authorCasey Bodley <cbodley@redhat.com>2023-12-17 17:11:13 +0100
committerCasey Bodley <cbodley@redhat.com>2024-04-10 19:09:14 +0200
commit828aa90a2b0070d043c67464a03529105d835db2 (patch)
treeae8a2f67dec6e7fe980c6f0a773328a2daf557bf /src/rgw
parentqa/rgw: create accounts for random s3test users (diff)
rgw: add RGWIdentityType::TYPE_ROOT for account root user
Signed-off-by: Casey Bodley <cbodley@redhat.com>
Diffstat (limited to 'src/rgw')
-rw-r--r--src/rgw/driver/rados/rgw_data_sync.cc2
-rw-r--r--src/rgw/driver/rados/rgw_rest_user.cc10
-rw-r--r--src/rgw/driver/rados/rgw_user.cc21
-rw-r--r--src/rgw/driver/rados/rgw_user.h7
-rw-r--r--src/rgw/rgw_admin.cc7
-rw-r--r--src/rgw/rgw_auth.h2
-rw-r--r--src/rgw/rgw_common.cc5
-rw-r--r--src/rgw/rgw_common.h7
-rw-r--r--src/rgw/rgw_log.cc3
-rw-r--r--src/rgw/rgw_rest_s3.cc2
10 files changed, 58 insertions, 8 deletions
diff --git a/src/rgw/driver/rados/rgw_data_sync.cc b/src/rgw/driver/rados/rgw_data_sync.cc
index 84e13049319..4a57a268f08 100644
--- a/src/rgw/driver/rados/rgw_data_sync.cc
+++ b/src/rgw/driver/rados/rgw_data_sync.cc
@@ -2650,7 +2650,7 @@ class RGWUserPermHandler {
info->user_info.account_id,
RGW_PERM_FULL_CONTROL,
false, /* system_request? */
- TYPE_RGW);
+ info->user_info.type);
map<string, bufferlist> uattrs;
diff --git a/src/rgw/driver/rados/rgw_rest_user.cc b/src/rgw/driver/rados/rgw_rest_user.cc
index 748a61c3f83..9f3ae2d03aa 100644
--- a/src/rgw/driver/rados/rgw_rest_user.cc
+++ b/src/rgw/driver/rados/rgw_rest_user.cc
@@ -159,6 +159,7 @@ void RGWOp_User_Create::execute(optional_yield y)
bool gen_key;
bool suspended;
bool system;
+ bool account_root = false;
bool exclusive;
int32_t max_buckets;
@@ -181,6 +182,7 @@ void RGWOp_User_Create::execute(optional_yield y)
RESTArgs::get_bool(s, "suspended", false, &suspended);
RESTArgs::get_int32(s, "max-buckets", default_max_buckets, &max_buckets);
RESTArgs::get_bool(s, "system", false, &system);
+ RESTArgs::get_bool(s, "account-root", false, &account_root);
RESTArgs::get_bool(s, "exclusive", false, &exclusive);
RESTArgs::get_string(s, "op-mask", op_mask_str, &op_mask_str);
RESTArgs::get_string(s, "default-placement", default_placement_str, &default_placement_str);
@@ -238,6 +240,9 @@ void RGWOp_User_Create::execute(optional_yield y)
if (s->info.args.exists("system"))
op_state.set_system(system);
+ if (s->info.args.exists("account-root"))
+ op_state.set_account_root(account_root);
+
if (s->info.args.exists("exclusive"))
op_state.set_exclusive(exclusive);
@@ -303,6 +308,7 @@ void RGWOp_User_Modify::execute(optional_yield y)
bool gen_key;
bool suspended;
bool system;
+ bool account_root = false;
bool email_set;
bool quota_set;
int32_t max_buckets;
@@ -322,6 +328,7 @@ void RGWOp_User_Modify::execute(optional_yield y)
RESTArgs::get_string(s, "key-type", key_type_str, &key_type_str);
RESTArgs::get_bool(s, "system", false, &system);
+ RESTArgs::get_bool(s, "account-root", false, &account_root);
RESTArgs::get_string(s, "op-mask", op_mask_str, &op_mask_str);
RESTArgs::get_string(s, "default-placement", default_placement_str, &default_placement_str);
RESTArgs::get_string(s, "placement-tags", placement_tags_str, &placement_tags_str);
@@ -375,6 +382,9 @@ void RGWOp_User_Modify::execute(optional_yield y)
if (s->info.args.exists("system"))
op_state.set_system(system);
+ if (s->info.args.exists("account-root"))
+ op_state.set_account_root(account_root);
+
if (!op_mask_str.empty()) {
uint32_t op_mask;
int ret = rgw_parse_op_type_list(op_mask_str, &op_mask);
diff --git a/src/rgw/driver/rados/rgw_user.cc b/src/rgw/driver/rados/rgw_user.cc
index 1a7d43079b8..cc5cba957ed 100644
--- a/src/rgw/driver/rados/rgw_user.cc
+++ b/src/rgw/driver/rados/rgw_user.cc
@@ -164,7 +164,7 @@ static void dump_user_info(Formatter *f, RGWUserInfo &info,
encode_json("user_quota", info.quota.user_quota, f);
encode_json("temp_url_keys", info.temp_url_keys, f);
- string user_source_type;
+ std::string_view user_source_type;
switch ((RGWIdentityType)info.type) {
case TYPE_RGW:
user_source_type = "rgw";
@@ -178,6 +178,9 @@ static void dump_user_info(Formatter *f, RGWUserInfo &info,
case TYPE_NONE:
user_source_type = "none";
break;
+ case TYPE_ROOT:
+ user_source_type = "root";
+ break;
default:
user_source_type = "none";
break;
@@ -1716,6 +1719,14 @@ int RGWUser::execute_add(const DoutPrefixProvider *dpp, RGWUserAdminOpState& op_
// TODO: change account on user's buckets
}
+ if (op_state.account_root) {
+ if (user_info.account_id.empty()) {
+ set_err_msg(err_msg, "account-root user must belong to an account");
+ return -EINVAL;
+ }
+ user_info.type = TYPE_ROOT;
+ }
+
// update the request
op_state.set_user_info(user_info);
op_state.set_populated();
@@ -2024,6 +2035,14 @@ int RGWUser::execute_modify(const DoutPrefixProvider *dpp, RGWUserAdminOpState&
}
}
+ if (op_state.account_root_specified) {
+ if (op_state.account_root && user_info.account_id.empty()) {
+ set_err_msg(err_msg, "account-root user must belong to an account");
+ return -EINVAL;
+ }
+ user_info.type = op_state.account_root ? TYPE_ROOT : TYPE_RGW;
+ }
+
op_state.set_user_info(user_info);
// if we're supposed to modify keys, do so
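Review bot: Clearing the flag in execute_modify rewrites the stored identity type for every user, not only one that is currently a root user: `user_info.type = op_state.account_root ? TYPE_ROOT : TYPE_RGW;` turns a user whose record still holds TYPE_NONE (the RGWUserInfo constructor default this commit leaves as `type(TYPE_NONE)`) or one of the external types into TYPE_RGW whenever `--account-root=false` is passed. If the intent is only to demote root users, restrict the else branch: `if (op_state.account_root) user_info.type = TYPE_ROOT;` / `else if (user_info.type == TYPE_ROOT) user_info.type = TYPE_RGW;`. The account_id check above it looks right as far as this hunk shows, but whether `user_info.account_id` already reflects an account change requested in the same modify call depends on code outside the hunk. execute_modify starts and ends outside the hunk.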
diff --git a/src/rgw/driver/rados/rgw_user.h b/src/rgw/driver/rados/rgw_user.h
index 906917e01e6..463857899db 100644
--- a/src/rgw/driver/rados/rgw_user.h
+++ b/src/rgw/driver/rados/rgw_user.h
@@ -115,6 +115,7 @@ struct RGWUserAdminOpState {
__u8 suspended{0};
__u8 admin{0};
__u8 system{0};
+ __u8 account_root{0};
__u8 exclusive{0};
__u8 fetch_stats{0};
__u8 sync_stats{0};
@@ -163,6 +164,7 @@ struct RGWUserAdminOpState {
bool suspension_op{false};
bool admin_specified{false};
bool system_specified{false};
+ bool account_root_specified{false};
bool key_op{false};
bool temp_url_key_specified{false};
bool found_by_uid{false};
@@ -295,6 +297,11 @@ struct RGWUserAdminOpState {
system_specified = true;
}
+ void set_account_root(__u8 is_account_root) {
+ account_root = is_account_root;
+ account_root_specified = true;
+ }
+
void set_exclusive(__u8 is_exclusive) {
exclusive = is_exclusive;
}
diff --git a/src/rgw/rgw_admin.cc b/src/rgw/rgw_admin.cc
index c60b068bc7f..092011a4389 100644
--- a/src/rgw/rgw_admin.cc
+++ b/src/rgw/rgw_admin.cc
@@ -3438,6 +3438,8 @@ int main(int argc, const char **argv)
bool admin_specified = false;
int system = false;
bool system_specified = false;
+ int account_root = false;
+ bool account_root_specified = false;
int shard_id = -1;
bool specified_shard_id = false;
string client_id;
@@ -3695,6 +3697,8 @@ int main(int argc, const char **argv)
admin_specified = true;
} else if (ceph_argparse_binary_flag(args, i, &system, NULL, "--system", (char*)NULL)) {
system_specified = true;
+ } else if (ceph_argparse_binary_flag(args, i, &account_root, NULL, "--account-root", (char*)NULL)) {
+ account_root_specified = true;
} else if (ceph_argparse_binary_flag(args, i, &verbose, NULL, "--verbose", (char*)NULL)) {
// do nothing
} else if (ceph_argparse_binary_flag(args, i, &staging, NULL, "--staging", (char*)NULL)) {
@@ -6498,6 +6502,9 @@ int main(int argc, const char **argv)
if (system_specified)
user_op.set_system(system);
+ if (account_root_specified)
+ user_op.set_account_root(account_root);
+
if (set_perm)
user_op.set_perm(perm_mask);
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index aa95ae15496..df5f529e64b 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -701,7 +701,7 @@ public:
}
void to_str(std::ostream& out) const override;
void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
- uint32_t get_identity_type() const override { return TYPE_RGW; }
+ uint32_t get_identity_type() const override { return user_info.type; }
std::string get_acct_name() const override { return {}; }
std::string get_subuser() const override { return subuser; }
const std::string& get_tenant() const override {
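Review bot: `get_identity_type()` now reports whatever `user_info.type` holds, so a locally stored user whose record is still TYPE_NONE (the RGWUserInfo constructor default, and a case the updated rgw_rest_s3.cc comment says reaches this local applier) is no longer reported as TYPE_RGW. Any caller that uses `== TYPE_RGW` to mean "local user" would change behavior for those users, and in the rgw_log.cc hunk a TYPE_NONE identity falls to `default: break` unless a case above that hunk handles it, leaving the ops-log entry without an `authentication_type`; whether such callers exist is not visible here. If the goal is only to surface root users, `return user_info.type == TYPE_ROOT ? TYPE_ROOT : TYPE_RGW;` keeps the old default for everyone else; otherwise a comment on this override should state that the reported type follows the stored record. The enclosing class starts and ends outside the hunk.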
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index f334bdbca21..8b6030aea2e 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -2816,6 +2816,9 @@ void RGWUserInfo::dump(Formatter *f) const
case TYPE_NONE:
user_source_type = "none";
break;
+ case TYPE_ROOT:
+ user_source_type = "root";
+ break;
default:
user_source_type = "none";
break;
@@ -2870,6 +2873,8 @@ void RGWUserInfo::decode_json(JSONObj *obj)
type = TYPE_KEYSTONE;
} else if (user_source_type == "ldap") {
type = TYPE_LDAP;
+ } else if (user_source_type == "root") {
+ type = TYPE_ROOT;
} else if (user_source_type == "none") {
type = TYPE_NONE;
}
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 1e3d5e07bae..d1394476213 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -516,6 +516,7 @@ enum RGWIdentityType
TYPE_LDAP=3,
TYPE_ROLE=4,
TYPE_WEB=5,
+ TYPE_ROOT=6, // account root user
};
void encode_json(const char *name, const rgw_placement_rule& val, ceph::Formatter *f);
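Review bot: The new enumerator's comment says what the value means but not that its number matters. If `type` is stored in the user record (its encode/decode is not visible here) and it is also mapped to the JSON string `"root"` in the rgw_common.cc hunk, renumbering or reusing 6 later would silently change which stored users are treated as account root. Suggest `TYPE_ROOT=6, // account root user; persisted in RGWUserInfo, do not renumber`, hedged to whatever the encoder actually does.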
@@ -573,8 +574,8 @@ struct RGWUserInfo
int32_t max_buckets;
uint32_t op_mask;
RGWUserCaps caps;
- __u8 admin;
- __u8 system;
+ __u8 admin = 0;
+ __u8 system = 0;
rgw_placement_rule default_placement;
std::list<std::string> placement_tags;
std::map<int, std::string> temp_url_keys;
@@ -587,8 +588,6 @@ struct RGWUserInfo
: suspended(0),
max_buckets(RGW_DEFAULT_MAX_BUCKETS),
op_mask(RGW_OP_TYPE_ALL),
- admin(0),
- system(0),
type(TYPE_NONE) {
}
diff --git a/src/rgw/rgw_log.cc b/src/rgw/rgw_log.cc
index 169cac4dd4d..3cf2060e7ed 100644
--- a/src/rgw/rgw_log.cc
+++ b/src/rgw/rgw_log.cc
@@ -303,6 +303,9 @@ void rgw_format_ops_log_entry(struct rgw_log_entry& entry, Formatter *formatter)
case TYPE_ROLE:
formatter->dump_string("authentication_type","STS");
break;
+ case TYPE_ROOT:
+ formatter->dump_string("authentication_type", "Local Account Root");
+ break;
default:
break;
}
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 24bb114987c..97c70befcce 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -6501,7 +6501,7 @@ rgw::auth::s3::STSEngine::authenticate(
t_attrs.principal_tags = std::move(token.principal_tags);
auto apl = role_apl_factory->create_apl_role(cct, s, r, t_attrs);
return result_t::grant(std::move(apl), completer_factory(token.secret_access_key));
- } else { // This is for all local users of type TYPE_RGW or TYPE_NONE
+ } else { // This is for all local users of type TYPE_RGW|ROOT|NONE
string subuser;
auto apl = local_apl_factory->create_apl_local(cct, s, user->get_info(), subuser, token.perm_mask, std::string(_access_key_id));
return result_t::grant(std::move(apl), completer_factory(token.secret_access_key));