1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
|
#include "common/debug.h"
#include "rgw_common.h"
#include "rgw_user.h"
#include "rgw_acl_swift.h"
using namespace std;
#define dout_subsys ceph_subsys_rgw
#define SWIFT_PERM_READ RGW_PERM_READ_OBJS
#define SWIFT_PERM_WRITE RGW_PERM_WRITE_OBJS
#define SWIFT_GROUP_ALL_USERS ".r:*"
static int parse_list(string& uid_list, vector<string>& uids)
{
char *s = strdup(uid_list.c_str());
if (!s)
return -ENOMEM;
const char *p = strtok(s, " ,");
while (p) {
if (*p) {
string acl = p;
uids.push_back(acl);
}
p = strtok(NULL, " ,");
}
free(s);
return 0;
}
static bool uid_is_public(string& uid)
{
if (uid[0] != '.' || uid[1] != 'r')
return false;
int pos = uid.find(':');
if (pos < 0 || pos == (int)uid.size())
return false;
string sub = uid.substr(0, pos);
string after = uid.substr(pos + 1);
if (after.compare("*") != 0)
return false;
return sub.compare(".r") == 0 ||
sub.compare(".referer") == 0 ||
sub.compare(".referrer") == 0;
}
void RGWAccessControlPolicy_SWIFT::add_grants(RGWRados *store, vector<string>& uids, int perm)
{
vector<string>::iterator iter;
for (iter = uids.begin(); iter != uids.end(); ++iter ) {
ACLGrant grant;
RGWUserInfo grant_user;
string& uid = *iter;
if (uid_is_public(uid)) {
grant.set_group(ACL_GROUP_ALL_USERS, perm);
acl.add_grant(&grant);
} else if (rgw_get_user_info_by_uid(store, uid, grant_user) < 0) {
ldout(cct, 10) << "grant user does not exist:" << uid << dendl;
/* skipping silently */
} else {
grant.set_canon(uid, grant_user.display_name, perm);
acl.add_grant(&grant);
}
}
}
bool RGWAccessControlPolicy_SWIFT::create(RGWRados *store, string& id, string& name, string& read_list, string& write_list)
{
acl.create_default(id, name);
owner.set_id(id);
owner.set_name(name);
if (read_list.size()) {
vector<string> uids;
int r = parse_list(read_list, uids);
if (r < 0) {
ldout(cct, 0) << "ERROR: parse_list returned r=" << r << dendl;
return false;
}
add_grants(store, uids, SWIFT_PERM_READ);
}
if (write_list.size()) {
vector<string> uids;
int r = parse_list(write_list, uids);
if (r < 0) {
ldout(cct, 0) << "ERROR: parse_list returned r=" << r << dendl;
return false;
}
add_grants(store, uids, SWIFT_PERM_WRITE);
}
return true;
}
void RGWAccessControlPolicy_SWIFT::to_str(string& read, string& write)
{
multimap<string, ACLGrant>& m = acl.get_grant_map();
multimap<string, ACLGrant>::iterator iter;
for (iter = m.begin(); iter != m.end(); ++iter) {
ACLGrant& grant = iter->second;
int perm = grant.get_permission().get_permissions();
string id;
if (!grant.get_id(id)) {
if (grant.get_group() != ACL_GROUP_ALL_USERS)
continue;
id = SWIFT_GROUP_ALL_USERS;
}
if (perm & SWIFT_PERM_READ) {
if (!read.empty())
read.append(", ");
read.append(id);
} else if (perm & SWIFT_PERM_WRITE) {
if (!write.empty())
write.append(", ");
write.append(id);
}
}
}
|
