authorTobias Urdin <tobias.urdin@binero.se>2022-05-02 11:48:15 +0200
committerTobias Urdin <tobias.urdin@binero.se>2022-09-21 22:33:29 +0200
commit7ead219d726f63f55d793ebb0c059acbb310a15e (patch)
tree8e0ad39b53146d1c789aa2e2010af5820ec8b296 /src
parentrgw/auth: Set see_also backreferences for service token opts (diff)
downloadceph-7ead219d726f63f55d793ebb0c059acbb310a15e.tar.xz
ceph-7ead219d726f63f55d793ebb0c059acbb310a15e.zip
rgw/auth: Deny request if service token does not have accepted roles
The default behavior should be that an invalid service token causes the request to be denied, even though the X-Auth-Token has not been checked yet. This is not strictly required, but it matches the behavior of the other services that use keystonemiddleware. Signed-off-by: Tobias Urdin <tobias.urdin@binero.com>
Diffstat (limited to 'src')
-rw-r--r--src/rgw/rgw_auth_keystone.cc1
1 files changed, 1 insertions, 0 deletions
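--- a/src/rgw/rgw_auth_keystone.cc
+++ b/src/rgw/rgw_auth_keystone.cc
@@ -300,6 +300,7 @@ TokenEngine::authenticate(const DoutPrefixProvider* dpp,
 if (!allow_expired) {
 ldpp_dout(dpp, 0) << "service token user does not hold a matching role; required roles: "
 << g_conf()->rgw_keystone_service_token_accepted_roles << dendl;
+return result_t::deny(-EPERM);
 }
 }
 }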
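Review bot: The new deny on the `+` line only covers the branch where a validated service token lacks an accepted role; the description says any invalid service token should invalidate the request, but the path where service-token validation itself fails (expired, malformed, or rejected by Keystone) lies outside this hunk, so it should be confirmed that that path also fails closed rather than silently falling through to the X-Auth-Token check. The fail-closed intent is security-relevant and not obvious from the bare `return`, so a why-comment would help the next maintainer: `// Fail closed: a presented service token without an accepted role invalidates the whole request, matching keystonemiddleware.` The log line above already prints the configured accepted roles at level 0 on every mismatch; whether that disclosure at default verbosity is acceptable is existing behaviour, but worth a second look now that the branch is a hard deny. TokenEngine::authenticate starts and ends outside the hunk, so whether `allow_expired` can already be true on entry to this block cannot be checked from here.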