RGW Bucket Policies #14307
RGW Bucket Policies #14307
Conversation
adamemerson
force-pushed
the
wip-sts-authorization
branch
from
0fd393f
to
7953684
Compare
doc/radosgw/bucketpolicy.rst
Outdated
| Configuration | ||
| ============= | ||
|
|
||
| Bucket poliies are managed through standard S3 operations rather than |
src/rgw/rgw_op.cc
Outdated
| @@ -3314,6 +3431,9 @@ void RGWPutObj::execute() | |||
|
|
|||
| int RGWPostObj::verify_permission() | |||
adamemerson
force-pushed
the
wip-sts-authorization
branch
from
7953684
to
caccecd
Compare
src/rgw/rgw_op.cc
Outdated
| if (s->iam_policy->eval(s->env, *s->auth.identity, | ||
| s->object.instance.empty() ? | ||
| rgw::IAM::s3ListBucket : | ||
| rgw::IAM::s3ListBucketVersions, |
There was a problem hiding this comment.
this check should be based on the RGWListBucket::list_versions flag. the only problem is that it's assigned later in the request processing (when RGWListBucket_ObjStore_S3::get_params() is called by RGWListBucket::execute()), so you won't have access to it here. you probably want to just check s->info.args.exists("versions")
edit: or, move the call to get_params() into this function, like you did with RGWDeleteMultiObj below
src/rgw/rgw_op.cc
Outdated
| try { | ||
| rgw::IAM::Policy p(s->cct, s->bucket_tenant, policy_text); | ||
| auto attrs = s->bucket_attrs; | ||
| attrs[RGW_ATTR_IAM_POLICY]; |
There was a problem hiding this comment.
seems like something is missing here. what are we doing with p?
src/common/ipaddr.cc
Outdated
| return cmp_addr6((sockaddr_in6*) addrl, | ||
| (sockaddr_in6*) addrr, | ||
| prefix_len); | ||
| #endif |
src/common/iso_8601.cc
Outdated
| // This assumes a contiguous block of numbers in the correct order. | ||
| uint16_t digit(char c) { | ||
| if (!(c >= '0' && c <= '9')) | ||
| throw std::invalid_argument("Not a digit."); |
There was a problem hiding this comment.
re: CodingStyle, single-line blocks still get enclosed in { }
adamemerson
force-pushed
the
wip-sts-authorization
branch
from
caccecd
to
8e59955
Compare
adamemerson
force-pushed
the
wip-sts-authorization
branch
2 times, most recently
from
ddb1c95
to
f0e1d1a
Compare
adamemerson
force-pushed
the
wip-sts-authorization
branch
from
f0e1d1a
to
9e7b330
Compare
src/rgw/rgw_iam_policy.cc
Outdated
| } | ||
|
|
||
| Effect Statement::eval(const Environment& e, | ||
| optional<const rgw::auth::Identity&> ida, |
There was a problem hiding this comment.
@adamemerson: is there a reason for taking the optional reference here? Although boost::optional is able to do that, some restrictions exist.
Maybe pointer-to-const would be a simpler approach?
There was a problem hiding this comment.
Because I wanted to make it explicit in the function signature that the parameter was optional. const pointers /can/ be nulled, but it's less obvious to people reading the code whether the function does something useful with a null value instead of crashing or returning an error.
(If we were using the GSL we could use the not_null template which accomplishes the same thing.)
adamemerson
force-pushed
the
wip-sts-authorization
branch
7 times, most recently
from
7579716
to
0ab3cf5
Compare
adamemerson
force-pushed
the
wip-sts-authorization
branch
3 times, most recently
from
dbc8de6
to
cfc3755
Compare
|
@tchaikov I just wanted to get a checkmark before he logged out for the day, if I could. |
|
@yehudasa If you want the submodule to point to a repository living under the Ceph project, you'll need to get someone who has access to put it there. I think it would be better to leave it pointing to the original repository until we have good reason to move it, since that makes adopting changes easier. |
|
@yehudasa At least I'm pretty sure I don't have access to create a new repo under the Ceph project. |
|
@adamemerson sorry, Adam. i thought you were about to merge. didn't intent to block you anyway. |
adamemerson
force-pushed
the
wip-sts-authorization
branch
from
f05f9e0
to
93b623d
Compare
There was a problem hiding this comment.
@adamemerson: LGTM. Thanks for bringing this feature and sorry for late response.
| } | ||
|
|
||
| return d; | ||
| } catch (const std::logic_error& e) { |
There was a problem hiding this comment.
std::logic_error looks very reasonable here.
There are parts of C++14 that are both useful and easy to implement. This is one of them. Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
This is a high performance, MIT licensed JSON parsing library. It provides a SAX interface so that I can compile an S3 policy without building up a JSONObject tree in the middle that gets thrown away. Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
adamemerson
force-pushed
the
wip-sts-authorization
branch
from
93b623d
to
fd9ed1f
Compare
| }; | ||
|
|
||
| template<typename T, typename... Args> | ||
| inline typename uniquity<T>::datum make_unique(Args&&... args) { |
src/test/common/test_iso_8601.cc
Outdated
| TEST(iso_8601, epoch) { | ||
| const auto epoch = real_clock::from_time_t(0); | ||
|
|
||
| ASSERT_EQ(to_iso_8601(epoch, iso_8601_format::Y), "1970"); |
There was a problem hiding this comment.
nit, the lhs is the expected value, while the rhs is the actual one.
adamemerson
force-pushed
the
wip-sts-authorization
branch
from
fd9ed1f
to
8ed7ead
Compare
src/test/common/test_iso_8601.cc
Outdated
| /* | ||
| * Ceph - scalable distributed file system | ||
| * | ||
| * Copyright (C) 2014 Red Hat <contact@redhat.com> |
There was a problem hiding this comment.
i also miss 2014 for some reason.
adamemerson
force-pushed
the
wip-sts-authorization
branch
from
8ed7ead
to
100d150
Compare
For parsing and unparsing from ceph::real_time. Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
Eventually this will allow us to match all authentication information against all specified principals in a policy. Right now it handles users and wildcards. Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
So they can be used when calling the function Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
Make three wrapper functions to tidy up the process of making a bufferlist holding a single static buffer. The lack of any decent handling of const in buffer::list makes me wax wroth, but it's a bit much to fix right now. Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
This support is currently incomplete but should provide a starting point. Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
Only hook into object/bucket checks for now. Once we have STS (giving us Roles) or User/Group policies it will make sense to hook into those, too. Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
adamemerson
force-pushed
the
wip-sts-authorization
branch
from
100d150
to
80b285d
Compare
Merge pull request #14307 from adamemerson/wip-sts-authorization common: Add make_unique submodule: Tencent's RapidJSON library common: Add ISO-8601 Date Support rgw: Add is_identity to AuthApplier class rgw: Move globbing flags to header buffer: Make the use of static areas more convenient rgw: Add basic support for IAM policies rgw: Build bucket permission and environment in req_state rgw: Verify policies as WELL as ACLs rgw: RESTful bucket policy ops rgw: Write documentation for bucket policies Reviewed-By: Casey Bodley <cbodley@redhat.com> Reviewed-By: Radoslaw Zarzynski <rzarzynski@mirantis.com> Reviewed-By: Kefu Chai <kchai@redhat.com>
| // Statement | ||
|
|
||
| } else if (w->id == TokenID::Sid) { | ||
| t->sid.emplace(s, l); |
There was a problem hiding this comment.
@adamemerson is http://people.redhat.com/bhubbard/scan-build-2017-06-07-193016-13960-1/report-5d592f.html#EndPath a false alarm or a valid warning?
It is by these words— no not the ones you're reading, but the ones in your policy document. it is by those very words that your buckets shall be guarded and gazed, watched and warded. They shall speak and grant access to some and turn others away in despair.