PKGBUILDs/extra/ceph/03-Revert-rgw-ldap-fix-ldap-bindpw-parsing.patch

310 lines
9 KiB
Diff
Raw Normal View History

2016-10-30 20:37:21 +00:00
From b1099e8edcda1ab658eaac424bd2e09d6e7cbabd Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Luttringer?= <seblu@seblu.net>
Date: Sun, 9 Oct 2016 01:53:36 +0200
Subject: [PATCH] Revert "rgw ldap: fix ldap bindpw parsing"
This reverts commit fe57aceeb02ad9163feb2d196589b5927cedfa0f.
---
src/rgw/librgw.cc | 6 ++--
src/rgw/rgw_ldap.cc | 35 ---------------------
src/rgw/rgw_ldap.h | 54 ++++++++-------------------------
src/rgw/rgw_rest_s3.cc | 77 +++++++++++------------------------------------
src/test/test_rgw_ldap.cc | 4 +--
5 files changed, 34 insertions(+), 142 deletions(-)
diff --git a/src/rgw/librgw.cc b/src/rgw/librgw.cc
index c476129..37414fc 100644
--- a/src/rgw/librgw.cc
+++ b/src/rgw/librgw.cc
@@ -52,7 +52,6 @@
#include <string.h>
#include <mutex>
-
#define dout_subsys ceph_subsys_rgw
bool global_stop = false;
@@ -470,10 +469,9 @@ namespace rgw {
const string& ldap_searchdn = store->ctx()->_conf->rgw_ldap_searchdn;
const string& ldap_dnattr =
store->ctx()->_conf->rgw_ldap_dnattr;
- std::string ldap_bindpw = parse_rgw_ldap_bindpw(store->ctx());
- ldh = new rgw::LDAPHelper(ldap_uri, ldap_binddn, ldap_bindpw.c_str(),
- ldap_searchdn, ldap_dnattr);
+ ldh = new rgw::LDAPHelper(ldap_uri, ldap_binddn, ldap_searchdn,
+ ldap_dnattr);
ldh->init();
ldh->bind();
diff --git a/src/rgw/rgw_ldap.cc b/src/rgw/rgw_ldap.cc
index 6cca3b8..ac420e3 100644
--- a/src/rgw/rgw_ldap.cc
+++ b/src/rgw/rgw_ldap.cc
@@ -2,38 +2,3 @@
// vim: ts=8 sw=2 smarttab
#include "rgw_ldap.h"
-
-#include "common/ceph_context.h"
-#include "common/common_init.h"
-#include "common/dout.h"
-#include "common/safe_io.h"
-#include <boost/algorithm/string.hpp>
-
-#include "include/assert.h"
-
-#define dout_subsys ceph_subsys_rgw
-
-std::string parse_rgw_ldap_bindpw(CephContext* ctx)
-{
- string ldap_bindpw;
- string ldap_secret = ctx->_conf->rgw_ldap_secret;
-
- if (ldap_secret.empty()) {
- ldout(ctx, 10)
- << __func__ << " LDAP auth no rgw_ldap_secret file found in conf"
- << dendl;
- } else {
- char bindpw[1024];
- memset(bindpw, 0, 1024);
- int pwlen = safe_read_file("" /* base */, ldap_secret.c_str(),
- bindpw, 1023);
- if (pwlen) {
- ldap_bindpw = bindpw;
- boost::algorithm::trim(ldap_bindpw);
- if (ldap_bindpw.back() == '\n')
- ldap_bindpw.pop_back();
- }
- }
-
- return std::move(ldap_bindpw);
-}
diff --git a/src/rgw/rgw_ldap.h b/src/rgw/rgw_ldap.h
index b29e33ad..02eb61e 100644
--- a/src/rgw/rgw_ldap.h
+++ b/src/rgw/rgw_ldap.h
@@ -23,38 +23,27 @@ namespace rgw {
{
std::string uri;
std::string binddn;
- std::string bindpw;
std::string searchdn;
std::string dnattr;
LDAP *ldap;
- bool msad = false; /* TODO: possible future specialization */
public:
- LDAPHelper(std::string _uri, std::string _binddn, std::string _bindpw,
- std::string _searchdn, std::string _dnattr)
- : uri(std::move(_uri)), binddn(std::move(_binddn)),
- bindpw(std::move(_bindpw)), searchdn(_searchdn), dnattr(_dnattr),
- ldap(nullptr) {
+ LDAPHelper(std::string _uri, std::string _binddn, std::string _searchdn,
+ std::string _dnattr)
+ : uri(std::move(_uri)), binddn(std::move(_binddn)), searchdn(_searchdn),
+ dnattr(_dnattr), ldap(nullptr) {
// nothing
}
int init() {
int ret;
ret = ldap_initialize(&ldap, uri.c_str());
- if (ret == LDAP_SUCCESS) {
- unsigned long ldap_ver = LDAP_VERSION3;
- ret = ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION,
- (void*) &ldap_ver);
- }
- if (ret == LDAP_SUCCESS) {
- ret = ldap_set_option(ldap, LDAP_OPT_REFERRALS, LDAP_OPT_OFF);
- }
return (ret == LDAP_SUCCESS) ? ret : -EINVAL;
}
int bind() {
int ret;
- ret = ldap_simple_bind_s(ldap, binddn.c_str(), bindpw.c_str());
+ ret = ldap_simple_bind_s(ldap, nullptr, nullptr);
return (ret == LDAP_SUCCESS) ? ret : -EINVAL;
}
@@ -71,18 +60,11 @@ namespace rgw {
int auth(const std::string uid, const std::string pwd) {
int ret;
std::string filter;
- if (msad) {
- filter = "(&(objectClass=user)(sAMAccountName=";
- filter += uid;
- filter += "))";
- } else {
- /* openldap */
- filter = "(";
- filter += dnattr;
- filter += "=";
- filter += uid;
- filter += ")";
- }
+ filter = "(";
+ filter += dnattr;
+ filter += "=";
+ filter += uid;
+ filter += ")";
char *attrs[] = { const_cast<char*>(dnattr.c_str()), nullptr };
LDAPMessage *answer = nullptr, *entry = nullptr;
ret = ldap_search_s(ldap, searchdn.c_str(), LDAP_SCOPE_SUBTREE,
@@ -113,8 +95,8 @@ namespace rgw {
class LDAPHelper
{
public:
- LDAPHelper(std::string _uri, std::string _binddn, std::string _bindpw,
- std::string _searchdn, std::string _dnattr)
+ LDAPHelper(std::string _uri, std::string _binddn, std::string _searchdn,
+ std::string _dnattr)
{}
int init() {
@@ -135,17 +117,7 @@ namespace rgw {
#endif /* HAVE_OPENLDAP */
-
-} /* namespace rgw */
-
-#include "common/ceph_context.h"
-#include "common/common_init.h"
-#include "common/dout.h"
-#include "common/safe_io.h"
-#include <boost/algorithm/string.hpp>
-#include "include/assert.h"
-
-std::string parse_rgw_ldap_bindpw(CephContext* ctx);
+} /* namespace rgw */
#endif /* RGW_LDAP_H */
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index e9f24f3..bd952db 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -8,8 +8,6 @@
#include "common/Formatter.h"
#include "common/utf8.h"
#include "common/ceph_json.h"
-#include "common/safe_io.h"
-#include <boost/algorithm/string.hpp>
#include "rgw_rest.h"
#include "rgw_rest_s3.h"
@@ -1747,32 +1745,10 @@ int RGWPostObj_ObjStore_S3::get_policy()
s->perm_mask = RGW_PERM_FULL_CONTROL;
}
} else if (store->ctx()->_conf->rgw_s3_auth_use_ldap &&
- (! store->ctx()->_conf->rgw_ldap_uri.empty())) {
-
- ldout(store->ctx(), 15)
- << __func__ << " LDAP auth uri="
- << store->ctx()->_conf->rgw_ldap_uri
- << dendl;
-
+ store->ctx()->_conf->rgw_ldap_uri.empty()) {
RGWToken token{from_base64(s3_access_key)};
- if (! token.valid())
- return -EACCES;
-
rgw::LDAPHelper *ldh = RGW_Auth_S3::get_ldap_ctx(store);
- if (unlikely(!ldh)) {
- ldout(store->ctx(), 0)
- << __func__ << " RGW_Auth_S3::get_ldap_ctx() failed"
- << dendl;
- return -EACCES;
- }
-
- ldout(store->ctx(), 10)
- << __func__ << " try LDAP auth uri="
- << store->ctx()->_conf->rgw_ldap_uri
- << " token.id=" << token.id
- << dendl;
-
- if (ldh->auth(token.id, token.key) != 0)
+ if ((! token.valid()) || ldh->auth(token.id, token.key) != 0)
return -EACCES;
/* ok, succeeded */
@@ -3091,10 +3067,9 @@ void RGW_Auth_S3::init_impl(RGWRados* store)
const string& ldap_searchdn = store->ctx()->_conf->rgw_ldap_searchdn;
const string& ldap_dnattr =
store->ctx()->_conf->rgw_ldap_dnattr;
- std::string ldap_bindpw = parse_rgw_ldap_bindpw(store->ctx());
- ldh = new rgw::LDAPHelper(ldap_uri, ldap_binddn, ldap_bindpw,
- ldap_searchdn, ldap_dnattr);
+ ldh = new rgw::LDAPHelper(ldap_uri, ldap_binddn, ldap_searchdn,
+ ldap_dnattr);
ldh->init();
ldh->bind();
@@ -3935,45 +3910,29 @@ int RGW_Auth_S3::authorize_v2(RGWRados *store, struct req_state *s)
RGW_Auth_S3::init(store);
- ldout(store->ctx(), 15)
- << __func__ << " LDAP auth uri="
- << store->ctx()->_conf->rgw_ldap_uri
- << dendl;
-
RGWToken token{from_base64(auth_id)};
-
- if (! token.valid())
+ if ((! token.valid()) || ldh->auth(token.id, token.key) != 0)
external_auth_result = -EACCES;
else {
- ldout(store->ctx(), 10)
- << __func__ << " try LDAP auth uri="
- << store->ctx()->_conf->rgw_ldap_uri
- << " token.id=" << token.id
- << dendl;
-
- if (ldh->auth(token.id, token.key) != 0)
- external_auth_result = -EACCES;
- else {
- /* ok, succeeded */
- external_auth_result = 0;
+ /* ok, succeeded */
+ external_auth_result = 0;
- /* create local account, if none exists */
- s->user->user_id = token.id;
- s->user->display_name = token.id; // cn?
- int ret = rgw_get_user_info_by_uid(store, s->user->user_id, *(s->user));
+ /* create local account, if none exists */
+ s->user->user_id = token.id;
+ s->user->display_name = token.id; // cn?
+ int ret = rgw_get_user_info_by_uid(store, s->user->user_id, *(s->user));
+ if (ret < 0) {
+ ret = rgw_store_user_info(store, *(s->user), nullptr, nullptr,
+ real_time(), true);
if (ret < 0) {
- ret = rgw_store_user_info(store, *(s->user), nullptr, nullptr,
- real_time(), true);
- if (ret < 0) {
- dout(10) << "NOTICE: failed to store new user's info: ret=" << ret
- << dendl;
- }
+ dout(10) << "NOTICE: failed to store new user's info: ret=" << ret
+ << dendl;
}
+ }
/* set request perms */
s->perm_mask = RGW_PERM_FULL_CONTROL;
- } /* success */
- } /* token */
+ } /* success */
} /* ldap */
/* keystone failed (or not enabled); check if we want to use rados backend */
--
2.10.0