author | Tobias Urdin <tobias.urdin@binero.se> | 2022-05-02 11:48:15 +0200 |
---|---|---|
committer | Tobias Urdin <tobias.urdin@binero.se> | 2022-09-21 22:33:29 +0200 |
commit | 7ead219d726f63f55d793ebb0c059acbb310a15e (patch) | |
tree | 8e0ad39b53146d1c789aa2e2010af5820ec8b296 /src/rgw/rgw_auth_keystone.cc | |
parent | rgw/auth: Set see_also backreferences for service token opts (diff) | |

rgw/auth: Deny request if service token does not have accepted roles

The default behavior should be that an invalid service token
makes the request invalid even though we have not checked the
X-Auth-Token yet.

This is not required but should reflect the same behavior as other
keystonemiddleware implemented services have.

Signed-off-by: Tobias Urdin <tobias.urdin@binero.com>

Diffstat (limited to 'src/rgw/rgw_auth_keystone.cc')
-rw-r--r-- | src/rgw/rgw_auth_keystone.cc | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc index 9976449f28b..c42b0604ceb 100644 --- a/src/rgw/rgw_auth_keystone.cc +++ b/src/rgw/rgw_auth_keystone.cc @@ -300,6 +300,7 @@ TokenEngine::authenticate(const DoutPrefixProvider* dpp, if (!allow_expired) { ldpp_dout(dpp, 0) << "service token user does not hold a matching role; required roles: " << g_conf()->rgw_keystone_service_token_accepted_roles << dendl; + return result_t::deny(-EPERM); } } } |
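
Review bot: The added `return result_t::deny(-EPERM);` is guarded by `if (!allow_expired)`, while the log line next to it reports a role mismatch, so the denial depends on a flag whose name describes something else. A short comment stating that `allow_expired` being false at this point means no accepted role matched, or a dedicated boolean for the role check, would make the deny condition easier to audit. Before this line, execution fell through the block after logging, so this changes the outcome for requests that carry a service token without an accepted role; the diffstat shows one insertion in one file, with no test or documentation change. A test for the denied case and a note on `rgw_keystone_service_token_accepted_roles` describing the new behavior would help operators who upgrade.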