy() const
 RGWRemoteAuthApplier::AuthInfo
 RGWLDAPAuthEngine::get_creds_info(const rgw::RGWToken& token) const noexcept
 {
+  using acct_privilege_t = RGWRemoteAuthApplier::AuthInfo::acct_privilege_t;
+
   return RGWRemoteAuthApplier::AuthInfo {
     rgw_user(token.id),
     token.id,
     RGW_PERM_FULL_CONTROL,
-    true,
+    acct_privilege_t::IS_PLAIN_ACCT,
     TYPE_LDAP
   };
 }