rgw/auth: add is_root and is_root_of to identities

clwluvw · clwluvw · commit 01caaa3d3764 · 2025-02-18T14:51:00.000+01:00
The is_root() function helps to make sure the identity is either
the root account of the account if there is any ccount linked to the user,
or is the user has full control permission.

The is_root_of() will check whether whether a given identity is the rgw_owner
and is also is_root().

Signed-off-by: Seena Fallah &lt;seenafallah@gmail.com&gt;
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
@@ -246,6 +246,13 @@ static auto transform_old_authinfo(const RGWUserInfo& user,
       return match_owner(o, id, account);
     }
 
+    bool is_root() const override {
+      if (account)
+        return get_identity_type() == TYPE_ROOT;
+
+      return get_perm_mask() == RGW_PERM_FULL_CONTROL;
+    }
+
     bool is_identity(const Principal& p) const override {
       if (p.is_wildcard()) {
         return true;
@@ -838,6 +845,11 @@ bool rgw::auth::RemoteApplier::is_owner_of(const rgw_owner& o) const
   return info.acct_user == *uid;
 }
 
+bool rgw::auth::RemoteApplier::is_root() const
+{
+  return get_perm_mask() == RGW_PERM_FULL_CONTROL;
+}
+
 bool rgw::auth::RemoteApplier::is_identity(const Principal& p) const {
   // We also need to cover cases where rgw_keystone_implicit_tenants
   // was enabled.
@@ -1062,6 +1074,14 @@ bool rgw::auth::LocalApplier::is_owner_of(const rgw_owner& o) const
   return match_owner(o, user_info.user_id, account);
 }
 
+bool rgw::auth::LocalApplier::is_root() const
+{
+  if (account)
+    return get_identity_type() == TYPE_ROOT;
+
+  return get_perm_mask() == RGW_PERM_FULL_CONTROL;
+}
+
 bool rgw::auth::LocalApplier::is_identity(const Principal& p) const {
   if (p.is_wildcard()) {
     return true;
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
@@ -56,6 +56,15 @@ class Identity {
    * On internal error throws rgw::auth::Exception storing the reason. */
   virtual bool is_owner_of(const rgw_owner& o) const = 0;
 
+  /* Verify whether a given identity is the root user. */
+  virtual bool is_root() const = 0;
+
+  /* Verify whether a given identity is the root user and the owner of the
+   * rgw_owner specified in @o. */
+  virtual bool is_root_of(const rgw_owner& o) const {
+    return is_root() && is_owner_of(o);
+  }
+
   /* Return the permission mask that is used to narrow down the set of
    * operations allowed for a given identity. This method reflects the idea
    * of subuser tied to RGWUserInfo. On  error throws rgw::auth::Exception
@@ -477,6 +486,10 @@ class WebIdentityApplier : public IdentityApplier {
 
   bool is_owner_of(const rgw_owner& o) const override;
 
+  bool is_root() const override {
+    return false;
+  }
+
   uint32_t get_perm_mask() const override {
     return RGW_PERM_NONE;
   }
@@ -653,6 +666,7 @@ class RemoteApplier : public IdentityApplier {
   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
   bool is_admin_of(const rgw_owner& o) const override;
   bool is_owner_of(const rgw_owner& o) const override;
+  bool is_root() const override;
   bool is_identity(const Principal& p) const override;
 
   uint32_t get_perm_mask() const override { return info.perm_mask; }
@@ -718,6 +732,7 @@ class LocalApplier : public IdentityApplier {
   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
   bool is_admin_of(const rgw_owner& o) const override;
   bool is_owner_of(const rgw_owner& o) const override;
+  bool is_root() const override;
   bool is_identity(const Principal& p) const override;
   uint32_t get_perm_mask() const override {
     if (this->perm_mask == RGW_PERM_INVALID) {
@@ -798,6 +813,9 @@ class RoleApplier : public IdentityApplier {
     return false;
   }
   bool is_owner_of(const rgw_owner& o) const override;
+  bool is_root() const override {
+    return false;
+  }
   bool is_identity(const Principal& p) const override;
   uint32_t get_perm_mask() const override {
     return RGW_PERM_NONE; 
diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h
@@ -81,6 +81,10 @@ class DecoratedApplier : public rgw::auth::IdentityApplier {
     return get_decoratee().is_owner_of(o);
   }
 
+  bool is_root() const override {
+    return get_decoratee().is_root();
+  }
+
   bool is_anonymous() const override {
     return get_decoratee().is_anonymous();
   }
diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
@@ -168,6 +168,11 @@ class FakeIdentity : public Identity {
     return false;
   }
 
+  bool is_root() const override {
+    ceph_abort();
+    return false;
+  }
+
   virtual uint32_t get_perm_mask() const override {
     ceph_abort();
     return 0;
diff --git a/src/test/rgw/test_rgw_lua.cc b/src/test/rgw/test_rgw_lua.cc
@@ -50,6 +50,10 @@ class FakeIdentity : public Identity {
     return false;
   }
 
+  bool is_root() const override {
+    return false;
+  }
+
   virtual uint32_t get_perm_mask() const override {
     return 0;
   }

Original file line number	Diff line number	Diff line change
`@@ -81,6 +81,10 @@ class DecoratedApplier : public rgw::auth::IdentityApplier {`
`81`	`81`	`return get_decoratee().is_owner_of(o);`
`82`	`82`	`}`
`83`	`83`
	`84`	`+ bool is_root() const override {`
	`85`	`+ return get_decoratee().is_root();`
	`86`	`+ }`
	`87`	`+`
`84`	`88`	`bool is_anonymous() const override {`
`85`	`89`	`return get_decoratee().is_anonymous();`
`86`	`90`	`}`
Original file line number	Diff line number	Diff line change
`@@ -50,6 +50,10 @@ class FakeIdentity : public Identity {`
`50`	`50`	`return false;`
`51`	`51`	`}`
`52`	`52`
	`53`	`+ bool is_root() const override {`
	`54`	`+ return false;`
	`55`	`+ }`
	`56`	`+`
`53`	`57`	`virtual uint32_t get_perm_mask() const override {`
`54`	`58`	`return 0;`
`55`	`59`	`}`