Initial work for OPA-Ceph integration

Signed-off-by: Ashutosh Narkar <anarkar4387@gmail.com>
author: Ashutosh Narkar <anarkar4387@gmail.com> 2018-05-31 01:49:30 +0200
committer: Ashutosh Narkar <anarkar4387@gmail.com> 2018-07-25 10:20:34 +0200
commit: 631a036a6b02d30d12d0a1c6cae25c9aa0c38af1 (patch)
tree: 72431dfb6fdaf7965f31e4afa44bf03e4c148793 /src/rgw/rgw_opa.cc
parent: Merge pull request #22996 from batrick/mds-state-dot (diff)
download: ceph-631a036a6b02d30d12d0a1c6cae25c9aa0c38af1.tar.xz
ceph-631a036a6b02d30d12d0a1c6cae25c9aa0c38af1.zip
1 files changed, 81 insertions, 0 deletions
diff --git a/src/rgw/rgw_opa.cc b/src/rgw/rgw_opa.cc
new file mode 100644
index 00000000000..08abf5a174f
--- /dev/null
+++ b/src/rgw/rgw_opa.cc
@@ -0,0 +1,81 @@
+// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
+// vim: ts=8 sw=2 smarttab
+
+#include "rgw_opa.h"
+
+#define dout_context g_ceph_context
+#define dout_subsys ceph_subsys_rgw
+
+int rgw_opa_authorize(RGWOp *& op,
+                      req_state * const s)
+{
+
+  ldpp_dout(op, 2) << "authorizing request using OPA" << dendl;
+
+  /* get OPA url */
+  const string& opa_url = s->cct->_conf->rgw_opa_url;
+  if (opa_url == "") {
+    ldpp_dout(op, 2) << "OPA_URL not provided" << dendl;
+    return -ERR_INVALID_REQUEST;
+  }
+  ldpp_dout(op, 2) << "OPA URL= " << opa_url.c_str() << dendl;
+
+  /* get authentication token for OPA */
+  const string& opa_token = s->cct->_conf->rgw_opa_token;
+
+  int ret;
+  bufferlist bl;
+  RGWHTTPTransceiver req(s->cct, "POST", opa_url.c_str(), &bl);
+
+  /* set required headers for OPA request */
+  req.append_header("X-Auth-Token", opa_token);
+  req.append_header("Content-Type", "application/json");
+
+  /* check if we want to verify OPA server SSL certificate */
+  req.set_verify_ssl(s->cct->_conf->rgw_opa_verify_ssl);
+
+  /* create json request body */
+  JSONFormatter jf;
+  jf.open_object_section("");
+  jf.open_object_section("input");
+  jf.dump_string("method", s->info.env->get("REQUEST_METHOD"));
+  jf.dump_string("relative_uri", s->relative_uri.c_str());
+  jf.dump_string("decoded_uri", s->decoded_uri.c_str());
+  jf.dump_string("params", s->info.request_params.c_str());
+  jf.dump_string("request_uri_aws4", s->info.request_uri_aws4.c_str());
+  jf.dump_string("object_name", s->object.name.c_str());
+  jf.dump_object("user_info", *s->user);
+  jf.dump_object("bucket_info", s->bucket_info);
+  jf.close_section();
+  jf.close_section();
+
+  std::stringstream ss;
+  jf.flush(ss);
+  req.set_post_data(ss.str());
+  req.set_send_length(ss.str().length());
+
+  /* send request */
+  ret = req.process();
+  if (ret < 0) {
+    ldpp_dout(op, 2) << "OPA process error:" << bl.c_str() << dendl;
+    return ret;
+  }
+
+  /* check OPA response */
+  JSONParser parser;
+  if (!parser.parse(bl.c_str(), bl.length())) {
+    ldpp_dout(op, 2) << "OPA parse error: malformed json" << dendl;
+    return -EINVAL;
+  }
+
+  bool opa_result;
+  JSONDecoder::decode_json("result", opa_result, &parser);
+
+  if (opa_result == false) {
+    ldpp_dout(op, 2) << "OPA rejecting request" << dendl;
+    return -EPERM;
+  }
+
+  ldpp_dout(op, 2) << "OPA accepting request" << dendl;
+  return 0;
+}
author	Ashutosh Narkar <anarkar4387@gmail.com>	2018-05-31 01:49:30 +0200
committer	Ashutosh Narkar <anarkar4387@gmail.com>	2018-07-25 10:20:34 +0200
commit	631a036a6b02d30d12d0a1c6cae25c9aa0c38af1 (patch)
tree	72431dfb6fdaf7965f31e4afa44bf03e4c148793 /src/rgw/rgw_opa.cc
parent	Merge pull request #22996 from batrick/mds-state-dot (diff)
download	ceph-631a036a6b02d30d12d0a1c6cae25c9aa0c38af1.tar.xz ceph-631a036a6b02d30d12d0a1c6cae25c9aa0c38af1.zip