rgw/auth: Identity::get_aclowner() for resources it creates

Signed-off-by: Casey Bodley <cbodley@redhat.com>

src/rgw/driver/rados/rgw_data_sync.cc

@@ -2645,8 +2645,8 @@ class RGWUserPermHandler {
         return ret;
       }
 
-      info->identity = rgw::auth::transform_old_authinfo(sync_env->cct,
-                                                         uid,
+      info->identity = rgw::auth::transform_old_authinfo(sync_env->cct, uid,
+                                                         info->user_info.display_name,
                                                          RGW_PERM_FULL_CONTROL,
                                                          false, /* system_request? */
                                                          TYPE_RGW);

src/rgw/rgw_auth.cc

@@ -26,6 +26,7 @@ namespace auth {
 std::unique_ptr<rgw::auth::Identity>
 transform_old_authinfo(CephContext* const cct,
                        const rgw_user& auth_id,
+                       const std::string& display_name,
                        const int perm_mask,
                        const bool is_admin,
                        const uint32_t type)
@@ -40,22 +41,32 @@ transform_old_authinfo(CephContext* const cct,
      * the identity info as this was the policy for doing that before the
      * new auth. */
     const rgw_user id;
+    const std::string display_name;
     const int perm_mask;
     const bool is_admin;
     const uint32_t type;
   public:
     DummyIdentityApplier(CephContext* const cct,
                          const rgw_user& auth_id,
+                         const std::string display_name,
                          const int perm_mask,
                          const bool is_admin,
                          const uint32_t type)
       : cct(cct),
         id(auth_id),
+        display_name(display_name),
         perm_mask(perm_mask),
         is_admin(is_admin),
         type(type) {
     }
 
+    ACLOwner get_aclowner() const {
+      ACLOwner owner;
+      owner.id = id;
+      owner.display_name = display_name;
+      return owner;
+    }
+
     uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
       return rgw_perms_from_aclspec_default_strategy(id, aclspec, dpp);
     }
@@ -112,6 +123,7 @@ transform_old_authinfo(CephContext* const cct,
   return std::unique_ptr<rgw::auth::Identity>(
         new DummyIdentityApplier(cct,
                                  auth_id,
+                                 display_name,
                                  perm_mask,
                                  is_admin,
                                  type));
@@ -122,6 +134,7 @@ transform_old_authinfo(const req_state* const s)
 {
   return transform_old_authinfo(s->cct,
                                 s->user->get_id(),
+                                s->user->get_display_name(),
                                 s->perm_mask,
   /* System user has admin permissions by default - it's supposed to pass
    * through any security check. */
@@ -531,6 +544,14 @@ const std::string rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER;
 const std::string rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY;
 
 /* rgw::auth::RemoteAuthApplier */
+ACLOwner rgw::auth::RemoteApplier::get_aclowner() const
+{
+  ACLOwner owner;
+  owner.id = info.acct_user;
+  owner.display_name = info.acct_name;
+  return owner;
+}
+
 uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const
 {
   uint32_t perm = 0;
@@ -748,6 +769,14 @@ void rgw::auth::RemoteApplier::load_acct_info(const DoutPrefixProvider* dpp, RGW
 const std::string rgw::auth::LocalApplier::NO_SUBUSER;
 const std::string rgw::auth::LocalApplier::NO_ACCESS_KEY;
 
+ACLOwner rgw::auth::LocalApplier::get_aclowner() const
+{
+  ACLOwner owner;
+  owner.id = user_info.user_id;
+  owner.display_name = user_info.display_name;
+  return owner;
+}
+
 uint32_t rgw::auth::LocalApplier::get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const
 {
   return rgw_perms_from_aclspec_default_strategy(user_info.user_id, aclspec, dpp);
@@ -831,6 +860,14 @@ void rgw::auth::LocalApplier::write_ops_log_entry(rgw_log_entry& entry) const
   entry.subuser = subuser;
 }
 
+ACLOwner rgw::auth::RoleApplier::get_aclowner() const
+{
+  ACLOwner owner;
+  owner.id = token_attrs.user_id;
+  owner.display_name = role.name;
+  return owner;
+}
+
 void rgw::auth::RoleApplier::to_str(std::ostream& out) const {
   out << "rgw::auth::RoleApplier(role name =" << role.name;
   for (auto& policy: role.role_policies) {

src/rgw/rgw_auth.h

@@ -36,6 +36,9 @@ class Identity {
 
   virtual ~Identity() = default;
 
+  /* Return the ACLOwner for resources created by this identity. */
+  virtual ACLOwner get_aclowner() const = 0;
+
   /* Translate the ACL provided in @aclspec into concrete permission set that
    * can be used during the authorization phase (RGWOp::verify_permission).
    * On error throws rgw::auth::Exception storing the reason.
@@ -100,6 +103,7 @@ inline std::ostream& operator<<(std::ostream& out,
 std::unique_ptr<rgw::auth::Identity>
 transform_old_authinfo(CephContext* const cct,
                        const rgw_user& auth_id,
+                       const std::string& display_name,
                        const int perm_mask,
                        const bool is_admin,
                        const uint32_t type);
@@ -444,6 +448,13 @@ class WebIdentityApplier : public IdentityApplier {
 
   void modify_request_state(const DoutPrefixProvider *dpp, req_state* s) const override;
 
+  ACLOwner get_aclowner() const override {
+    ACLOwner owner;
+    owner.id = rgw_user{role_tenant, sub, "oidc"};
+    owner.display_name = user_name;
+    return owner;
+  }
+
   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const  override {
     return RGW_PERM_NONE;
   }
@@ -618,6 +629,7 @@ class RemoteApplier : public IdentityApplier {
       implicit_tenant_bit(implicit_tenant_bit) {
   }
 
+  ACLOwner get_aclowner() const override;
   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
   bool is_admin_of(const rgw_user& uid) const override;
   bool is_owner_of(const rgw_user& uid) const override;
@@ -678,7 +690,7 @@ class LocalApplier : public IdentityApplier {
       access_key_id(access_key_id) {
   }
 
-
+  ACLOwner get_aclowner() const override;
   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
   bool is_admin_of(const rgw_user& uid) const override;
   bool is_owner_of(const rgw_user& uid) const override;
@@ -740,6 +752,7 @@ class RoleApplier : public IdentityApplier {
     : role(role),
       token_attrs(token_attrs) {}
 
+  ACLOwner get_aclowner() const override;
   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
     return 0;
   }

src/rgw/rgw_auth_filters.h

@@ -65,6 +65,10 @@ class DecoratedApplier : public rgw::auth::IdentityApplier {
     : decoratee(std::forward<DecorateeT>(decoratee)) {
   }
 
+  ACLOwner get_aclowner() const override {
+    return get_decoratee().get_aclowner();
+  }
+
   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
     return get_decoratee().get_perms_from_aclspec(dpp, aclspec);
   }

src/test/rgw/test_rgw_iam_policy.cc

@@ -102,6 +102,12 @@ class FakeIdentity : public Identity {
 public:
 
   explicit FakeIdentity(Principal&& id) : id(std::move(id)) {}
+
+  ACLOwner get_aclowner() const override {
+    ceph_abort();
+    return {};
+  }
+
   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
     ceph_abort();
     return 0;

src/test/rgw/test_rgw_lua.cc

@@ -33,6 +33,10 @@ class FakeIdentity : public Identity {
 public:
   FakeIdentity() = default;
 
+  ACLOwner get_aclowner() const override {
+    return {};
+  }
+
   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
     return 0;
   };