rgw: Add subuser to OPA request

Signed-off-by: Seena Fallah <[email protected]>
mfoliveira · Apr 8, 2020 · 793aaaa · 793aaaa
1 parent 8e093e5
commit 793aaaa
Show file tree

Hide file tree

Showing 6 changed files with 25 additions and 0 deletions.
diff --git a/doc/radosgw/opa.rst b/doc/radosgw/opa.rst
@@ -46,6 +46,7 @@ Example request::
    {
        "input": {
            "method": "GET",
+           "subuser": "subuser",
            "user_info": {
                "user_id": "john",
                "display_name": "John"  

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
@@ -92,6 +92,10 @@ transform_old_authinfo(CephContext* const cct,
       return {};
     }
 
+    string get_subuser() const override {
+      return {};
+    }
+
     void to_str(std::ostream& out) const override {
       out << "RGWDummyIdentityApplier(auth_id=" << id
           << ", perm_mask=" << perm_mask

diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
@@ -76,6 +76,9 @@ class Identity {
 
   /* Name of Account */
   virtual string get_acct_name() const = 0;
+
+  /* Subuser of Account */
+  virtual string get_subuser() const = 0;
 };
 
 inline std::ostream& operator<<(std::ostream& out,
@@ -410,6 +413,10 @@ class WebIdentityApplier : public IdentityApplier {
     return token_claims.user_name;
   }
 
+  string get_subuser() const override {
+    return {};
+  }
+
   struct Factory {
     virtual ~Factory() {}
 
@@ -541,6 +548,7 @@ class RemoteApplier : public IdentityApplier {
   void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
   uint32_t get_identity_type() const override { return info.acct_type; }
   string get_acct_name() const override { return info.acct_name; }
+  string get_subuser() const override { return {}; }
 
   struct Factory {
     virtual ~Factory() {}
@@ -602,6 +610,7 @@ class LocalApplier : public IdentityApplier {
   void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
   uint32_t get_identity_type() const override { return TYPE_RGW; }
   string get_acct_name() const override { return {}; }
+  string get_subuser() const override { return subuser; }
 
   struct Factory {
     virtual ~Factory() {}
@@ -646,6 +655,7 @@ class RoleApplier : public IdentityApplier {
   void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */
   uint32_t get_identity_type() const override { return TYPE_ROLE; }
   string get_acct_name() const override { return {}; }
+  string get_subuser() const override { return {}; }
   void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override;
 
   struct Factory {

diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h
@@ -88,6 +88,10 @@ class DecoratedApplier : public rgw::auth::IdentityApplier {
     return get_decoratee().get_acct_name();
   }
 
+  string get_subuser() const override {
+    return get_decoratee().get_subuser();
+  }
+
   bool is_identity(
     const boost::container::flat_set<Principal>& ids) const override {
     return get_decoratee().is_identity(ids);

diff --git a/src/rgw/rgw_opa.cc b/src/rgw/rgw_opa.cc
@@ -45,6 +45,7 @@ int rgw_opa_authorize(RGWOp *& op,
   jf.dump_string("params", s->info.request_params.c_str());
   jf.dump_string("request_uri_aws4", s->info.request_uri_aws4.c_str());
   jf.dump_string("object_name", s->object.name.c_str());
+  jf.dump_string("subuser", s->auth.identity->get_subuser().c_str());
   jf.dump_object("user_info", s->user->get_info());
   jf.dump_object("bucket_info", s->bucket_info);
   jf.close_section();

diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
@@ -128,6 +128,11 @@ class FakeIdentity : public Identity {
     return 0;
   }
 
+  string get_subuser() const override {
+    abort();
+    return 0;
+  }
+
   void to_str(std::ostream& out) const override {
     out << id;
   }