New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rgw: Rework of s3 v2 local authentication code. #10448
rgw: Rework of s3 v2 local authentication code. #10448
Conversation
This PR contains reworked code for s3 v2 local auth.
|
eaa68ad
to
cf81f4d
Compare
return nullptr; | ||
} | ||
|
||
dout(15) << "calculated digest=" << digest << dendl; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
could we probably replace dout -> ldout if we have s->cct here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
harmless for now?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah harmless, though we do we have req_info, ie. s->cct here :)
This commit now has conflicts with master, and needs a rebase. Pritha, can you rebase and re-post? |
Also, just quickly: does this change really only apply to v2? Will another change be required for v4? If so, can we combine those (I mean, in one PR, not speaking of impl per se)? |
cf81f4d
to
4b6c263
Compare
@mattbenjamin : Yes, this change only applies to v2. But I will update this PR with changes for v4 also as you have suggested. |
@mattbenjamin, @rzarzynski : I need some feedback on the design of classes RGWS3V2TokenBasedAuthEngine and RGWS3V2TokenExtractor. Instead of having an extractor class for just the auth id and the other tokens getting extracted in RGWS3V2TokenBasedAuthEngine, I can just have RGWS3V2TokenBasedAuthEngine derive from RGWAuthEngine and not have any extractor class. The RGWS3V2TokenBasedAuthEngine class will take care of extracting all auth tokens (like auth id, signature and expires). This class could be re-used for Keystone Auth as well (and maybe for ldap also.) |
@mattbenjamin : In the old code for ldap auth, the code would fallback to local auth incase ldap auth failed. Is that really intended here? Or should we just send an error to the user in case ldap auth fails (and not proceed to ocal auth)? |
@@ -689,7 +689,67 @@ class RGWLDAPTokenExtractor : public RGWTokenBasedAuthEngine::Extractor { | |||
std::string get_token() const override; | |||
}; | |||
|
|||
class S3AuthFactory : public RGWRemoteAuthApplier::Factory { | |||
class RGWS3V2TokenBasedAuthEngine : public RGWTokenBasedAuthEngine { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@pritha-srivastava: I'm not sure whether deriving from RGWTokenBasedAuthEngine
is suitable way for AWS auth. The class is targeting those authenticators which are token-based. OpenStack Identity API and Kerberos might be seen as typical examples. It's worth to add that under token I mean a short-living string that can be used multiple times without alternations. A comment on StackOverflow might be helpful as well.
AWSv2 isn't token-based in this sense. Instead of providing a constant string, client needs to send AWSAccessKeyId
and Signature
according the Amazon's terminology. Signature
is varying with each request.
The second solution proposed by you seems to be the good one. However, I wouldn't name the class with anything having Token inside. Also the extractor concept still could be useful. IIRC the AWS auth stuff could be extracted either from HTTP headers or from query string.
@rzarzynski : Thank you very much for your comments. |
4b6c263
to
52fd837
Compare
ldout(cct, 10) << "ERROR: User id of type: " << user_info.type << " is already present" << dendl; | ||
return nullptr; | ||
} | ||
}*/ | ||
} |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I will enable the type checking once we have a plan to migrate existing users to the new format.
Note:
|
@mattbenjamin @rzarzynski : Please review |
|
||
public: | ||
S3Extractor(std::string access_key_id, std::string signature) | ||
: access_key_id(access_key_id), |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would suggest std::moving here to save additional memory allocation/increasing a reference counter in std::string
.
52fd837
to
d2486e9
Compare
@rzarzynski : Reworked. |
@@ -1754,13 +1754,22 @@ int RGWPostObj_ObjStore_S3::get_policy() | |||
s->perm_mask = RGW_PERM_FULL_CONTROL; | |||
} | |||
} else if (ldap.is_applicable()) { | |||
auto applier = ldap.authenticate(); | |||
if (! applier) { | |||
try { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
OK.
d2486e9
to
295657b
Compare
@pritha-srivastava I don't think we should just comment out the type checking, since we I believe all agree it should be present (Shilpa raised the issue as a potential bug). Rather, we should figure out a change following this one which allows dealing with this issue. My first thought on it was:
|
@mattbenjamin : My intention was to keep the type checking commented, till we have the radosgw-admin command in place (or whatever will help in adding the user source type field to the existing users). This is to avoid any confusion in case someone wants to use the master branch may see incorrect auth failures. Once the auth rework is done, my plan was to work on the new command and then enable the type checking throughout the code. Let me know what you think. |
I think the type checking should be re-enabled. Yehuda has already agreed that the migration rules can come later, so long as we prioritize them. If you are not comfortable with that, I'd rather delay merging this change until we have a migration path. |
@mattbenjamin : My only concern was the migration of the existing users. If that can be deffered, then it is fine with me. The code to add the source user type and to check the type is already there. I'll add/ re-enable them and update the PR. |
295657b
to
fd39aab
Compare
@mattbenjamin : I have re-enabled the type checking both for ldap and local auth. |
@pritha-srivastava I agree it's kind of annoying either way. I'm honestly responding partly from intuition here. Changing the behavior between pushes and without discussion felt wrong to me. I also don't like adding disabled sections terribly much, but then again, I sometimes do it myself. Here I think we should focus on the real issue that was exposed by this rework, which is the lack of a proper policy governing multiple auth backends. I share Shilpa's intuition that it's not good to allow dynamic backends like ldap to induce privilege escalation, so I've been trying to force us to address it. |
@pritha-srivastava I forgot to add. Do you have a sense of what strategies we should take for the migration? I wrote down the ideas I had come up with previously. Do you have other ideas? Let's discuss this in standup. |
@mattbenjamin : The note about disabling the user type check was intended to bring about the discussion, but I will bring it up in the stand-up next time. Sorry about that. Yes, I did think a little about migrating existing users: We could probably use radosgw-admin modify user command, and give the users an option to add the source type. We could write up a script using this command addressing all users. I am not sure though how many users the end-user will typically have. |
@pritha-srivastava I'll merge as soon as the next push re-disabling checks lands. |
@mattbenjamin : Checking teuthology errors, will update the PR once done |
fd39aab
to
bb94f26
Compare
@mattbenjamin : I have updated the PR. But there is still one job in which one of the s3tests timeout randomly because of an IO error. I have run the job twice and each time a new s3 test timed out. I am running it on a different machine now. @cbodley has agreed to check the result and let you know. Please dont merge the PR till then. Thanks! |
@pritha-srivastava it hadn't run by the time i left today, but you guys can track progress at http://pulpito.ceph.com/prsrivas-2016-08-11_19:53:53-rgw-wip_s3_v2_local_auth_rework---basic-mira/ |
The v2 local auth code has been reworked based on the new new authentication infrastructure. Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
bb94f26
to
b5b3e5c
Compare
The v2 local auth code has been reworked based on the new new authentication infrastructure.
Signed-off-by: Pritha Srivastava prsrivas@redhat.com