RGW: When using Keystone auth for RGW, include the Keystone user in ops log

AliMasarweh · AliMasarweh · commit 47166556c5bb · 2025-04-21T15:56:03.000+03:00
Signed-off-by: Ali Masarwa &lt;ali.saed.masarwa@gmail.com&gt;
Signed-off-by: Ali Masarwa &lt;amasarwa@redhat.com&gt;
diff --git a/qa/workunits/rgw/keystone-service-token.sh b/qa/workunits/rgw/keystone-service-token.sh
@@ -13,6 +13,24 @@
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 # GNU Library Public License for more details.
+#
+<<comment Running this script with vstart should be should have these options
+MON=1 OSD=1 MDS=0 MGR=0 RGW=1 ../src/vstart.sh -n -d -o 'rgw_keystone_accepted_admin_roles="admin"
+	rgw_keystone_accepted_roles="admin,Member"
+	rgw_keystone_admin_domain="Default"
+	rgw_keystone_admin_password="ADMIN"
+	rgw_keystone_admin_project="admin"
+	rgw_keystone_admin_user="admin"
+	rgw_keystone_api_version=3
+	rgw_keystone_expired_token_cache_expiration=10
+	rgw_keystone_implicit_tenants=true
+	rgw_keystone_service_token_accepted_roles="admin"
+	rgw_keystone_service_token_enabled=true
+	rgw_keystone_url="http://localhost:5000"
+	rgw_swift_account_in_url=true
+	rgw_swift_enforce_content_length=true
+	rgw_swift_versioning_enabled=true'
+comment
 
 source $CEPH_ROOT/qa/standalone/ceph-helpers.sh
 
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
@@ -782,6 +782,7 @@ bool rgw::auth::WebIdentityApplier::is_identity(const Principal& p) const
 
 const std::string rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER;
 const std::string rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY;
+const std::string rgw::auth::RemoteApplier::AuthInfo::NO_KEYSTONE_USER;
 
 /* rgw::auth::RemoteAuthApplier */
 ACLOwner rgw::auth::RemoteApplier::get_aclowner() const
@@ -954,6 +955,7 @@ void rgw::auth::RemoteApplier::write_ops_log_entry(rgw_log_entry& entry) const
   if (account) {
     entry.account_id = account->id;
   }
+  entry.user = info.keystone_user;
 }
 
 /* TODO(rzarzynski): we need to handle display_name changes. */
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
@@ -590,6 +590,7 @@ class RemoteApplier : public IdentityApplier {
     const uint32_t acct_type;
     const std::string access_key_id;
     const std::string subuser;
+    const std::string keystone_user;
 
   public:
     enum class acct_privilege_t {
@@ -599,21 +600,24 @@ class RemoteApplier : public IdentityApplier {
 
     static const std::string NO_SUBUSER;
     static const std::string NO_ACCESS_KEY;
+    static const std::string NO_KEYSTONE_USER;
 
     AuthInfo(const rgw_user& acct_user,
              const std::string& acct_name,
              const uint32_t perm_mask,
              const acct_privilege_t level,
              const std::string access_key_id,
              const std::string subuser,
+             const std::string keystone_user,
              const uint32_t acct_type=TYPE_NONE)
     : acct_user(acct_user),
       acct_name(acct_name),
       perm_mask(perm_mask),
       is_admin(acct_privilege_t::IS_ADMIN_ACCT == level),
       acct_type(acct_type),
       access_key_id(access_key_id),
-      subuser(subuser) {
+      subuser(subuser),
+      keystone_user(keystone_user) {
     }
   };
 
diff --git a/src/rgw/rgw_auth_keystone.cc b/src/rgw/rgw_auth_keystone.cc
@@ -159,6 +159,7 @@ TokenEngine::get_creds_info(const TokenEngine::token_envelope_t& token
     level,
     rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY,
     rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
+    token.get_user_name(),
     TYPE_KEYSTONE
 };
 }
@@ -665,6 +666,7 @@ EC2Engine::get_creds_info(const EC2Engine::token_envelope_t& token,
     level,
     access_key_id,
     rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
+    token.get_user_name(),
     TYPE_KEYSTONE
   };
 }
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
@@ -6749,6 +6749,7 @@ rgw::auth::s3::LDAPEngine::get_creds_info(const rgw::RGWToken& token) const noex
     acct_privilege_t::IS_PLAIN_ACCT,
     rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY,
     rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
+    rgw::auth::RemoteApplier::AuthInfo::NO_KEYSTONE_USER,
     TYPE_LDAP
   };
 }
@@ -6893,6 +6894,7 @@ rgw::auth::s3::STSEngine::get_creds_info(const STS::SessionToken& token) const n
     (token.is_admin) ? acct_privilege_t::IS_ADMIN_ACCT: acct_privilege_t::IS_PLAIN_ACCT,
     token.access_key_id,
     rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER,
+    rgw::auth::RemoteApplier::AuthInfo::NO_KEYSTONE_USER,
     token.acct_type
   };
 }

Original file line number	Diff line number	Diff line change
`@@ -782,6 +782,7 @@ bool rgw::auth::WebIdentityApplier::is_identity(const Principal& p) const`
`782`	`782`
`783`	`783`	`const std::string rgw::auth::RemoteApplier::AuthInfo::NO_SUBUSER;`
`784`	`784`	`const std::string rgw::auth::RemoteApplier::AuthInfo::NO_ACCESS_KEY;`
	`785`	`+const std::string rgw::auth::RemoteApplier::AuthInfo::NO_KEYSTONE_USER;`
`785`	`786`
`786`	`787`	`/* rgw::auth::RemoteAuthApplier */`
`787`	`788`	`ACLOwner rgw::auth::RemoteApplier::get_aclowner() const`
`@@ -954,6 +955,7 @@ void rgw::auth::RemoteApplier::write_ops_log_entry(rgw_log_entry& entry) const`
`954`	`955`	`if (account) {`
`955`	`956`	`entry.account_id = account->id;`
`956`	`957`	`}`
	`958`	`+ entry.user = info.keystone_user;`
`957`	`959`	`}`
`958`	`960`
`959`	`961`	`/* TODO(rzarzynski): we need to handle display_name changes. */`