diff --git a/doc/radosgw/opa.rst b/doc/radosgw/opa.rst index ef26a74ad8f..f1b76b5ef78 100644 --- a/doc/radosgw/opa.rst +++ b/doc/radosgw/opa.rst @@ -46,6 +46,7 @@ Example request:: { "input": { "method": "GET", + "subuser": "subuser", "user_info": { "user_id": "john", "display_name": "John" diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc index 45e44e89fce..d5415da830e 100644 --- a/src/rgw/rgw_auth.cc +++ b/src/rgw/rgw_auth.cc @@ -93,6 +93,10 @@ transform_old_authinfo(CephContext* const cct, return {}; } + string get_subuser() const override { + return {}; + } + void to_str(std::ostream& out) const override { out << "RGWDummyIdentityApplier(auth_id=" << id << ", perm_mask=" << perm_mask diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h index b970f923572..6a02f8d201b 100644 --- a/src/rgw/rgw_auth.h +++ b/src/rgw/rgw_auth.h @@ -76,6 +76,9 @@ public: /* Name of Account */ virtual string get_acct_name() const = 0; + + /* Subuser of Account */ + virtual string get_subuser() const = 0; }; inline std::ostream& operator<<(std::ostream& out, @@ -413,6 +416,10 @@ public: return token_claims.user_name; } + string get_subuser() const override { + return {}; + } + struct Factory { virtual ~Factory() {} @@ -546,6 +553,7 @@ public: void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */ uint32_t get_identity_type() const override { return info.acct_type; } string get_acct_name() const override { return info.acct_name; } + string get_subuser() const override { return {}; } struct Factory { virtual ~Factory() {} @@ -607,6 +615,7 @@ public: void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */ uint32_t get_identity_type() const override { return TYPE_RGW; } string get_acct_name() const override { return {}; } + string get_subuser() const override { return subuser; } struct Factory { virtual ~Factory() {} 
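Review bot: The new pure virtual `get_subuser()` in rgw_auth.h (hunk at -76) carries only `/* Subuser of Account */`, which does not say what a caller receives when the identity is not a subuser; every override added in this commit except the one at -607 returns an empty string, and rgw_opa.cc forwards that value to the policy engine, so a policy author cannot tell "no subuser" from an unnamed one unless the interface states it. I would replace the comment with `/* Subuser of the Account; empty string when the identity is not a subuser (STS, Keystone, role and dummy appliers) */`. Because the method is pure virtual, any Identity implementation outside this tree stops compiling until it adds the override, which is worth a sentence in the commit message if such appliers exist.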
@@ -660,6 +669,7 @@ public: void load_acct_info(const DoutPrefixProvider* dpp, RGWUserInfo& user_info) const override; /* out */ uint32_t get_identity_type() const override { return TYPE_ROLE; } string get_acct_name() const override { return {}; } + string get_subuser() const override { return {}; } void modify_request_state(const DoutPrefixProvider* dpp, req_state* s) const override; struct Factory { diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h index 228d2cde697..8a5bf80644a 100644 --- a/src/rgw/rgw_auth_filters.h +++ b/src/rgw/rgw_auth_filters.h @@ -88,6 +88,10 @@ public: return get_decoratee().get_acct_name(); } + string get_subuser() const override { + return get_decoratee().get_subuser(); + } + bool is_identity( const boost::container::flat_set& ids) const override { return get_decoratee().is_identity(ids); diff --git a/src/rgw/rgw_opa.cc b/src/rgw/rgw_opa.cc index 79ba8784d04..96cc5841c1d 100644 --- a/src/rgw/rgw_opa.cc +++ b/src/rgw/rgw_opa.cc @@ -45,6 +45,7 @@ int rgw_opa_authorize(RGWOp *& op, jf.dump_string("params", s->info.request_params.c_str()); jf.dump_string("request_uri_aws4", s->info.request_uri_aws4.c_str()); jf.dump_string("object_name", s->object.name.c_str()); + jf.dump_string("subuser", s->auth.identity->get_subuser().c_str()); jf.dump_object("user_info", s->user->get_info()); jf.dump_object("bucket_info", s->bucket_info); jf.close_section(); diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc index 335daa6980b..9f8e585cdf1 100644 --- a/src/test/rgw/test_rgw_iam_policy.cc +++ b/src/test/rgw/test_rgw_iam_policy.cc @@ -128,6 +128,11 @@ public: return 0; } + string get_subuser() const override { + abort(); + return 0; + } + void to_str(std::ostream& out) const override { out << id; }
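Review bot: The added `jf.dump_string("subuser", s->auth.identity->get_subuser().c_str());` in rgw_opa.cc dereferences `s->auth.identity` without a check, whereas the neighbouring lines only read `s->info`, `s->object`, `s->user` and `s->bucket_info`; if this hook can ever run for a request whose identity was not populated (the caller is outside the hunk, so this is inferred), that is a null dereference before the OPA call, and a guard or a comment stating the precondition would settle it. The `.c_str()` is also unnecessary if `dump_string` takes a `std::string_view` or `const std::string&`: `get_subuser()` returns a `std::string` by value, so `jf.dump_string("subuser", s->auth.identity->get_subuser());` avoids the extra strlen on the temporary (the existing lines only match it in form). Since most appliers return an empty subuser, a comment above the line such as `// empty when the caller did not authenticate as a subuser` documents what the OPA input field means. The enclosing `rgw_opa_authorize` starts before and ends after the hunk.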
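Review bot: In the new `get_subuser()` override in test_rgw_iam_policy.cc, `return 0;` following `abort();` constructs a `std::string` from a null `const char*`, which is undefined behaviour if the line were ever reached; it is dead code today only because `abort()` does not return. The production overrides in this commit use `return {};`, and the fake should do the same: `string get_subuser() const override { abort(); return {}; }`. The enclosing fake identity class begins before the hunk and continues after it.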