rgw: utilize is_impersonating for forwarded sts requests

clwluvw · clwluvw · commit 995dc6284ea3 · 2025-04-28T19:44:10.000+02:00
With the introduction of is_impersonating in SysReqApplier,
RoleApplier can now use the same mechanism to mark when a request
has been forwarded by a system user on behalf of another role (e.g.,
through STS) to mark it as a system request (s-&gt;system_request).

Signed-off-by: Seena Fallah &lt;seenafallah@gmail.com&gt;
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
@@ -1307,9 +1307,6 @@ void rgw::auth::RoleApplier::modify_request_state(const DoutPrefixProvider *dpp,
   for (auto& it : token_attrs.token_claims) {
     s->token_claims.emplace_back(it);
   }
-  if (is_system_request) {
-    s->system_request = true;
-  }
 }
 
 rgw::auth::Engine::result_t
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
@@ -798,20 +798,17 @@ class RoleApplier : public IdentityApplier {
   rgw::sal::Driver* driver;
   Role role;
   TokenAttrs token_attrs;
-  bool is_system_request;
 
 public:
 
   RoleApplier(CephContext* const cct,
                rgw::sal::Driver* driver,
                const Role& role,
-               const TokenAttrs& token_attrs,
-               bool is_system_request)
+               const TokenAttrs& token_attrs)
     : cct(cct),
       driver(driver),
       role(role),
-      token_attrs(token_attrs),
-      is_system_request(is_system_request) {}
+      token_attrs(token_attrs) {}
 
   ACLOwner get_aclowner() const override;
   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
@@ -847,7 +844,7 @@ class RoleApplier : public IdentityApplier {
                                       const req_state* s,
                                       Role role,
                                       TokenAttrs token_attrs,
-                                      bool is_system_request) const = 0;
+                                      bool is_impersonating) const = 0;
     };
 };
 
diff --git a/src/rgw/rgw_auth_s3.h b/src/rgw/rgw_auth_s3.h
@@ -72,9 +72,9 @@ class STSAuthStrategy : public rgw::auth::Strategy,
                             const req_state* const s,
                             RoleApplier::Role role,
                             RoleApplier::TokenAttrs token_attrs,
-                            bool is_system_request) const override {
+                            bool is_impersonating) const override {
     auto apl = rgw::auth::add_sysreq(cct, driver, s,
-      rgw::auth::RoleApplier(cct, driver, std::move(role), std::move(token_attrs), is_system_request));
+      rgw::auth::RoleApplier(cct, driver, std::move(role), std::move(token_attrs)), is_impersonating);
     return aplptr_t(new decltype(apl)(std::move(apl)));
   }
 
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
@@ -7024,7 +7024,6 @@ rgw::auth::s3::STSEngine::authenticate(
   const req_state* const s,
   optional_yield y) const
 {
-  bool is_system_request{false};
   if (! s->info.args.exists("x-amz-security-token") &&
       ! s->info.env->exists("HTTP_X_AMZ_SECURITY_TOKEN") &&
       s->auth.s3_postobj_creds.x_amz_security_token.empty()) {
@@ -7036,6 +7035,7 @@ rgw::auth::s3::STSEngine::authenticate(
     return result_t::reject(ret);
   }
   //Authentication
+  bool is_impersonating = false;
   std::string secret_access_key;
   //Check if access key is not the same passed in by client
   if (token.access_key_id != _access_key_id) {
@@ -7059,7 +7059,7 @@ rgw::auth::s3::STSEngine::authenticate(
       }
       const RGWAccessKey& k = iter->second;
       secret_access_key = k.key;
-      is_system_request = true;
+      is_impersonating = true;
     } else {
       ldpp_dout(dpp, 0) << "Invalid access key" << dendl;
       return result_t::reject(-EPERM);
@@ -7150,7 +7150,7 @@ rgw::auth::s3::STSEngine::authenticate(
     t_attrs.token_issued_at = std::move(token.issued_at);
     t_attrs.principal_tags = std::move(token.principal_tags);
     auto apl = role_apl_factory->create_apl_role(cct, s, std::move(r),
-                                                 std::move(t_attrs), is_system_request);
+                                                 std::move(t_attrs), is_impersonating);
     return result_t::grant(std::move(apl), completer_factory(token.secret_access_key));
   } else { // This is for all local users of type TYPE_RGW|ROOT|NONE
     if (token.user.empty()) {

Original file line number	Diff line number	Diff line change
`@@ -1307,9 +1307,6 @@ void rgw::auth::RoleApplier::modify_request_state(const DoutPrefixProvider *dpp,`
`1307`	`1307`	`for (auto& it : token_attrs.token_claims) {`
`1308`	`1308`	`s->token_claims.emplace_back(it);`
`1309`	`1309`	`}`
`1310`		`- if (is_system_request) {`
`1311`		`- s->system_request = true;`
`1312`		`- }`
`1313`	`1310`	`}`
`1314`	`1311`
`1315`	`1312`	`rgw::auth::Engine::result_t`