Merge pull request #20332 from pritha-srivastava/wip-rgw-role-admin-only

rgw: Correct permission evaluation to allow only admin users to work with Roles. Reviewed-by: Casey Bodley <cbodley@redhat.com> Reviewed-by: Adam Emerson <aemerson@redhat.com>
ceph · Feb 16, 2018 · 0212990 · 0212990
2 parents 191ab13 + 09c1bfe
commit 0212990
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 25 deletions.
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
@@ -1742,7 +1742,8 @@ bool RGWUserCaps::is_valid_cap_type(const string& tp)
                                     "bilog",
                                     "mdlog",
                                     "datalog",
-                                    "opstate" };
+                                    "opstate",
+                                    "roles"};
 
   for (unsigned int i = 0; i < sizeof(cap_type) / sizeof(char *); ++i) {
     if (tp.compare(cap_type[i]) == 0) {

diff --git a/src/rgw/rgw_rest_role.cc b/src/rgw/rgw_rest_role.cc
@@ -26,30 +26,21 @@ void RGWRestRole::send_response()
   end_header(s);
 }
 
-int RGWRoleRead::verify_permission()
+int RGWRestRole::verify_permission()
 {
-  if (s->auth.identity->is_anonymous()) {
-    return -EACCES;
-  }
-
-  if (!verify_user_permission(s, RGW_PERM_READ)) {
-    return -EACCES;
-  }
-
-  return 0;
+  int ret = check_caps(s->user->caps);
+  ldout(s->cct, 0) << "INFO: verify_permissions ret" << ret << dendl;
+  return ret;
 }
 
-int RGWRoleWrite::verify_permission()
+int RGWRoleRead::check_caps(RGWUserCaps& caps)
 {
-  if (s->auth.identity->is_anonymous()) {
-    return -EACCES;
-  }
-
-  if (!verify_user_permission(s, RGW_PERM_WRITE)) {
-    return -EACCES;
-  }
+    return caps.check_cap("roles", RGW_CAP_READ);
+}
 
-  return 0;
+int RGWRoleWrite::check_caps(RGWUserCaps& caps)
+{
+    return caps.check_cap("roles", RGW_CAP_WRITE);
 }
 
 int RGWCreateRole::get_params()

diff --git a/src/rgw/rgw_rest_role.h b/src/rgw/rgw_rest_role.h
@@ -3,7 +3,7 @@
 #ifndef CEPH_RGW_REST_ROLE_H
 #define CEPH_RGW_REST_ROLE_H
 
-class RGWRestRole : public RGWOp {
+class RGWRestRole : public RGWRESTOp {
 protected:
   string role_name;
   string role_path;
@@ -13,21 +13,20 @@ class RGWRestRole : public RGWOp {
   string path_prefix;
 
 public:
+  int verify_permission() override;
   void send_response() override;
 };
 
 class RGWRoleRead : public RGWRestRole {
 public:
   RGWRoleRead() = default;
-  int verify_permission() override;
-  uint32_t op_mask() override { return RGW_OP_TYPE_READ; }
+  int check_caps(RGWUserCaps& caps) override;
 };
 
 class RGWRoleWrite : public RGWRestRole {
 public:
   RGWRoleWrite() = default;
-  int verify_permission() override;
-  uint32_t op_mask() override { return RGW_OP_TYPE_WRITE; }
+  int check_caps(RGWUserCaps& caps) override;
 };
 
 class RGWCreateRole : public RGWRoleWrite {