authorCasey Bodley <cbodley@redhat.com>2024-03-05 20:28:41 +0100
committerCasey Bodley <cbodley@redhat.com>2024-04-10 19:09:17 +0200
commitb60335997266932f0a2c26fefc128732c66551a1 (patch)
treed4cd75013a1cfc37c18412ee84d37459623bf781 /src/rgw/rgw_rest_iam_user.cc
parentrgw/auth: expose Identity::get_account() (diff)
rgw: link account root to account user index
Account root users were not linked to the account's user index because they're not visible to iam apis like ListUsers. But now that 'account rm' is prevented from deleting the account while users are still present, we want account root users to prevent deletion too. Add root users back to the account user index, but filter them out of the iam user apis.
Signed-off-by: Casey Bodley <cbodley@redhat.com>
Diffstat (limited to 'src/rgw/rgw_rest_iam_user.cc')
-rw-r--r--src/rgw/rgw_rest_iam_user.cc31
1 files changed, 24 insertions, 7 deletions
diff --git a/src/rgw/rgw_rest_iam_user.cc b/src/rgw/rgw_rest_iam_user.cc
index 06c0d5bde08..ae413e6d185 100644
--- a/src/rgw/rgw_rest_iam_user.cc
+++ b/src/rgw/rgw_rest_iam_user.cc
@@ -275,7 +275,9 @@ int RGWGetUser_IAM::init_processing(optional_yield y)
const std::string& tenant = s->auth.identity->get_tenant();
int r = driver->load_account_user_by_name(this, y, account_id,
tenant, username, &user);
- if (r == -ENOENT) {
+ // root user is hidden from user apis
+ const bool is_root = (user && user->get_type() == TYPE_ROOT);
+ if (r == -ENOENT || is_root) {
s->err.message = "No such UserName in the account";
return -ERR_NO_SUCH_ENTITY;
}
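Review bot: The root-user filter is repeated by hand in seven init_processing() handlers (this hunk, plus RGWUpdateUser_IAM, RGWDeleteUser_IAM and the four access-key handlers below), so any handler added later that calls load_account_user_by_name() directly will expose the account root user to reads and, worse, to key creation or deletion. Moving the check into one file-local helper makes hiding the default; the sketch below also clears `user` on the hidden path so a root user object is never left behind for later stages, and it gives a single place to log a rejected request that named the root user. The helper name is new, and the parameter types are assumed from the call sites and need checking against the driver interface; init_processing() starts and ends outside the hunk.

```cpp
// Loads an account user by name for the iam user apis. The account root
// user is reported as -ENOENT so it stays hidden from every caller.
static int load_visible_account_user(const DoutPrefixProvider* dpp,
                                     optional_yield y,
                                     rgw::sal::Driver* driver,
                                     std::string_view account_id,
                                     std::string_view tenant,
                                     std::string_view username,
                                     std::unique_ptr<rgw::sal::User>* user)
{
  int r = driver->load_account_user_by_name(dpp, y, account_id, tenant,
                                            username, user);
  if (*user && (*user)->get_type() == TYPE_ROOT) {
    user->reset(); // never hand the root user back to an iam user api
    return -ENOENT;
  }
  return r;
}

// in each init_processing():
  int r = load_visible_account_user(this, y, driver, account_id,
                                    tenant, username, &user);
  if (r == -ENOENT) {
    // … unchanged: set s->err.message, return -ERR_NO_SUCH_ENTITY …
```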
@@ -375,7 +377,9 @@ int RGWUpdateUser_IAM::init_processing(optional_yield y)
const std::string& tenant = s->auth.identity->get_tenant();
int r = driver->load_account_user_by_name(this, y, account_id,
tenant, username, &user);
- if (r == -ENOENT) {
+ // root user is hidden from user apis
+ const bool is_root = (user && user->get_type() == TYPE_ROOT);
+ if (r == -ENOENT || is_root) {
s->err.message = "No such UserName in the account";
return -ERR_NO_SUCH_ENTITY;
}
@@ -514,7 +518,9 @@ int RGWDeleteUser_IAM::init_processing(optional_yield y)
const std::string& tenant = s->auth.identity->get_tenant();
int r = driver->load_account_user_by_name(this, y, account_id,
tenant, username, &user);
- if (r == -ENOENT) {
+ // root user is hidden from user apis
+ const bool is_root = (user && user->get_type() == TYPE_ROOT);
+ if (r == -ENOENT || is_root) {
s->err.message = "No such UserName in the account";
return -ERR_NO_SUCH_ENTITY;
}
@@ -764,6 +770,9 @@ void RGWListUsers_IAM::send_response_data(std::span<RGWUserInfo> users)
}
for (const auto& info : users) {
+ if (info.type == TYPE_ROOT) {
+ continue; // root user is hidden from user apis
+ }
s->formatter->open_object_section("member");
dump_iam_user(info, s->formatter);
s->formatter->close_section(); // member
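Review bot: Root users are dropped here while the response is written, which looks like it happens after the page of `users` has already been cut to MaxItems, so a page can come back with fewer members than requested, or with none while still marked truncated. Clients that treat an empty page as the end of the list would stop early, and the short page is an observable difference between accounts whose root user falls in that page and those where it does not. If the listing code outside this hunk cannot filter before the page is sized, the behaviour should at least be recorded at the loop, e.g. `// root users are filtered after pagination, so a page may hold fewer than MaxItems members`. send_response_data() starts and ends outside the hunk, so the pagination assumption needs confirming there.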
@@ -838,7 +847,9 @@ int RGWCreateAccessKey_IAM::init_processing(optional_yield y)
const std::string& tenant = s->auth.identity->get_tenant();
int r = driver->load_account_user_by_name(this, y, account_id,
tenant, username, &user);
- if (r == -ENOENT) {
+ // root user is hidden from user apis
+ const bool is_root = (user && user->get_type() == TYPE_ROOT);
+ if (r == -ENOENT || is_root) {
s->err.message = "No such UserName in the account";
return -ERR_NO_SUCH_ENTITY;
}
@@ -1059,7 +1070,9 @@ int RGWUpdateAccessKey_IAM::init_processing(optional_yield y)
const std::string& tenant = s->auth.identity->get_tenant();
int r = driver->load_account_user_by_name(this, y, account_id,
tenant, username, &user);
- if (r == -ENOENT) {
+ // root user is hidden from user apis
+ const bool is_root = (user && user->get_type() == TYPE_ROOT);
+ if (r == -ENOENT || is_root) {
s->err.message = "No such UserName in the account";
return -ERR_NO_SUCH_ENTITY;
}
@@ -1205,7 +1218,9 @@ int RGWDeleteAccessKey_IAM::init_processing(optional_yield y)
const std::string& tenant = s->auth.identity->get_tenant();
int r = driver->load_account_user_by_name(this, y, account_id,
tenant, username, &user);
- if (r == -ENOENT) {
+ // root user is hidden from user apis
+ const bool is_root = (user && user->get_type() == TYPE_ROOT);
+ if (r == -ENOENT || is_root) {
s->err.message = "No such UserName in the account";
return -ERR_NO_SUCH_ENTITY;
}
@@ -1350,7 +1365,9 @@ int RGWListAccessKeys_IAM::init_processing(optional_yield y)
const std::string& tenant = s->auth.identity->get_tenant();
r = driver->load_account_user_by_name(this, y, account_id,
tenant, username, &user);
- if (r == -ENOENT) {
+ // root user is hidden from user apis
+ const bool is_root = (user && user->get_type() == TYPE_ROOT);
+ if (r == -ENOENT || is_root) {
return -ERR_NO_SUCH_ENTITY;
}
return r;
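Review bot: The combined not-found/root branch in RGWListAccessKeys_IAM returns -ERR_NO_SUCH_ENTITY without setting `s->err.message`, while the other six handlers touched by this commit set "No such UserName in the account" first. Both cases inside this handler still produce the same response, so the root user is not distinguishable here, but the error body differs from the sibling APIs for the same condition. Adding `s->err.message = "No such UserName in the account";` before the return would make the responses uniform. The function begins outside the hunk, where `r` is declared.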