X-Git-Url: https://gerrit.opnfv.org/gerrit/gitweb?a=blobdiff_plain;f=src%2Fceph%2Fsrc%2Frgw%2Frgw_rest_role.cc;fp=src%2Fceph%2Fsrc%2Frgw%2Frgw_rest_role.cc;h=40473fba67f49f94b14f7548ea0d24f11c8d066e;hb=812ff6ca9fcd3e629e49d4328905f33eee8ca3f5;hp=0000000000000000000000000000000000000000;hpb=15280273faafb77777eab341909a3f495cf248d9;p=stor4nfv.git diff --git a/src/ceph/src/rgw/rgw_rest_role.cc b/src/ceph/src/rgw/rgw_rest_role.cc new file mode 100644 index 0000000..40473fb --- /dev/null +++ b/src/ceph/src/rgw/rgw_rest_role.cc @@ -0,0 +1,360 @@ +// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*- +// vim: ts=8 sw=2 smarttab +#include + +#include "common/errno.h" +#include "common/Formatter.h" +#include "common/ceph_json.h" + +#include "include/types.h" +#include "rgw_string.h" + +#include "rgw_common.h" +#include "rgw_op.h" +#include "rgw_rest.h" +#include "rgw_role.h" +#include "rgw_rest_role.h" + +#define dout_subsys ceph_subsys_rgw + +void RGWRestRole::send_response() +{ + if (op_ret) { + set_req_state_err(s, op_ret); + } + dump_errno(s); + end_header(s); +} + +int RGWRoleRead::verify_permission() +{ + if (s->auth.identity->is_anonymous()) { + return -EACCES; + } + + if (!verify_user_permission(s, RGW_PERM_READ)) { + return -EACCES; + } + + return 0; +} + +int RGWRoleWrite::verify_permission() +{ + if (s->auth.identity->is_anonymous()) { + return -EACCES; + } + + if (!verify_user_permission(s, RGW_PERM_WRITE)) { + return -EACCES; + } + + return 0; +} + +int RGWCreateRole::get_params() +{ + role_name = s->info.args.get("RoleName"); + role_path = s->info.args.get("Path"); + trust_policy = s->info.args.get("AssumeRolePolicyDocument"); + + if (role_name.empty() || trust_policy.empty()) { + ldout(s->cct, 20) << "ERROR: one of role name or assume role policy document is empty" + << dendl; + return -EINVAL; + } + JSONParser p; + if (!p.parse(trust_policy.c_str(), trust_policy.length())) { + ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl; + return -ERR_MALFORMED_DOC; + } + return 0; +} + +void RGWCreateRole::execute() +{ + op_ret = get_params(); + if (op_ret < 0) { + return; + } + RGWRole role(s->cct, store, role_name, role_path, trust_policy, s->user->user_id.tenant); + op_ret = role.create(true); + + if (op_ret == -EEXIST) { + op_ret = -ERR_ROLE_EXISTS; + } + + if (op_ret == 0) { + s->formatter->open_object_section("role"); + role.dump(s->formatter); + s->formatter->close_section(); + } +} + +int RGWDeleteRole::get_params() +{ + role_name = s->info.args.get("RoleName"); + + if (role_name.empty()) { + ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl; + return -EINVAL; + } + + return 0; +} + +void RGWDeleteRole::execute() +{ + op_ret = get_params(); + if (op_ret < 0) { + return; + } + RGWRole role(s->cct, store, role_name, s->user->user_id.tenant); + op_ret = role.delete_obj(); + + if (op_ret == -ENOENT) { + op_ret = -ERR_NO_ROLE_FOUND; + } +} + +int RGWGetRole::get_params() +{ + role_name = s->info.args.get("RoleName"); + + if (role_name.empty()) { + ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl; + return -EINVAL; + } + + return 0; +} + +void RGWGetRole::execute() +{ + op_ret = get_params(); + if (op_ret < 0) { + return; + } + RGWRole role(s->cct, store, role_name, s->user->user_id.tenant); + op_ret = role.get(); + + if (op_ret == -ENOENT) { + op_ret = -ERR_NO_ROLE_FOUND; + } + + if (op_ret == 0) { + s->formatter->open_object_section("role"); + role.dump(s->formatter); + s->formatter->close_section(); + } +} + +int RGWModifyRole::get_params() +{ + role_name = s->info.args.get("RoleName"); + trust_policy = s->info.args.get("PolicyDocument"); + + if (role_name.empty() || trust_policy.empty()) { + ldout(s->cct, 20) << "ERROR: One of role name or trust policy is empty"<< dendl; + return -EINVAL; + } + JSONParser p; + if (!p.parse(trust_policy.c_str(), trust_policy.length())) { + ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl; + return -ERR_MALFORMED_DOC; + } + + return 0; +} + +void RGWModifyRole::execute() +{ + op_ret = get_params(); + if (op_ret < 0) { + return; + } + RGWRole role(s->cct, store, role_name, s->user->user_id.tenant); + op_ret = role.get(); + if (op_ret == -ENOENT) { + op_ret = -ERR_NO_ROLE_FOUND; + } + + if (op_ret == 0) { + role.update_trust_policy(trust_policy); + op_ret = role.update(); + } +} + +int RGWListRoles::get_params() +{ + path_prefix = s->info.args.get("PathPrefix"); + + return 0; +} + +void RGWListRoles::execute() +{ + op_ret = get_params(); + if (op_ret < 0) { + return; + } + vector result; + op_ret = RGWRole::get_roles_by_path_prefix(store, s->cct, path_prefix, s->user->user_id.tenant, result); + + if (op_ret == 0) { + s->formatter->open_array_section("Roles"); + for (const auto& it : result) { + s->formatter->open_object_section("role"); + it.dump(s->formatter); + s->formatter->close_section(); + } + s->formatter->close_section(); + } +} + +int RGWPutRolePolicy::get_params() +{ + role_name = s->info.args.get("RoleName"); + policy_name = s->info.args.get("PolicyName"); + perm_policy = s->info.args.get("PolicyDocument"); + + if (role_name.empty() || policy_name.empty() || perm_policy.empty()) { + ldout(s->cct, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl; + return -EINVAL; + } + JSONParser p; + if (!p.parse(perm_policy.c_str(), perm_policy.length())) { + ldout(s->cct, 20) << "ERROR: failed to parse perm role policy doc" << dendl; + return -ERR_MALFORMED_DOC; + } + + return 0; +} + +void RGWPutRolePolicy::execute() +{ + op_ret = get_params(); + if (op_ret < 0) { + return; + } + + RGWRole role(s->cct, store, role_name, s->user->user_id.tenant); + op_ret = role.get(); + if (op_ret == 0) { + role.set_perm_policy(policy_name, perm_policy); + op_ret = role.update(); + } +} + +int RGWGetRolePolicy::get_params() +{ + role_name = s->info.args.get("RoleName"); + policy_name = s->info.args.get("PolicyName"); + + if (role_name.empty() || policy_name.empty()) { + ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl; + return -EINVAL; + } + return 0; +} + +void RGWGetRolePolicy::execute() +{ + op_ret = get_params(); + if (op_ret < 0) { + return; + } + + RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant); + op_ret = role.get(); + + if (op_ret == -ENOENT) { + op_ret = -ERR_NO_ROLE_FOUND; + } + + if (op_ret == 0) { + string perm_policy; + op_ret = role.get_role_policy(policy_name, perm_policy); + + if (op_ret == 0) { + s->formatter->open_object_section("GetRolePolicyResult"); + s->formatter->dump_string("PolicyName", policy_name); + s->formatter->dump_string("RoleName", role_name); + s->formatter->dump_string("Permission policy", perm_policy); + s->formatter->close_section(); + } + } +} + +int RGWListRolePolicies::get_params() +{ + role_name = s->info.args.get("RoleName"); + + if (role_name.empty()) { + ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl; + return -EINVAL; + } + return 0; +} + +void RGWListRolePolicies::execute() +{ + op_ret = get_params(); + if (op_ret < 0) { + return; + } + + RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant); + op_ret = role.get(); + + if (op_ret == -ENOENT) { + op_ret = -ERR_NO_ROLE_FOUND; + } + + if (op_ret == 0) { + std::vector policy_names = role.get_role_policy_names(); + s->formatter->open_array_section("PolicyNames"); + for (const auto& it : policy_names) { + s->formatter->dump_string("member", it); + } + s->formatter->close_section(); + } +} + +int RGWDeleteRolePolicy::get_params() +{ + role_name = s->info.args.get("RoleName"); + policy_name = s->info.args.get("PolicyName"); + + if (role_name.empty() || policy_name.empty()) { + ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl; + return -EINVAL; + } + return 0; +} + +void RGWDeleteRolePolicy::execute() +{ + op_ret = get_params(); + if (op_ret < 0) { + return; + } + + RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant); + op_ret = role.get(); + + if (op_ret == -ENOENT) { + op_ret = -ERR_NO_ROLE_FOUND; + } + + if (op_ret == 0) { + op_ret = role.delete_policy(policy_name); + if (op_ret == -ENOENT) { + op_ret = -ERR_NO_ROLE_FOUND; + } + + if (op_ret == 0) { + op_ret = role.update(); + } + } +}