RepoMirrors/ceph
1
0
Fork 0
mirror of https://github.com/ceph/ceph synced 2025-02-20 17:37:29 +00:00
Code Issues Packages Projects Releases Wiki Activity

rgw: add Control::FALLBACK mode to rgw::auth::AuthStrategy.

Browse Source 
Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
This commit is contained in:
Radoslaw Zarzynski 2017-01-11 15:57:40 +01:00
parent aeb26c22c3
commit d912f9e0ae
2 changed files with 12 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/rgw/rgw_auth.cc
View File

@ -522,6 +522,7 @@ RGWAuthApplier::aplptr_t RGWKeystoneAuthEngine::authenticate() const
rgw::auth::Engine::result_t
rgw::auth::Strategy::authenticate(const req_state* const s) const
{
int previous_error = 0;
for (const stack_item_t& kv : auth_stack) {
const rgw::auth::Engine& engine = kv.first;
const auto& policy = kv.second;
@ -529,8 +530,8 @@ rgw::auth::Strategy::authenticate(const req_state* const s) const
rgw::auth::Engine::result_t res;
try {
res = engine.authenticate(s);
} catch (int err) {
/* NOP */
} catch (const int err) {
previous_error = err;
}
const auto& applier = res.first;
@ -544,6 +545,8 @@ rgw::auth::Strategy::authenticate(const req_state* const s) const
case Control::SUFFICIENT:
/* Just try next. */
continue;
case Control::FALLBACK:
throw previous_error;
default:
/* Huh, memory corruption? */
abort();

8
src/rgw/rgw_auth.h
View File

@ -534,7 +534,7 @@ public:
class Strategy : public Engine {
public:
/* Specifiers controlling what happens when an associated engine fails.
* The names and semantic has been borrowed from libpam. */
* The names and semantic has been borrowed mostly from libpam. */
enum class Control {
/* Failure of an engine injected with the REQUISITE specifier aborts
* the whole authentication process immediately. No other engine will
@ -546,6 +546,12 @@ public:
* doesn't abort it - there will be fall-back to following engine
* it the one that failed wasn't the last. */
SUFFICIENT,
/* Like SUFFICIENT with the exception that on failure the reason code
* is not overridden. Instead, it's taken directly from the last tried
* non-FALLBACK engine. If there was no previous non-FALLBACK engine
* in a Strategy, then the result_t::deny(reason = -EACCES) is used. */
FALLBACK,
};
Engine::result_t authenticate(const req_state* s) const override final;