1 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
2 // vim: ts=8 sw=2 smarttab
5 #include "common/errno.h"
6 #include "common/Formatter.h"
7 #include "common/ceph_json.h"
9 #include "include/types.h"
10 #include "rgw_string.h"
12 #include "rgw_common.h"
16 #include "rgw_rest_role.h"
// Tag the ldout() calls in this file with the rgw debug subsystem.
18 #define dout_subsys ceph_subsys_rgw
// Common response path for all role ops. Only the status mapping is visible
// on this page; the rest of the body (lines 21-28) is not shown.
20 void RGWRestRole::send_response()
// Propagate the op's result code into the request state so the reply carries
// the matching error instead of a generic failure.
23 set_req_state_err(s, op_ret);
// Authorization gate for read-only role ops. Two independent checks: the
// caller must be authenticated, and must hold user-level READ permission.
// The return values of both branches are on lines not shown here.
29 int RGWRoleRead::verify_permission()
// Anonymous identities are rejected before any permission lookup.
31 if (s->auth.identity->is_anonymous()) {
35 if (!verify_user_permission(s, RGW_PERM_READ)) {
// Authorization gate for mutating role ops (create/delete/modify/put-policy).
// Same shape as RGWRoleRead::verify_permission but requires RGW_PERM_WRITE.
// The return values of both branches are on lines not shown here.
42 int RGWRoleWrite::verify_permission()
// Anonymous identities are rejected before any permission lookup.
44 if (s->auth.identity->is_anonymous()) {
48 if (!verify_user_permission(s, RGW_PERM_WRITE)) {
// Read CreateRole inputs from the query args. Returns 0 on success (line not
// shown) or a negative error. Only RoleName and the trust policy are required.
55 int RGWCreateRole::get_params()
57 role_name = s->info.args.get("RoleName");
// Path is stored as given; no format check on it is visible on this page.
58 role_path = s->info.args.get("Path");
59 trust_policy = s->info.args.get("AssumeRolePolicyDocument");
61 if (role_name.empty() || trust_policy.empty()) {
62 ldout(s->cct, 20) << "ERROR: one of role name or assume role policy document is empty"
// Caller-supplied trust policy: `p` (declared on a line not shown) only checks
// that it is well-formed JSON here; policy semantics are not validated at this point.
67 if (!p.parse(trust_policy.c_str(), trust_policy.length())) {
68 ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl;
69 return -ERR_MALFORMED_DOC;
// Create the role under the caller's tenant and echo it back in the response.
74 void RGWCreateRole::execute()
// Early return on a get_params() failure is on lines not shown here.
76 op_ret = get_params();
// Scoped to the requesting user's tenant, so a role cannot be created in
// another tenant's namespace.
80 RGWRole role(s->cct, store, role_name, role_path, trust_policy, s->user->user_id.tenant);
// The `true` argument presumably requests an exclusive create — confirm in RGWRole::create.
81 op_ret = role.create(true);
// Translate the storage-level collision into the API-level error code.
83 if (op_ret == -EEXIST) {
84 op_ret = -ERR_ROLE_EXISTS;
88 s->formatter->open_object_section("role");
89 role.dump(s->formatter);
90 s->formatter->close_section();
// Read the DeleteRole input; RoleName is mandatory. Return values are on lines not shown.
94 int RGWDeleteRole::get_params()
96 role_name = s->info.args.get("RoleName");
98 if (role_name.empty()) {
99 ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
// Delete the named role within the caller's tenant.
106 void RGWDeleteRole::execute()
// Early return on a get_params() failure is on lines not shown here.
108 op_ret = get_params();
// Tenant-scoped lookup: a role name from another tenant does not resolve here.
112 RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
113 op_ret = role.delete_obj();
// Map the storage-level "missing object" to the API-level error code.
115 if (op_ret == -ENOENT) {
116 op_ret = -ERR_NO_ROLE_FOUND;
// Read the GetRole input; RoleName is mandatory. Return values are on lines not shown.
120 int RGWGetRole::get_params()
122 role_name = s->info.args.get("RoleName");
124 if (role_name.empty()) {
125 ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
// Load the named role within the caller's tenant and dump it to the response.
132 void RGWGetRole::execute()
// Early return on a get_params() failure is on lines not shown here.
134 op_ret = get_params();
138 RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
// The call that sets op_ret here (lines 139-140) is not shown; presumably a
// role load. ENOENT is translated to the API-level error code.
141 if (op_ret == -ENOENT) {
142 op_ret = -ERR_NO_ROLE_FOUND;
146 s->formatter->open_object_section("role");
147 role.dump(s->formatter);
148 s->formatter->close_section();
// Read the inputs for updating a role's trust policy. Note the trust policy
// arrives as "PolicyDocument" here, whereas RGWCreateRole::get_params reads
// "AssumeRolePolicyDocument". Return values are on lines not shown.
152 int RGWModifyRole::get_params()
154 role_name = s->info.args.get("RoleName");
155 trust_policy = s->info.args.get("PolicyDocument");
157 if (role_name.empty() || trust_policy.empty()) {
158 ldout(s->cct, 20) << "ERROR: One of role name or trust policy is empty"<< dendl;
// Caller-supplied document: `p` (declared on a line not shown) checks JSON
// well-formedness only; the policy's contents are not validated here.
162 if (!p.parse(trust_policy.c_str(), trust_policy.length())) {
163 ldout(s->cct, 20) << "ERROR: failed to parse assume role policy doc" << dendl;
164 return -ERR_MALFORMED_DOC;
// Replace the trust policy of an existing role in the caller's tenant.
170 void RGWModifyRole::execute()
// Early return on a get_params() failure is on lines not shown here.
172 op_ret = get_params();
176 RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
// The call that sets op_ret (line 177) is not shown; presumably a role load.
178 if (op_ret == -ENOENT) {
179 op_ret = -ERR_NO_ROLE_FOUND;
// In-memory change followed by a persist; the new policy is only effective once update() succeeds.
183 role.update_trust_policy(trust_policy);
184 op_ret = role.update();
// Read the optional PathPrefix filter; no validation of it is visible here.
188 int RGWListRoles::get_params()
190 path_prefix = s->info.args.get("PathPrefix");
// List the roles under the caller's tenant that match the path prefix.
195 void RGWListRoles::execute()
// Early return on a get_params() failure is on lines not shown here.
197 op_ret = get_params();
201 vector<RGWRole> result;
// Tenant is passed explicitly, so the listing cannot span tenants.
202 op_ret = RGWRole::get_roles_by_path_prefix(store, s->cct, path_prefix, s->user->user_id.tenant, result);
// The error check between the lookup and the output (lines 203-204) is not shown.
205 s->formatter->open_array_section("Roles");
206 for (const auto& it : result) {
207 s->formatter->open_object_section("role");
208 it.dump(s->formatter);
209 s->formatter->close_section();
211 s->formatter->close_section();
// Read the inputs for attaching an inline permission policy to a role.
// All three arguments are mandatory. Return values are on lines not shown.
215 int RGWPutRolePolicy::get_params()
217 role_name = s->info.args.get("RoleName");
218 policy_name = s->info.args.get("PolicyName");
219 perm_policy = s->info.args.get("PolicyDocument");
221 if (role_name.empty() || policy_name.empty() || perm_policy.empty()) {
222 ldout(s->cct, 20) << "ERROR: One of role name, policy name or perm policy is empty"<< dendl;
// Caller-supplied permission policy: `p` (declared on a line not shown) only
// checks JSON syntax; what the policy grants is not evaluated here.
226 if (!p.parse(perm_policy.c_str(), perm_policy.length())) {
227 ldout(s->cct, 20) << "ERROR: failed to parse perm role policy doc" << dendl;
228 return -ERR_MALFORMED_DOC;
// Attach (or replace) a named permission policy on a role in the caller's tenant.
234 void RGWPutRolePolicy::execute()
// Early return on a get_params() failure is on lines not shown here.
236 op_ret = get_params();
241 RGWRole role(s->cct, store, role_name, s->user->user_id.tenant);
// Lines 242-243 are not shown; presumably the role load and its error check
// live there — confirm the policy is never written to an unloaded role.
244 role.set_perm_policy(policy_name, perm_policy);
245 op_ret = role.update();
// Read the inputs for fetching one inline policy; both are mandatory.
// Return values are on lines not shown.
249 int RGWGetRolePolicy::get_params()
251 role_name = s->info.args.get("RoleName");
252 policy_name = s->info.args.get("PolicyName");
254 if (role_name.empty() || policy_name.empty()) {
255 ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl;
// Return the document of one named permission policy attached to a role.
261 void RGWGetRolePolicy::execute()
// Early return on a get_params() failure is on lines not shown here.
263 op_ret = get_params();
// Uses the global g_ceph_context where the ops above use s->cct; the two are
// presumably the same context here, but it is an inconsistency worth aligning.
268 RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
// The call that sets op_ret (lines 269-270) is not shown; presumably a role load.
271 if (op_ret == -ENOENT) {
272 op_ret = -ERR_NO_ROLE_FOUND;
// Looks the policy up by name; its error check (lines 278-279) is not shown.
277 op_ret = role.get_role_policy(policy_name, perm_policy);
280 s->formatter->open_object_section("GetRolePolicyResult");
281 s->formatter->dump_string("PolicyName", policy_name);
282 s->formatter->dump_string("RoleName", role_name);
283 s->formatter->dump_string("Permission policy", perm_policy);
284 s->formatter->close_section();
// Read the ListRolePolicies input; RoleName is mandatory. Return values are on lines not shown.
289 int RGWListRolePolicies::get_params()
291 role_name = s->info.args.get("RoleName");
293 if (role_name.empty()) {
294 ldout(s->cct, 20) << "ERROR: Role name is empty"<< dendl;
// Emit the names (not the documents) of the inline policies attached to a role.
300 void RGWListRolePolicies::execute()
// Early return on a get_params() failure is on lines not shown here.
302 op_ret = get_params();
// g_ceph_context here vs. s->cct in the earlier ops — see RGWGetRolePolicy::execute.
307 RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
// The call that sets op_ret (lines 308-309) is not shown; presumably a role load.
310 if (op_ret == -ENOENT) {
311 op_ret = -ERR_NO_ROLE_FOUND;
315 std::vector<string> policy_names = role.get_role_policy_names();
316 s->formatter->open_array_section("PolicyNames");
317 for (const auto& it : policy_names) {
318 s->formatter->dump_string("member", it);
320 s->formatter->close_section();
// Read the inputs for detaching one inline policy; both are mandatory.
// Return values are on lines not shown.
324 int RGWDeleteRolePolicy::get_params()
326 role_name = s->info.args.get("RoleName");
327 policy_name = s->info.args.get("PolicyName");
329 if (role_name.empty() || policy_name.empty()) {
330 ldout(s->cct, 20) << "ERROR: One of role name or policy name is empty"<< dendl;
// Remove one named permission policy from a role and persist the change.
// The end of this function is beyond the last line shown on this page.
336 void RGWDeleteRolePolicy::execute()
// Early return on a get_params() failure is on lines not shown here.
338 op_ret = get_params();
// g_ceph_context here vs. s->cct in the earlier ops — see RGWGetRolePolicy::execute.
343 RGWRole role(g_ceph_context, store, role_name, s->user->user_id.tenant);
// The call that sets op_ret (lines 344-345) is not shown; presumably a role load.
346 if (op_ret == -ENOENT) {
347 op_ret = -ERR_NO_ROLE_FOUND;
351 op_ret = role.delete_policy(policy_name);
// NOTE(review): at this point the role itself was found, so ENOENT from
// delete_policy means the *policy* is missing, yet it is reported as
// ERR_NO_ROLE_FOUND; a policy-specific error would be less misleading to callers.
352 if (op_ret == -ENOENT) {
353 op_ret = -ERR_NO_ROLE_FOUND;
// The removal only becomes durable once update() succeeds.
357 op_ret = role.update();