summaryrefslogtreecommitdiffstats
path: root/src/rgw/rgw_common.h
diff options
context:
space:
mode:
Diffstat (limited to 'src/rgw/rgw_common.h')
-rw-r--r--src/rgw/rgw_common.h1842
1 files changed, 1842 insertions, 0 deletions
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
new file mode 100644
index 000000000..648b2e087
--- /dev/null
+++ b/src/rgw/rgw_common.h
@@ -0,0 +1,1842 @@
+// -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:t -*-
+// vim: ts=8 sw=2 smarttab ft=cpp
+
+/*
+ * Ceph - scalable distributed file system
+ *
+ * Copyright (C) 2004-2009 Sage Weil <sage@newdream.net>
+ * Copyright (C) 2015 Yehuda Sadeh <yehuda@redhat.com>
+ *
+ * This is free software; you can redistribute it and/or
+ * modify it under the terms of the GNU Lesser General Public
+ * License version 2.1, as published by the Free Software
+ * Foundation. See file COPYING.
+ *
+ */
+
+#pragma once
+
+#include <array>
+#include <string_view>
+#include <atomic>
+#include <unordered_map>
+
+#include <fmt/format.h>
+
+#include "common/ceph_crypto.h"
+#include "common/random_string.h"
+#include "rgw_acl.h"
+#include "rgw_bucket_layout.h"
+#include "rgw_cors.h"
+#include "rgw_basic_types.h"
+#include "rgw_iam_policy.h"
+#include "rgw_quota_types.h"
+#include "rgw_string.h"
+#include "common/async/yield_context.h"
+#include "rgw_website.h"
+#include "rgw_object_lock.h"
+#include "rgw_tag.h"
+#include "rgw_op_type.h"
+#include "rgw_sync_policy.h"
+#include "cls/version/cls_version_types.h"
+#include "cls/user/cls_user_types.h"
+#include "cls/rgw/cls_rgw_types.h"
+#include "include/rados/librados.hpp"
+#include "rgw_public_access.h"
+#include "common/tracer.h"
+#include "rgw_sal_fwd.h"
+
+namespace ceph {
+ class Formatter;
+}
+
+namespace rgw::sal {
+ using Attrs = std::map<std::string, ceph::buffer::list>;
+}
+
+namespace rgw::lua {
+ class Background;
+}
+
+struct RGWProcessEnv;
+
+using ceph::crypto::MD5;
+
+#define RGW_ATTR_PREFIX "user.rgw."
+
+#define RGW_HTTP_RGWX_ATTR_PREFIX "RGWX_ATTR_"
+#define RGW_HTTP_RGWX_ATTR_PREFIX_OUT "Rgwx-Attr-"
+
+#define RGW_AMZ_PREFIX "x-amz-"
+#define RGW_AMZ_META_PREFIX RGW_AMZ_PREFIX "meta-"
+#define RGW_AMZ_WEBSITE_REDIRECT_LOCATION RGW_AMZ_PREFIX "website-redirect-location"
+#define RGW_AMZ_TAG_COUNT RGW_AMZ_PREFIX "tagging-count"
+
+#define RGW_SYS_PARAM_PREFIX "rgwx-"
+
+#define RGW_ATTR_ACL RGW_ATTR_PREFIX "acl"
+#define RGW_ATTR_RATELIMIT RGW_ATTR_PREFIX "ratelimit"
+#define RGW_ATTR_LC RGW_ATTR_PREFIX "lc"
+#define RGW_ATTR_CORS RGW_ATTR_PREFIX "cors"
+#define RGW_ATTR_ETAG RGW_ATTR_PREFIX "etag"
+#define RGW_ATTR_BUCKETS RGW_ATTR_PREFIX "buckets"
+#define RGW_ATTR_META_PREFIX RGW_ATTR_PREFIX RGW_AMZ_META_PREFIX
+#define RGW_ATTR_CONTENT_TYPE RGW_ATTR_PREFIX "content_type"
+#define RGW_ATTR_CACHE_CONTROL RGW_ATTR_PREFIX "cache_control"
+#define RGW_ATTR_CONTENT_DISP RGW_ATTR_PREFIX "content_disposition"
+#define RGW_ATTR_CONTENT_ENC RGW_ATTR_PREFIX "content_encoding"
+#define RGW_ATTR_CONTENT_LANG RGW_ATTR_PREFIX "content_language"
+#define RGW_ATTR_EXPIRES RGW_ATTR_PREFIX "expires"
+#define RGW_ATTR_DELETE_AT RGW_ATTR_PREFIX "delete_at"
+#define RGW_ATTR_ID_TAG RGW_ATTR_PREFIX "idtag"
+#define RGW_ATTR_TAIL_TAG RGW_ATTR_PREFIX "tail_tag"
+#define RGW_ATTR_SHADOW_OBJ RGW_ATTR_PREFIX "shadow_name"
+#define RGW_ATTR_MANIFEST RGW_ATTR_PREFIX "manifest"
+#define RGW_ATTR_USER_MANIFEST RGW_ATTR_PREFIX "user_manifest"
+#define RGW_ATTR_AMZ_WEBSITE_REDIRECT_LOCATION RGW_ATTR_PREFIX RGW_AMZ_WEBSITE_REDIRECT_LOCATION
+#define RGW_ATTR_SLO_MANIFEST RGW_ATTR_PREFIX "slo_manifest"
+/* Information whether an object is SLO or not must be exposed to
+ * user through custom HTTP header named X-Static-Large-Object. */
+#define RGW_ATTR_SLO_UINDICATOR RGW_ATTR_META_PREFIX "static-large-object"
+#define RGW_ATTR_X_ROBOTS_TAG RGW_ATTR_PREFIX "x-robots-tag"
+#define RGW_ATTR_STORAGE_CLASS RGW_ATTR_PREFIX "storage_class"
+
+/* S3 Object Lock*/
+#define RGW_ATTR_OBJECT_LOCK RGW_ATTR_PREFIX "object-lock"
+#define RGW_ATTR_OBJECT_RETENTION RGW_ATTR_PREFIX "object-retention"
+#define RGW_ATTR_OBJECT_LEGAL_HOLD RGW_ATTR_PREFIX "object-legal-hold"
+
+
+#define RGW_ATTR_PG_VER RGW_ATTR_PREFIX "pg_ver"
+#define RGW_ATTR_SOURCE_ZONE RGW_ATTR_PREFIX "source_zone"
+#define RGW_ATTR_TAGS RGW_ATTR_PREFIX RGW_AMZ_PREFIX "tagging"
+
+#define RGW_ATTR_TEMPURL_KEY1 RGW_ATTR_META_PREFIX "temp-url-key"
+#define RGW_ATTR_TEMPURL_KEY2 RGW_ATTR_META_PREFIX "temp-url-key-2"
+
+/* Account/container quota of the Swift API. */
+#define RGW_ATTR_QUOTA_NOBJS RGW_ATTR_META_PREFIX "quota-count"
+#define RGW_ATTR_QUOTA_MSIZE RGW_ATTR_META_PREFIX "quota-bytes"
+
+/* Static Web Site of Swift API. */
+#define RGW_ATTR_WEB_INDEX RGW_ATTR_META_PREFIX "web-index"
+#define RGW_ATTR_WEB_ERROR RGW_ATTR_META_PREFIX "web-error"
+#define RGW_ATTR_WEB_LISTINGS RGW_ATTR_META_PREFIX "web-listings"
+#define RGW_ATTR_WEB_LIST_CSS RGW_ATTR_META_PREFIX "web-listings-css"
+#define RGW_ATTR_SUBDIR_MARKER RGW_ATTR_META_PREFIX "web-directory-type"
+
+#define RGW_ATTR_OLH_PREFIX RGW_ATTR_PREFIX "olh."
+
+#define RGW_ATTR_OLH_INFO RGW_ATTR_OLH_PREFIX "info"
+#define RGW_ATTR_OLH_VER RGW_ATTR_OLH_PREFIX "ver"
+#define RGW_ATTR_OLH_ID_TAG RGW_ATTR_OLH_PREFIX "idtag"
+#define RGW_ATTR_OLH_PENDING_PREFIX RGW_ATTR_OLH_PREFIX "pending."
+
+#define RGW_ATTR_COMPRESSION RGW_ATTR_PREFIX "compression"
+
+#define RGW_ATTR_APPEND_PART_NUM RGW_ATTR_PREFIX "append_part_num"
+
+/* Attrs to store cloudtier config information. These are used internally
+ * for the replication of cloudtiered objects but not stored as xattrs in
+ * the head object. */
+#define RGW_ATTR_CLOUD_TIER_TYPE RGW_ATTR_PREFIX "cloud_tier_type"
+#define RGW_ATTR_CLOUD_TIER_CONFIG RGW_ATTR_PREFIX "cloud_tier_config"
+
+#define RGW_ATTR_OBJ_REPLICATION_STATUS RGW_ATTR_PREFIX "amz-replication-status"
+#define RGW_ATTR_OBJ_REPLICATION_TRACE RGW_ATTR_PREFIX "replication-trace"
+
+/* IAM Policy */
+#define RGW_ATTR_IAM_POLICY RGW_ATTR_PREFIX "iam-policy"
+#define RGW_ATTR_USER_POLICY RGW_ATTR_PREFIX "user-policy"
+#define RGW_ATTR_PUBLIC_ACCESS RGW_ATTR_PREFIX "public-access"
+
+/* RGW File Attributes */
+#define RGW_ATTR_UNIX_KEY1 RGW_ATTR_PREFIX "unix-key1"
+#define RGW_ATTR_UNIX1 RGW_ATTR_PREFIX "unix1"
+
+#define RGW_ATTR_CRYPT_PREFIX RGW_ATTR_PREFIX "crypt."
+#define RGW_ATTR_CRYPT_MODE RGW_ATTR_CRYPT_PREFIX "mode"
+#define RGW_ATTR_CRYPT_KEYMD5 RGW_ATTR_CRYPT_PREFIX "keymd5"
+#define RGW_ATTR_CRYPT_KEYID RGW_ATTR_CRYPT_PREFIX "keyid"
+#define RGW_ATTR_CRYPT_KEYSEL RGW_ATTR_CRYPT_PREFIX "keysel"
+#define RGW_ATTR_CRYPT_CONTEXT RGW_ATTR_CRYPT_PREFIX "context"
+#define RGW_ATTR_CRYPT_DATAKEY RGW_ATTR_CRYPT_PREFIX "datakey"
+#define RGW_ATTR_CRYPT_PARTS RGW_ATTR_CRYPT_PREFIX "part-lengths"
+
+/* SSE-S3 Encryption Attributes */
+#define RGW_ATTR_BUCKET_ENCRYPTION_PREFIX RGW_ATTR_PREFIX "sse-s3."
+#define RGW_ATTR_BUCKET_ENCRYPTION_POLICY RGW_ATTR_BUCKET_ENCRYPTION_PREFIX "policy"
+#define RGW_ATTR_BUCKET_ENCRYPTION_KEY_ID RGW_ATTR_BUCKET_ENCRYPTION_PREFIX "key-id"
+
+#define RGW_ATTR_TRACE RGW_ATTR_PREFIX "trace"
+
+enum class RGWFormat : int8_t {
+ BAD_FORMAT = -1,
+ PLAIN = 0,
+ XML,
+ JSON,
+ HTML,
+};
+
+static inline const char* to_mime_type(const RGWFormat f)
+{
+ switch (f) {
+ case RGWFormat::XML:
+ return "application/xml";
+ break;
+ case RGWFormat::JSON:
+ return "application/json";
+ break;
+ case RGWFormat::HTML:
+ return "text/html";
+ break;
+ case RGWFormat::PLAIN:
+ return "text/plain";
+ break;
+ default:
+ return "invalid format";
+ }
+}
+
+#define RGW_CAP_READ 0x1
+#define RGW_CAP_WRITE 0x2
+#define RGW_CAP_ALL (RGW_CAP_READ | RGW_CAP_WRITE)
+
+#define RGW_REST_SWIFT 0x1
+#define RGW_REST_SWIFT_AUTH 0x2
+#define RGW_REST_S3 0x4
+#define RGW_REST_WEBSITE 0x8
+#define RGW_REST_STS 0x10
+#define RGW_REST_IAM 0x20
+#define RGW_REST_SNS 0x30
+
+#define RGW_SUSPENDED_USER_AUID (uint64_t)-2
+
+#define RGW_OP_TYPE_READ 0x01
+#define RGW_OP_TYPE_WRITE 0x02
+#define RGW_OP_TYPE_DELETE 0x04
+
+#define RGW_OP_TYPE_MODIFY (RGW_OP_TYPE_WRITE | RGW_OP_TYPE_DELETE)
+#define RGW_OP_TYPE_ALL (RGW_OP_TYPE_READ | RGW_OP_TYPE_WRITE | RGW_OP_TYPE_DELETE)
+
+#define RGW_DEFAULT_MAX_BUCKETS 1000
+
+#define RGW_DEFER_TO_BUCKET_ACLS_RECURSE 1
+#define RGW_DEFER_TO_BUCKET_ACLS_FULL_CONTROL 2
+
+#define STATUS_CREATED 1900
+#define STATUS_ACCEPTED 1901
+#define STATUS_NO_CONTENT 1902
+#define STATUS_PARTIAL_CONTENT 1903
+#define STATUS_REDIRECT 1904
+#define STATUS_NO_APPLY 1905
+#define STATUS_APPLIED 1906
+
+#define ERR_INVALID_BUCKET_NAME 2000
+#define ERR_INVALID_OBJECT_NAME 2001
+#define ERR_NO_SUCH_BUCKET 2002
+#define ERR_METHOD_NOT_ALLOWED 2003
+#define ERR_INVALID_DIGEST 2004
+#define ERR_BAD_DIGEST 2005
+#define ERR_UNRESOLVABLE_EMAIL 2006
+#define ERR_INVALID_PART 2007
+#define ERR_INVALID_PART_ORDER 2008
+#define ERR_NO_SUCH_UPLOAD 2009
+#define ERR_REQUEST_TIMEOUT 2010
+#define ERR_LENGTH_REQUIRED 2011
+#define ERR_REQUEST_TIME_SKEWED 2012
+#define ERR_BUCKET_EXISTS 2013
+#define ERR_BAD_URL 2014
+#define ERR_PRECONDITION_FAILED 2015
+#define ERR_NOT_MODIFIED 2016
+#define ERR_INVALID_UTF8 2017
+#define ERR_UNPROCESSABLE_ENTITY 2018
+#define ERR_TOO_LARGE 2019
+#define ERR_TOO_MANY_BUCKETS 2020
+#define ERR_INVALID_REQUEST 2021
+#define ERR_TOO_SMALL 2022
+#define ERR_NOT_FOUND 2023
+#define ERR_PERMANENT_REDIRECT 2024
+#define ERR_LOCKED 2025
+#define ERR_QUOTA_EXCEEDED 2026
+#define ERR_SIGNATURE_NO_MATCH 2027
+#define ERR_INVALID_ACCESS_KEY 2028
+#define ERR_MALFORMED_XML 2029
+#define ERR_USER_EXIST 2030
+#define ERR_NOT_SLO_MANIFEST 2031
+#define ERR_EMAIL_EXIST 2032
+#define ERR_KEY_EXIST 2033
+#define ERR_INVALID_SECRET_KEY 2034
+#define ERR_INVALID_KEY_TYPE 2035
+#define ERR_INVALID_CAP 2036
+#define ERR_INVALID_TENANT_NAME 2037
+#define ERR_WEBSITE_REDIRECT 2038
+#define ERR_NO_SUCH_WEBSITE_CONFIGURATION 2039
+#define ERR_AMZ_CONTENT_SHA256_MISMATCH 2040
+#define ERR_NO_SUCH_LC 2041
+#define ERR_NO_SUCH_USER 2042
+#define ERR_NO_SUCH_SUBUSER 2043
+#define ERR_MFA_REQUIRED 2044
+#define ERR_NO_SUCH_CORS_CONFIGURATION 2045
+#define ERR_NO_SUCH_OBJECT_LOCK_CONFIGURATION 2046
+#define ERR_INVALID_RETENTION_PERIOD 2047
+#define ERR_NO_SUCH_BUCKET_ENCRYPTION_CONFIGURATION 2048
+#define ERR_USER_SUSPENDED 2100
+#define ERR_INTERNAL_ERROR 2200
+#define ERR_NOT_IMPLEMENTED 2201
+#define ERR_SERVICE_UNAVAILABLE 2202
+#define ERR_ROLE_EXISTS 2203
+#define ERR_MALFORMED_DOC 2204
+#define ERR_NO_ROLE_FOUND 2205
+#define ERR_DELETE_CONFLICT 2206
+#define ERR_NO_SUCH_BUCKET_POLICY 2207
+#define ERR_INVALID_LOCATION_CONSTRAINT 2208
+#define ERR_TAG_CONFLICT 2209
+#define ERR_INVALID_TAG 2210
+#define ERR_ZERO_IN_URL 2211
+#define ERR_MALFORMED_ACL_ERROR 2212
+#define ERR_ZONEGROUP_DEFAULT_PLACEMENT_MISCONFIGURATION 2213
+#define ERR_INVALID_ENCRYPTION_ALGORITHM 2214
+#define ERR_INVALID_CORS_RULES_ERROR 2215
+#define ERR_NO_CORS_FOUND 2216
+#define ERR_INVALID_WEBSITE_ROUTING_RULES_ERROR 2217
+#define ERR_RATE_LIMITED 2218
+#define ERR_POSITION_NOT_EQUAL_TO_LENGTH 2219
+#define ERR_OBJECT_NOT_APPENDABLE 2220
+#define ERR_INVALID_BUCKET_STATE 2221
+#define ERR_INVALID_OBJECT_STATE 2222
+
+#define ERR_BUSY_RESHARDING 2300
+#define ERR_NO_SUCH_ENTITY 2301
+#define ERR_LIMIT_EXCEEDED 2302
+
+// STS Errors
+#define ERR_PACKED_POLICY_TOO_LARGE 2400
+#define ERR_INVALID_IDENTITY_TOKEN 2401
+
+#define ERR_NO_SUCH_TAG_SET 2402
+
+#ifndef UINT32_MAX
+#define UINT32_MAX (0xffffffffu)
+#endif
+
+typedef void *RGWAccessHandle;
+
+/* Helper class used for RGWHTTPArgs parsing */
+class NameVal
+{
+ const std::string str;
+ std::string name;
+ std::string val;
+ public:
+ explicit NameVal(const std::string& nv) : str(nv) {}
+
+ int parse();
+
+ std::string& get_name() { return name; }
+ std::string& get_val() { return val; }
+};
+
+/** Stores the XML arguments associated with the HTTP request in req_state*/
+class RGWHTTPArgs {
+ std::string str, empty_str;
+ std::map<std::string, std::string> val_map;
+ std::map<std::string, std::string> sys_val_map;
+ std::map<std::string, std::string> sub_resources;
+ bool has_resp_modifier = false;
+ bool admin_subresource_added = false;
+ public:
+ RGWHTTPArgs() = default;
+ explicit RGWHTTPArgs(const std::string& s, const DoutPrefixProvider *dpp) {
+ set(s);
+ parse(dpp);
+ }
+
+ /** Set the arguments; as received */
+ void set(const std::string& s) {
+ has_resp_modifier = false;
+ val_map.clear();
+ sub_resources.clear();
+ str = s;
+ }
+ /** parse the received arguments */
+ int parse(const DoutPrefixProvider *dpp);
+ void append(const std::string& name, const std::string& val);
+ void remove(const std::string& name);
+ /** Get the value for a specific argument parameter */
+ const std::string& get(const std::string& name, bool *exists = NULL) const;
+ boost::optional<const std::string&>
+ get_optional(const std::string& name) const;
+ int get_bool(const std::string& name, bool *val, bool *exists) const;
+ int get_bool(const char *name, bool *val, bool *exists) const;
+ void get_bool(const char *name, bool *val, bool def_val) const;
+ int get_int(const char *name, int *val, int def_val) const;
+
+ /** Get the value for specific system argument parameter */
+ std::string sys_get(const std::string& name, bool *exists = nullptr) const;
+
+ /** see if a parameter is contained in this RGWHTTPArgs */
+ bool exists(const char *name) const {
+ return (val_map.find(name) != std::end(val_map));
+ }
+ bool sub_resource_exists(const char *name) const {
+ return (sub_resources.find(name) != std::end(sub_resources));
+ }
+ bool exist_obj_excl_sub_resource() const {
+ const char* const obj_sub_resource[] = {"append", "torrent", "uploadId",
+ "partNumber", "versionId"};
+ for (unsigned i = 0; i != std::size(obj_sub_resource); i++) {
+ if (sub_resource_exists(obj_sub_resource[i])) return true;
+ }
+ return false;
+ }
+
+ std::map<std::string, std::string>& get_params() {
+ return val_map;
+ }
+ const std::map<std::string, std::string>& get_params() const {
+ return val_map;
+ }
+ std::map<std::string, std::string>& get_sys_params() {
+ return sys_val_map;
+ }
+ const std::map<std::string, std::string>& get_sys_params() const {
+ return sys_val_map;
+ }
+ const std::map<std::string, std::string>& get_sub_resources() const {
+ return sub_resources;
+ }
+ unsigned get_num_params() const {
+ return val_map.size();
+ }
+ bool has_response_modifier() const {
+ return has_resp_modifier;
+ }
+ void set_system() { /* make all system params visible */
+ std::map<std::string, std::string>::iterator iter;
+ for (iter = sys_val_map.begin(); iter != sys_val_map.end(); ++iter) {
+ val_map[iter->first] = iter->second;
+ }
+ }
+ const std::string& get_str() {
+ return str;
+ }
+}; // RGWHTTPArgs
+
+const char *rgw_conf_get(const std::map<std::string, std::string, ltstr_nocase>& conf_map, const char *name, const char *def_val);
+boost::optional<const std::string&> rgw_conf_get_optional(const std::map<std::string, std::string, ltstr_nocase>& conf_map, const std::string& name);
+int rgw_conf_get_int(const std::map<std::string, std::string, ltstr_nocase>& conf_map, const char *name, int def_val);
+bool rgw_conf_get_bool(const std::map<std::string, std::string, ltstr_nocase>& conf_map, const char *name, bool def_val);
+
+class RGWEnv;
+
+class RGWConf {
+ friend class RGWEnv;
+ int enable_ops_log;
+ int enable_usage_log;
+ uint8_t defer_to_bucket_acls;
+ void init(CephContext *cct);
+public:
+ RGWConf()
+ : enable_ops_log(1),
+ enable_usage_log(1),
+ defer_to_bucket_acls(0) {
+ }
+};
+
+class RGWEnv {
+ std::map<std::string, std::string, ltstr_nocase> env_map;
+ RGWConf conf;
+public:
+ void init(CephContext *cct);
+ void init(CephContext *cct, char **envp);
+ void set(std::string name, std::string val);
+ const char *get(const char *name, const char *def_val = nullptr) const;
+ boost::optional<const std::string&>
+ get_optional(const std::string& name) const;
+ int get_int(const char *name, int def_val = 0) const;
+ bool get_bool(const char *name, bool def_val = 0);
+ size_t get_size(const char *name, size_t def_val = 0) const;
+ bool exists(const char *name) const;
+ bool exists_prefix(const char *prefix) const;
+ void remove(const char *name);
+ const std::map<std::string, std::string, ltstr_nocase>& get_map() const { return env_map; }
+ int get_enable_ops_log() const {
+ return conf.enable_ops_log;
+ }
+
+ int get_enable_usage_log() const {
+ return conf.enable_usage_log;
+ }
+
+ int get_defer_to_bucket_acls() const {
+ return conf.defer_to_bucket_acls;
+ }
+};
+
+// return true if the connection is secure. this either means that the
+// connection arrived via ssl, or was forwarded as https by a trusted proxy
+bool rgw_transport_is_secure(CephContext *cct, const RGWEnv& env);
+
+enum http_op {
+ OP_GET,
+ OP_PUT,
+ OP_DELETE,
+ OP_HEAD,
+ OP_POST,
+ OP_COPY,
+ OP_OPTIONS,
+ OP_UNKNOWN,
+};
+
+class RGWAccessControlPolicy;
+class JSONObj;
+
+void encode_json(const char *name, const obj_version& v, Formatter *f);
+void encode_json(const char *name, const RGWUserCaps& val, Formatter *f);
+
+void decode_json_obj(obj_version& v, JSONObj *obj);
+
+enum RGWIdentityType
+{
+ TYPE_NONE=0,
+ TYPE_RGW=1,
+ TYPE_KEYSTONE=2,
+ TYPE_LDAP=3,
+ TYPE_ROLE=4,
+ TYPE_WEB=5,
+};
+
+void encode_json(const char *name, const rgw_placement_rule& val, ceph::Formatter *f);
+void decode_json_obj(rgw_placement_rule& v, JSONObj *obj);
+
+inline std::ostream& operator<<(std::ostream& out, const rgw_placement_rule& rule) {
+ return out << rule.to_str();
+}
+
+class RateLimiter;
+struct RGWRateLimitInfo {
+ int64_t max_write_ops;
+ int64_t max_read_ops;
+ int64_t max_write_bytes;
+ int64_t max_read_bytes;
+ bool enabled = false;
+ RGWRateLimitInfo()
+ : max_write_ops(0), max_read_ops(0), max_write_bytes(0), max_read_bytes(0) {}
+
+ void encode(bufferlist& bl) const {
+ ENCODE_START(1, 1, bl);
+ encode(max_write_ops, bl);
+ encode(max_read_ops, bl);
+ encode(max_write_bytes, bl);
+ encode(max_read_bytes, bl);
+ encode(enabled, bl);
+ ENCODE_FINISH(bl);
+ }
+ void decode(bufferlist::const_iterator& bl) {
+ DECODE_START(1, bl);
+ decode(max_write_ops,bl);
+ decode(max_read_ops, bl);
+ decode(max_write_bytes,bl);
+ decode(max_read_bytes, bl);
+ decode(enabled, bl);
+ DECODE_FINISH(bl);
+ }
+
+ void dump(Formatter *f) const;
+
+ void decode_json(JSONObj *obj);
+
+};
+WRITE_CLASS_ENCODER(RGWRateLimitInfo)
+
+struct RGWUserInfo
+{
+ rgw_user user_id;
+ std::string display_name;
+ std::string user_email;
+ std::map<std::string, RGWAccessKey> access_keys;
+ std::map<std::string, RGWAccessKey> swift_keys;
+ std::map<std::string, RGWSubUser> subusers;
+ __u8 suspended;
+ int32_t max_buckets;
+ uint32_t op_mask;
+ RGWUserCaps caps;
+ __u8 admin;
+ __u8 system;
+ rgw_placement_rule default_placement;
+ std::list<std::string> placement_tags;
+ std::map<int, std::string> temp_url_keys;
+ RGWQuota quota;
+ uint32_t type;
+ std::set<std::string> mfa_ids;
+
+ RGWUserInfo()
+ : suspended(0),
+ max_buckets(RGW_DEFAULT_MAX_BUCKETS),
+ op_mask(RGW_OP_TYPE_ALL),
+ admin(0),
+ system(0),
+ type(TYPE_NONE) {
+ }
+
+ RGWAccessKey* get_key(const std::string& access_key) {
+ if (access_keys.empty())
+ return nullptr;
+
+ auto k = access_keys.find(access_key);
+ if (k == access_keys.end())
+ return nullptr;
+ else
+ return &(k->second);
+ }
+
+ void encode(bufferlist& bl) const {
+ ENCODE_START(22, 9, bl);
+ encode((uint64_t)0, bl); // old auid
+ std::string access_key;
+ std::string secret_key;
+ if (!access_keys.empty()) {
+ std::map<std::string, RGWAccessKey>::const_iterator iter = access_keys.begin();
+ const RGWAccessKey& k = iter->second;
+ access_key = k.id;
+ secret_key = k.key;
+ }
+ encode(access_key, bl);
+ encode(secret_key, bl);
+ encode(display_name, bl);
+ encode(user_email, bl);
+ std::string swift_name;
+ std::string swift_key;
+ if (!swift_keys.empty()) {
+ std::map<std::string, RGWAccessKey>::const_iterator iter = swift_keys.begin();
+ const RGWAccessKey& k = iter->second;
+ swift_name = k.id;
+ swift_key = k.key;
+ }
+ encode(swift_name, bl);
+ encode(swift_key, bl);
+ encode(user_id.id, bl);
+ encode(access_keys, bl);
+ encode(subusers, bl);
+ encode(suspended, bl);
+ encode(swift_keys, bl);
+ encode(max_buckets, bl);
+ encode(caps, bl);
+ encode(op_mask, bl);
+ encode(system, bl);
+ encode(default_placement, bl);
+ encode(placement_tags, bl);
+ encode(quota.bucket_quota, bl);
+ encode(temp_url_keys, bl);
+ encode(quota.user_quota, bl);
+ encode(user_id.tenant, bl);
+ encode(admin, bl);
+ encode(type, bl);
+ encode(mfa_ids, bl);
+ {
+ std::string assumed_role_arn; // removed
+ encode(assumed_role_arn, bl);
+ }
+ encode(user_id.ns, bl);
+ ENCODE_FINISH(bl);
+ }
+ void decode(bufferlist::const_iterator& bl) {
+ DECODE_START_LEGACY_COMPAT_LEN_32(22, 9, 9, bl);
+ if (struct_v >= 2) {
+ uint64_t old_auid;
+ decode(old_auid, bl);
+ }
+ std::string access_key;
+ std::string secret_key;
+ decode(access_key, bl);
+ decode(secret_key, bl);
+ if (struct_v < 6) {
+ RGWAccessKey k;
+ k.id = access_key;
+ k.key = secret_key;
+ access_keys[access_key] = k;
+ }
+ decode(display_name, bl);
+ decode(user_email, bl);
+ /* We populate swift_keys map later nowadays, but we have to decode. */
+ std::string swift_name;
+ std::string swift_key;
+ if (struct_v >= 3) decode(swift_name, bl);
+ if (struct_v >= 4) decode(swift_key, bl);
+ if (struct_v >= 5)
+ decode(user_id.id, bl);
+ else
+ user_id.id = access_key;
+ if (struct_v >= 6) {
+ decode(access_keys, bl);
+ decode(subusers, bl);
+ }
+ suspended = 0;
+ if (struct_v >= 7) {
+ decode(suspended, bl);
+ }
+ if (struct_v >= 8) {
+ decode(swift_keys, bl);
+ }
+ if (struct_v >= 10) {
+ decode(max_buckets, bl);
+ } else {
+ max_buckets = RGW_DEFAULT_MAX_BUCKETS;
+ }
+ if (struct_v >= 11) {
+ decode(caps, bl);
+ }
+ if (struct_v >= 12) {
+ decode(op_mask, bl);
+ } else {
+ op_mask = RGW_OP_TYPE_ALL;
+ }
+ if (struct_v >= 13) {
+ decode(system, bl);
+ decode(default_placement, bl);
+ decode(placement_tags, bl); /* tags of allowed placement rules */
+ }
+ if (struct_v >= 14) {
+ decode(quota.bucket_quota, bl);
+ }
+ if (struct_v >= 15) {
+ decode(temp_url_keys, bl);
+ }
+ if (struct_v >= 16) {
+ decode(quota.user_quota, bl);
+ }
+ if (struct_v >= 17) {
+ decode(user_id.tenant, bl);
+ } else {
+ user_id.tenant.clear();
+ }
+ if (struct_v >= 18) {
+ decode(admin, bl);
+ }
+ if (struct_v >= 19) {
+ decode(type, bl);
+ }
+ if (struct_v >= 20) {
+ decode(mfa_ids, bl);
+ }
+ if (struct_v >= 21) {
+ std::string assumed_role_arn; // removed
+ decode(assumed_role_arn, bl);
+ }
+ if (struct_v >= 22) {
+ decode(user_id.ns, bl);
+ } else {
+ user_id.ns.clear();
+ }
+ DECODE_FINISH(bl);
+ }
+ void dump(Formatter *f) const;
+ static void generate_test_instances(std::list<RGWUserInfo*>& o);
+
+ void decode_json(JSONObj *obj);
+};
+WRITE_CLASS_ENCODER(RGWUserInfo)
+
+/// `RGWObjVersionTracker`
+/// ======================
+///
+/// What and why is this?
+/// ---------------------
+///
+/// This is a wrapper around `cls_version` functionality. If two RGWs
+/// (or two non-synchronized threads in the same RGW) are accessing
+/// the same object, they may race and overwrite each other's work.
+///
+/// This class solves this issue by tracking and recording an object's
+/// version in the extended attributes. Operations are failed with
+/// ECANCELED if the version is not what we expect.
+///
+/// How to Use It
+/// -------------
+///
+/// When preparing a read operation, call `prepare_op_for_read`.
+/// For a write, call `prepare_op_for_write` when preparing the
+/// operation, and `apply_write` after it succeeds.
+///
+/// Adhere to the following guidelines:
+///
+/// - Each RGWObjVersionTracker should be used with only one object.
+///
+/// - If you receive `ECANCELED`, throw away whatever you were doing
+/// based on the content of the versioned object, re-read, and
+/// restart as appropriate.
+///
+/// - If one code path uses RGWObjVersionTracker, then they all
+/// should. In a situation where a writer should unconditionally
+/// overwrite an object, call `generate_new_write_ver` on a default
+/// constructed `RGWObjVersionTracker`.
+///
+/// - If we have a version from a previous read, we will check against
+/// it and fail the read if it doesn't match. Thus, if we want to
+/// re-read a new version of the object, call `clear()` on the
+/// `RGWObjVersionTracker`.
+///
+/// - This type is not thread-safe. Every thread must have its own
+/// instance.
+///
+struct RGWObjVersionTracker {
+ obj_version read_version; //< The version read from an object. If
+ // set, this value is used to check the
+ // stored version.
+ obj_version write_version; //< Set the object to this version on
+ // write, if set.
+
+ /// Pointer to the read version.
+ obj_version* version_for_read() {
+ return &read_version;
+ }
+
+ /// If we have a write version, return a pointer to it. Otherwise
+ /// return null. This is used in `prepare_op_for_write` to treat the
+ /// `write_version` as effectively an `option` type.
+ obj_version* version_for_write() {
+ if (write_version.ver == 0)
+ return nullptr;
+
+ return &write_version;
+ }
+
+ /// If read_version is non-empty, return a pointer to it, otherwise
+ /// null. This is used internally by `prepare_op_for_read` and
+ /// `prepare_op_for_write` to treat the `read_version` as
+ /// effectively an `option` type.
+ obj_version* version_for_check() {
+ if (read_version.ver == 0)
+ return nullptr;
+
+ return &read_version;
+ }
+
+ /// This function is to be called on any read operation. If we have
+ /// a non-empty `read_version`, assert on the OSD that the object
+ /// has the same version. Also reads the version into `read_version`.
+ ///
+ /// This function is defined in `rgw_rados.cc` rather than `rgw_common.cc`.
+ void prepare_op_for_read(librados::ObjectReadOperation* op);
+
+ /// This function is to be called on any write operation. If we have
+ /// a non-empty read operation, assert on the OSD that the object
+ /// has the same version. If we have a non-empty `write_version`,
+ /// set the object to it. Otherwise increment the version on the OSD.
+ ///
+ /// This function is defined in `rgw_rados.cc` rather than
+ /// `rgw_common.cc`.
+ void prepare_op_for_write(librados::ObjectWriteOperation* op);
+
+ /// This function is to be called after the completion of any write
+ /// operation on which `prepare_op_for_write` was called. If we did
+ /// not set the write version explicitly, it increments
+ /// `read_version`. If we did, it sets `read_version` to
+ /// `write_version`. In either case, it clears `write_version`.
+ ///
+ /// RADOS write operations, at least those not using the relatively
+ /// new RETURNVEC flag, cannot return more information than an error
+ /// code. Thus, write operations can't simply fill in the read
+ /// version the way read operations can, so prepare_op_for_write`
+ /// instructs the OSD to increment the object as stored in RADOS and
+ /// `apply_write` increments our `read_version` in RAM.
+ ///
+ /// This function is defined in `rgw_rados.cc` rather than
+ /// `rgw_common.cc`.
+ void apply_write();
+
+ /// Clear `read_version` and `write_version`, making the instance
+ /// identical to a default-constructed instance.
+ void clear() {
+ read_version = obj_version();
+ write_version = obj_version();
+ }
+
+ /// Set `write_version` to a new, unique version.
+ ///
+ /// An `obj_version` contains an opaque, random tag and a
+ /// sequence. If the tags of two `obj_version`s don't match, the
+ /// versions are unordered and unequal. This function creates a
+ /// version with a new tag, ensuring that any other process
+ /// operating on the object will receive `ECANCELED` and will know
+ /// to re-read the object and restart whatever it was doing.
+ void generate_new_write_ver(CephContext* cct);
+};
+
+inline std::ostream& operator<<(std::ostream& out, const obj_version &v)
+{
+ out << v.tag << ":" << v.ver;
+ return out;
+}
+
+inline std::ostream& operator<<(std::ostream& out, const RGWObjVersionTracker &ot)
+{
+ out << "{r=" << ot.read_version << ",w=" << ot.write_version << "}";
+ return out;
+}
+
+enum RGWBucketFlags {
+ BUCKET_SUSPENDED = 0x1,
+ BUCKET_VERSIONED = 0x2,
+ BUCKET_VERSIONS_SUSPENDED = 0x4,
+ BUCKET_DATASYNC_DISABLED = 0X8,
+ BUCKET_MFA_ENABLED = 0X10,
+ BUCKET_OBJ_LOCK_ENABLED = 0X20,
+};
+
+class RGWSI_Zone;
+
+struct RGWBucketInfo {
+ rgw_bucket bucket;
+ rgw_user owner;
+ uint32_t flags{0};
+ std::string zonegroup;
+ ceph::real_time creation_time;
+ rgw_placement_rule placement_rule;
+ bool has_instance_obj{false};
+ RGWObjVersionTracker objv_tracker; /* we don't need to serialize this, for runtime tracking */
+ RGWQuotaInfo quota;
+
+ // layout of bucket index objects
+ rgw::BucketLayout layout;
+
+ // Represents the shard number for blind bucket.
+ const static uint32_t NUM_SHARDS_BLIND_BUCKET;
+
+ bool requester_pays{false};
+
+ bool has_website{false};
+ RGWBucketWebsiteConf website_conf;
+
+ bool swift_versioning{false};
+ std::string swift_ver_location;
+
+ std::map<std::string, uint32_t> mdsearch_config;
+
+ // resharding
+ cls_rgw_reshard_status reshard_status{cls_rgw_reshard_status::NOT_RESHARDING};
+ std::string new_bucket_instance_id;
+
+ RGWObjectLock obj_lock;
+
+ std::optional<rgw_sync_policy_info> sync_policy;
+
+ void encode(bufferlist& bl) const;
+ void decode(bufferlist::const_iterator& bl);
+
+ void dump(Formatter *f) const;
+ static void generate_test_instances(std::list<RGWBucketInfo*>& o);
+
+ void decode_json(JSONObj *obj);
+
+ bool versioned() const { return (flags & BUCKET_VERSIONED) != 0; }
+ int versioning_status() const { return flags & (BUCKET_VERSIONED | BUCKET_VERSIONS_SUSPENDED | BUCKET_MFA_ENABLED); }
+ bool versioning_enabled() const { return (versioning_status() & (BUCKET_VERSIONED | BUCKET_VERSIONS_SUSPENDED)) == BUCKET_VERSIONED; }
+ bool mfa_enabled() const { return (versioning_status() & BUCKET_MFA_ENABLED) != 0; }
+ bool datasync_flag_enabled() const { return (flags & BUCKET_DATASYNC_DISABLED) == 0; }
+ bool obj_lock_enabled() const { return (flags & BUCKET_OBJ_LOCK_ENABLED) != 0; }
+
+ bool has_swift_versioning() const {
+ /* A bucket may be versioned through one mechanism only. */
+ return swift_versioning && !versioned();
+ }
+
+ void set_sync_policy(rgw_sync_policy_info&& policy);
+
+ bool empty_sync_policy() const;
+
+ bool is_indexless() const {
+ return rgw::is_layout_indexless(layout.current_index);
+ }
+ const rgw::bucket_index_layout_generation& get_current_index() const {
+ return layout.current_index;
+ }
+ rgw::bucket_index_layout_generation& get_current_index() {
+ return layout.current_index;
+ }
+
+ RGWBucketInfo();
+ ~RGWBucketInfo();
+};
+WRITE_CLASS_ENCODER(RGWBucketInfo)
+
+struct RGWBucketEntryPoint
+{
+ rgw_bucket bucket;
+ rgw_user owner;
+ ceph::real_time creation_time;
+ bool linked;
+
+ bool has_bucket_info;
+ RGWBucketInfo old_bucket_info;
+
+ RGWBucketEntryPoint() : linked(false), has_bucket_info(false) {}
+
+ void encode(bufferlist& bl) const {
+ ENCODE_START(10, 8, bl);
+ encode(bucket, bl);
+ encode(owner.id, bl);
+ encode(linked, bl);
+ uint64_t ctime = (uint64_t)real_clock::to_time_t(creation_time);
+ encode(ctime, bl);
+ encode(owner, bl);
+ encode(creation_time, bl);
+ ENCODE_FINISH(bl);
+ }
+ void decode(bufferlist::const_iterator& bl) {
+ auto orig_iter = bl;
+ DECODE_START_LEGACY_COMPAT_LEN_32(10, 4, 4, bl);
+ if (struct_v < 8) {
+ /* ouch, old entry, contains the bucket info itself */
+ old_bucket_info.decode(orig_iter);
+ has_bucket_info = true;
+ return;
+ }
+ has_bucket_info = false;
+ decode(bucket, bl);
+ decode(owner.id, bl);
+ decode(linked, bl);
+ uint64_t ctime;
+ decode(ctime, bl);
+ if (struct_v < 10) {
+ creation_time = real_clock::from_time_t((time_t)ctime);
+ }
+ if (struct_v >= 9) {
+ decode(owner, bl);
+ }
+ if (struct_v >= 10) {
+ decode(creation_time, bl);
+ }
+ DECODE_FINISH(bl);
+ }
+
+ void dump(Formatter *f) const;
+ void decode_json(JSONObj *obj);
+ static void generate_test_instances(std::list<RGWBucketEntryPoint*>& o);
+};
+WRITE_CLASS_ENCODER(RGWBucketEntryPoint)
+
+struct RGWStorageStats
+{
+ RGWObjCategory category;
+ uint64_t size;
+ uint64_t size_rounded;
+ uint64_t num_objects;
+ uint64_t size_utilized{0}; //< size after compression, encryption
+ bool dump_utilized; // whether dump should include utilized values
+
+ RGWStorageStats(bool _dump_utilized=true)
+ : category(RGWObjCategory::None),
+ size(0),
+ size_rounded(0),
+ num_objects(0),
+ dump_utilized(_dump_utilized)
+ {}
+
+ void dump(Formatter *f) const;
+}; // RGWStorageStats
+
+class RGWEnv;
+
+/* Namespaced forward declarations. */
+namespace rgw {
+ namespace auth {
+ namespace s3 {
+ class AWSBrowserUploadAbstractor;
+ class STSEngine;
+ }
+ class Completer;
+ }
+ namespace io {
+ class BasicClient;
+ }
+}
+
+using meta_map_t = boost::container::flat_map <std::string, std::string>;
+
+struct req_info {
+ const RGWEnv *env;
+ RGWHTTPArgs args;
+ meta_map_t x_meta_map;
+ meta_map_t crypt_attribute_map;
+
+ std::string host;
+ const char *method;
+ std::string script_uri;
+ std::string request_uri;
+ std::string request_uri_aws4;
+ std::string effective_uri;
+ std::string request_params;
+ std::string domain;
+ std::string storage_class;
+
+ req_info(CephContext *cct, const RGWEnv *env);
+ void rebuild_from(req_info& src);
+ void init_meta_info(const DoutPrefixProvider *dpp, bool *found_bad_meta);
+};
+
+struct req_init_state {
+ /* Keeps [[tenant]:]bucket until we parse the token. */
+ std::string url_bucket;
+ std::string src_bucket;
+};
+
+#include "rgw_auth.h"
+
+class RGWObjectCtx;
+
+/** Store all the state necessary to complete and respond to an HTTP request*/
+struct req_state : DoutPrefixProvider {
+ CephContext *cct;
+ const RGWProcessEnv& penv;
+ rgw::io::BasicClient *cio{nullptr};
+ http_op op{OP_UNKNOWN};
+ RGWOpType op_type{};
+ std::shared_ptr<RateLimiter> ratelimit_data;
+ RGWRateLimitInfo user_ratelimit;
+ RGWRateLimitInfo bucket_ratelimit;
+ std::string ratelimit_bucket_marker;
+ std::string ratelimit_user_name;
+ bool content_started{false};
+ RGWFormat format{RGWFormat::PLAIN};
+ ceph::Formatter *formatter{nullptr};
+ std::string decoded_uri;
+ std::string relative_uri;
+ const char *length{nullptr};
+ int64_t content_length{0};
+ std::map<std::string, std::string> generic_attrs;
+ rgw_err err;
+ bool expect_cont{false};
+ uint64_t obj_size{0};
+ bool enable_ops_log;
+ bool enable_usage_log;
+ uint8_t defer_to_bucket_acls;
+ uint32_t perm_mask{0};
+
+ /* Set once when url_bucket is parsed and not violated thereafter. */
+ std::string account_name;
+
+ std::string bucket_tenant;
+ std::string bucket_name;
+
+ /* bucket is only created in rgw_build_bucket_policies() and should never be
+ * overwritten */
+ std::unique_ptr<rgw::sal::Bucket> bucket;
+ std::unique_ptr<rgw::sal::Object> object;
+ std::string src_tenant_name;
+ std::string src_bucket_name;
+ std::unique_ptr<rgw::sal::Object> src_object;
+ ACLOwner bucket_owner;
+ ACLOwner owner;
+
+ std::string zonegroup_name;
+ std::string zonegroup_endpoint;
+ std::string bucket_instance_id;
+ int bucket_instance_shard_id{-1};
+ std::string redirect_zone_endpoint;
+
+ std::string redirect;
+
+ real_time bucket_mtime;
+ std::map<std::string, ceph::bufferlist> bucket_attrs;
+ bool bucket_exists{false};
+ rgw_placement_rule dest_placement;
+
+ bool has_bad_meta{false};
+
+ std::unique_ptr<rgw::sal::User> user;
+
+ struct {
+ /* TODO(rzarzynski): switch out to the static_ptr for both members. */
+
+ /* Object having the knowledge about an authenticated identity and allowing
+ * to apply it during the authorization phase (verify_permission() methods
+ * of a given RGWOp). Thus, it bounds authentication and authorization steps
+ * through a well-defined interface. For more details, see rgw_auth.h. */
+ std::unique_ptr<rgw::auth::Identity> identity;
+
+ std::shared_ptr<rgw::auth::Completer> completer;
+
+ /* A container for credentials of the S3's browser upload. It's necessary
+ * because: 1) the ::authenticate() method of auth engines and strategies
+ * take req_state only; 2) auth strategies live much longer than RGWOps -
+ * there is no way to pass additional data dependencies through ctors. */
+ class {
+ /* Writer. */
+ friend class RGWPostObj_ObjStore_S3;
+ /* Reader. */
+ friend class rgw::auth::s3::AWSBrowserUploadAbstractor;
+ friend class rgw::auth::s3::STSEngine;
+
+ std::string access_key;
+ std::string signature;
+ std::string x_amz_algorithm;
+ std::string x_amz_credential;
+ std::string x_amz_date;
+ std::string x_amz_security_token;
+ ceph::bufferlist encoded_policy;
+ } s3_postobj_creds;
+ } auth;
+
+ std::unique_ptr<RGWAccessControlPolicy> user_acl;
+ std::unique_ptr<RGWAccessControlPolicy> bucket_acl;
+ std::unique_ptr<RGWAccessControlPolicy> object_acl;
+
+ rgw::IAM::Environment env;
+ boost::optional<rgw::IAM::Policy> iam_policy;
+ boost::optional<PublicAccessBlockConfiguration> bucket_access_conf;
+ std::vector<rgw::IAM::Policy> iam_user_policies;
+
+ /* Is the request made by an user marked as a system one?
+ * Being system user means we also have the admin status. */
+ bool system_request{false};
+
+ std::string canned_acl;
+ bool has_acl_header{false};
+ bool local_source{false}; /* source is local */
+
+ int prot_flags{0};
+
+ /* Content-Disposition override for TempURL of Swift API. */
+ struct {
+ std::string override;
+ std::string fallback;
+ } content_disp;
+
+ std::string host_id;
+
+ req_info info;
+ req_init_state init_state;
+
+ using Clock = ceph::coarse_real_clock;
+ Clock::time_point time;
+
+ Clock::duration time_elapsed() const { return Clock::now() - time; }
+
+ std::string dialect;
+ std::string req_id;
+ std::string trans_id;
+ uint64_t id;
+
+ RGWObjTags tagset;
+
+ bool mfa_verified{false};
+
+ /// optional coroutine context
+ optional_yield yield{null_yield};
+
+ //token claims from STS token for ops log (can be used for Keystone token also)
+ std::vector<std::string> token_claims;
+
+ std::vector<rgw::IAM::Policy> session_policies;
+
+ jspan trace;
+ bool trace_enabled = false;
+
+ //Principal tags that come in as part of AssumeRoleWithWebIdentity
+ std::vector<std::pair<std::string, std::string>> principal_tags;
+
+ req_state(CephContext* _cct, const RGWProcessEnv& penv, RGWEnv* e, uint64_t id);
+ ~req_state();
+
+
+ void set_user(std::unique_ptr<rgw::sal::User>& u) { user.swap(u); }
+ bool is_err() const { return err.is_err(); }
+
+ // implements DoutPrefixProvider
+ std::ostream& gen_prefix(std::ostream& out) const override;
+ CephContext* get_cct() const override { return cct; }
+ unsigned get_subsys() const override { return ceph_subsys_rgw; }
+};
+
+void set_req_state_err(req_state*, int);
+void set_req_state_err(req_state*, int, const std::string&);
+void set_req_state_err(struct rgw_err&, int, const int);
+void dump(req_state*);
+
+/** Store basic data on bucket */
+struct RGWBucketEnt {
+ rgw_bucket bucket;
+ size_t size;
+ size_t size_rounded;
+ ceph::real_time creation_time;
+ uint64_t count;
+
+ /* The placement_rule is necessary to calculate per-storage-policy statics
+ * of the Swift API. Although the info available in RGWBucketInfo, we need
+ * to duplicate it here to not affect the performance of buckets listing. */
+ rgw_placement_rule placement_rule;
+
+ RGWBucketEnt()
+ : size(0),
+ size_rounded(0),
+ count(0) {
+ }
+ RGWBucketEnt(const RGWBucketEnt&) = default;
+ RGWBucketEnt(RGWBucketEnt&&) = default;
+ explicit RGWBucketEnt(const rgw_user& u, cls_user_bucket_entry&& e)
+ : bucket(u, std::move(e.bucket)),
+ size(e.size),
+ size_rounded(e.size_rounded),
+ creation_time(e.creation_time),
+ count(e.count) {
+ }
+
+ RGWBucketEnt& operator=(const RGWBucketEnt&) = default;
+
+ void convert(cls_user_bucket_entry *b) const {
+ bucket.convert(&b->bucket);
+ b->size = size;
+ b->size_rounded = size_rounded;
+ b->creation_time = creation_time;
+ b->count = count;
+ }
+
+ void encode(bufferlist& bl) const {
+ ENCODE_START(7, 5, bl);
+ uint64_t s = size;
+ __u32 mt = ceph::real_clock::to_time_t(creation_time);
+ std::string empty_str; // originally had the bucket name here, but we encode bucket later
+ encode(empty_str, bl);
+ encode(s, bl);
+ encode(mt, bl);
+ encode(count, bl);
+ encode(bucket, bl);
+ s = size_rounded;
+ encode(s, bl);
+ encode(creation_time, bl);
+ encode(placement_rule, bl);
+ ENCODE_FINISH(bl);
+ }
+ void decode(bufferlist::const_iterator& bl) {
+ DECODE_START_LEGACY_COMPAT_LEN(7, 5, 5, bl);
+ __u32 mt;
+ uint64_t s;
+ std::string empty_str; // backward compatibility
+ decode(empty_str, bl);
+ decode(s, bl);
+ decode(mt, bl);
+ size = s;
+ if (struct_v < 6) {
+ creation_time = ceph::real_clock::from_time_t(mt);
+ }
+ if (struct_v >= 2)
+ decode(count, bl);
+ if (struct_v >= 3)
+ decode(bucket, bl);
+ if (struct_v >= 4)
+ decode(s, bl);
+ size_rounded = s;
+ if (struct_v >= 6)
+ decode(creation_time, bl);
+ if (struct_v >= 7)
+ decode(placement_rule, bl);
+ DECODE_FINISH(bl);
+ }
+ void dump(Formatter *f) const;
+ static void generate_test_instances(std::list<RGWBucketEnt*>& o);
+};
+WRITE_CLASS_ENCODER(RGWBucketEnt)
+
+struct rgw_cache_entry_info {
+ std::string cache_locator;
+ uint64_t gen;
+
+ rgw_cache_entry_info() : gen(0) {}
+};
+
+inline std::ostream& operator<<(std::ostream& out, const rgw_obj &o) {
+ return out << o.bucket.name << ":" << o.get_oid();
+}
+
+struct multipart_upload_info
+{
+ rgw_placement_rule dest_placement;
+
+ void encode(bufferlist& bl) const {
+ ENCODE_START(1, 1, bl);
+ encode(dest_placement, bl);
+ ENCODE_FINISH(bl);
+ }
+
+ void decode(bufferlist::const_iterator& bl) {
+ DECODE_START(1, bl);
+ decode(dest_placement, bl);
+ DECODE_FINISH(bl);
+ }
+};
+WRITE_CLASS_ENCODER(multipart_upload_info)
+
+static inline void buf_to_hex(const unsigned char* const buf,
+ const size_t len,
+ char* const str)
+{
+ str[0] = '\0';
+ for (size_t i = 0; i < len; i++) {
+ ::sprintf(&str[i*2], "%02x", static_cast<int>(buf[i]));
+ }
+}
+
+template<size_t N> static inline std::array<char, N * 2 + 1>
+buf_to_hex(const std::array<unsigned char, N>& buf)
+{
+ static_assert(N > 0, "The input array must be at least one element long");
+
+ std::array<char, N * 2 + 1> hex_dest;
+ buf_to_hex(buf.data(), N, hex_dest.data());
+ return hex_dest;
+}
+
+static inline int hexdigit(char c)
+{
+ if (c >= '0' && c <= '9')
+ return (c - '0');
+ c = toupper(c);
+ if (c >= 'A' && c <= 'F')
+ return c - 'A' + 0xa;
+ return -EINVAL;
+}
+
+static inline int hex_to_buf(const char *hex, char *buf, int len)
+{
+ int i = 0;
+ const char *p = hex;
+ while (*p) {
+ if (i >= len)
+ return -EINVAL;
+ buf[i] = 0;
+ int d = hexdigit(*p);
+ if (d < 0)
+ return d;
+ buf[i] = d << 4;
+ p++;
+ if (!*p)
+ return -EINVAL;
+ d = hexdigit(*p);
+ if (d < 0)
+ return d;
+ buf[i] += d;
+ i++;
+ p++;
+ }
+ return i;
+}
+
+static inline int rgw_str_to_bool(const char *s, int def_val)
+{
+ if (!s)
+ return def_val;
+
+ return (strcasecmp(s, "true") == 0 ||
+ strcasecmp(s, "on") == 0 ||
+ strcasecmp(s, "yes") == 0 ||
+ strcasecmp(s, "1") == 0);
+}
+
+static inline void append_rand_alpha(CephContext *cct, const std::string& src, std::string& dest, int len)
+{
+ dest = src;
+ char buf[len + 1];
+ gen_rand_alphanumeric(cct, buf, len);
+ dest.append("_");
+ dest.append(buf);
+}
+
+static inline uint64_t rgw_rounded_kb(uint64_t bytes)
+{
+ return (bytes + 1023) / 1024;
+}
+
+static inline uint64_t rgw_rounded_objsize(uint64_t bytes)
+{
+ return ((bytes + 4095) & ~4095);
+}
+
+static inline uint64_t rgw_rounded_objsize_kb(uint64_t bytes)
+{
+ return ((bytes + 4095) & ~4095) / 1024;
+}
+
+/* implement combining step, S3 header canonicalization; k is a
+ * valid header and in lc form */
+void rgw_add_amz_meta_header(
+ meta_map_t& x_meta_map,
+ const std::string& k,
+ const std::string& v);
+
+enum rgw_set_action_if_set {
+ DISCARD=0, OVERWRITE, APPEND
+};
+
+bool rgw_set_amz_meta_header(
+ meta_map_t& x_meta_map,
+ const std::string& k,
+ const std::string& v, rgw_set_action_if_set f);
+
+extern std::string rgw_string_unquote(const std::string& s);
+extern void parse_csv_string(const std::string& ival, std::vector<std::string>& ovals);
+extern int parse_key_value(std::string& in_str, std::string& key, std::string& val);
+extern int parse_key_value(std::string& in_str, const char *delim, std::string& key, std::string& val);
+
+extern boost::optional<std::pair<std::string_view,std::string_view>>
+parse_key_value(const std::string_view& in_str,
+ const std::string_view& delim);
+extern boost::optional<std::pair<std::string_view,std::string_view>>
+parse_key_value(const std::string_view& in_str);
+
+struct rgw_name_to_flag {
+ const char *type_name;
+ uint32_t flag;
+};
+
+/** time parsing */
+extern int parse_time(const char *time_str, real_time *time);
+extern bool parse_rfc2616(const char *s, struct tm *t);
+extern bool parse_iso8601(const char *s, struct tm *t, uint32_t *pns = NULL, bool extended_format = true);
+extern std::string rgw_trim_whitespace(const std::string& src);
+extern std::string_view rgw_trim_whitespace(const std::string_view& src);
+extern std::string rgw_trim_quotes(const std::string& val);
+
+extern void rgw_to_iso8601(const real_time& t, char *dest, int buf_size);
+extern void rgw_to_iso8601(const real_time& t, std::string *dest);
+extern std::string rgw_to_asctime(const utime_t& t);
+
+struct perm_state_base {
+ CephContext *cct;
+ const rgw::IAM::Environment& env;
+ rgw::auth::Identity *identity;
+ const RGWBucketInfo bucket_info;
+ int perm_mask;
+ bool defer_to_bucket_acls;
+ boost::optional<PublicAccessBlockConfiguration> bucket_access_conf;
+
+ perm_state_base(CephContext *_cct,
+ const rgw::IAM::Environment& _env,
+ rgw::auth::Identity *_identity,
+ const RGWBucketInfo& _bucket_info,
+ int _perm_mask,
+ bool _defer_to_bucket_acls,
+ boost::optional<PublicAccessBlockConfiguration> _bucket_acess_conf = boost::none) :
+ cct(_cct),
+ env(_env),
+ identity(_identity),
+ bucket_info(_bucket_info),
+ perm_mask(_perm_mask),
+ defer_to_bucket_acls(_defer_to_bucket_acls),
+ bucket_access_conf(_bucket_acess_conf)
+ {}
+
+ virtual ~perm_state_base() {}
+
+ virtual const char *get_referer() const = 0;
+ virtual std::optional<bool> get_request_payer() const = 0; /*
+ * empty state means that request_payer param was not passed in
+ */
+
+};
+
+struct perm_state : public perm_state_base {
+ const char *referer;
+ bool request_payer;
+
+ perm_state(CephContext *_cct,
+ const rgw::IAM::Environment& _env,
+ rgw::auth::Identity *_identity,
+ const RGWBucketInfo& _bucket_info,
+ int _perm_mask,
+ bool _defer_to_bucket_acls,
+ const char *_referer,
+ bool _request_payer) : perm_state_base(_cct,
+ _env,
+ _identity,
+ _bucket_info,
+ _perm_mask,
+ _defer_to_bucket_acls),
+ referer(_referer),
+ request_payer(_request_payer) {}
+
+ const char *get_referer() const override {
+ return referer;
+ }
+
+ std::optional<bool> get_request_payer() const override {
+ return request_payer;
+ }
+};
+
+/** Check if the req_state's user has the necessary permissions
+ * to do the requested action */
+bool verify_bucket_permission_no_policy(
+ const DoutPrefixProvider* dpp,
+ struct perm_state_base * const s,
+ RGWAccessControlPolicy * const user_acl,
+ RGWAccessControlPolicy * const bucket_acl,
+ const int perm);
+
+bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
+ struct perm_state_base * const s,
+ RGWAccessControlPolicy * const user_acl,
+ const int perm);
+
+bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
+ struct perm_state_base * const s,
+ RGWAccessControlPolicy * const user_acl,
+ RGWAccessControlPolicy * const bucket_acl,
+ RGWAccessControlPolicy * const object_acl,
+ const int perm);
+
+/** Check if the req_state's user has the necessary permissions
+ * to do the requested action */
+rgw::IAM::Effect eval_identity_or_session_policies(const DoutPrefixProvider* dpp,
+ const std::vector<rgw::IAM::Policy>& user_policies,
+ const rgw::IAM::Environment& env,
+ const uint64_t op,
+ const rgw::ARN& arn);
+bool verify_user_permission(const DoutPrefixProvider* dpp,
+ req_state * const s,
+ RGWAccessControlPolicy * const user_acl,
+ const std::vector<rgw::IAM::Policy>& user_policies,
+ const std::vector<rgw::IAM::Policy>& session_policies,
+ const rgw::ARN& res,
+ const uint64_t op,
+ bool mandatory_policy=true);
+bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
+ req_state * const s,
+ RGWAccessControlPolicy * const user_acl,
+ const int perm);
+bool verify_user_permission(const DoutPrefixProvider* dpp,
+ req_state * const s,
+ const rgw::ARN& res,
+ const uint64_t op,
+ bool mandatory_policy=true);
+bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
+ req_state * const s,
+ int perm);
+bool verify_bucket_permission(
+ const DoutPrefixProvider* dpp,
+ req_state * const s,
+ const rgw_bucket& bucket,
+ RGWAccessControlPolicy * const user_acl,
+ RGWAccessControlPolicy * const bucket_acl,
+ const boost::optional<rgw::IAM::Policy>& bucket_policy,
+ const std::vector<rgw::IAM::Policy>& identity_policies,
+ const std::vector<rgw::IAM::Policy>& session_policies,
+ const uint64_t op);
+bool verify_bucket_permission(const DoutPrefixProvider* dpp, req_state * const s, const uint64_t op);
+bool verify_bucket_permission_no_policy(
+ const DoutPrefixProvider* dpp,
+ req_state * const s,
+ RGWAccessControlPolicy * const user_acl,
+ RGWAccessControlPolicy * const bucket_acl,
+ const int perm);
+bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp,
+ req_state * const s,
+ const int perm);
+int verify_bucket_owner_or_policy(req_state* const s,
+ const uint64_t op);
+extern bool verify_object_permission(
+ const DoutPrefixProvider* dpp,
+ req_state * const s,
+ const rgw_obj& obj,
+ RGWAccessControlPolicy * const user_acl,
+ RGWAccessControlPolicy * const bucket_acl,
+ RGWAccessControlPolicy * const object_acl,
+ const boost::optional<rgw::IAM::Policy>& bucket_policy,
+ const std::vector<rgw::IAM::Policy>& identity_policies,
+ const std::vector<rgw::IAM::Policy>& session_policies,
+ const uint64_t op);
+extern bool verify_object_permission(const DoutPrefixProvider* dpp, req_state *s, uint64_t op);
+extern bool verify_object_permission_no_policy(
+ const DoutPrefixProvider* dpp,
+ req_state * const s,
+ RGWAccessControlPolicy * const user_acl,
+ RGWAccessControlPolicy * const bucket_acl,
+ RGWAccessControlPolicy * const object_acl,
+ int perm);
+extern bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, req_state *s,
+ int perm);
+extern int verify_object_lock(
+ const DoutPrefixProvider* dpp,
+ const rgw::sal::Attrs& attrs,
+ const bool bypass_perm,
+ const bool bypass_governance_mode);
+
+/** Convert an input URL into a sane object name
+ * by converting %-escaped std::strings into characters, etc*/
+extern void rgw_uri_escape_char(char c, std::string& dst);
+extern std::string url_decode(const std::string_view& src_str,
+ bool in_query = false);
+extern void url_encode(const std::string& src, std::string& dst,
+ bool encode_slash = true);
+extern std::string url_encode(const std::string& src, bool encode_slash = true);
+extern std::string url_remove_prefix(const std::string& url); // Removes hhtp, https and www from url
+/* destination should be CEPH_CRYPTO_HMACSHA1_DIGESTSIZE bytes long */
+extern void calc_hmac_sha1(const char *key, int key_len,
+ const char *msg, int msg_len, char *dest);
+
+static inline sha1_digest_t
+calc_hmac_sha1(const std::string_view& key, const std::string_view& msg) {
+ sha1_digest_t dest;
+ calc_hmac_sha1(key.data(), key.size(), msg.data(), msg.size(),
+ reinterpret_cast<char*>(dest.v));
+ return dest;
+}
+
+/* destination should be CEPH_CRYPTO_HMACSHA256_DIGESTSIZE bytes long */
+extern void calc_hmac_sha256(const char *key, int key_len,
+ const char *msg, int msg_len,
+ char *dest);
+
+static inline sha256_digest_t
+calc_hmac_sha256(const char *key, const int key_len,
+ const char *msg, const int msg_len) {
+ sha256_digest_t dest;
+ calc_hmac_sha256(key, key_len, msg, msg_len,
+ reinterpret_cast<char*>(dest.v));
+ return dest;
+}
+
+static inline sha256_digest_t
+calc_hmac_sha256(const std::string_view& key, const std::string_view& msg) {
+ sha256_digest_t dest;
+ calc_hmac_sha256(key.data(), key.size(),
+ msg.data(), msg.size(),
+ reinterpret_cast<char*>(dest.v));
+ return dest;
+}
+
+static inline sha256_digest_t
+calc_hmac_sha256(const sha256_digest_t &key,
+ const std::string_view& msg) {
+ sha256_digest_t dest;
+ calc_hmac_sha256(reinterpret_cast<const char*>(key.v), sha256_digest_t::SIZE,
+ msg.data(), msg.size(),
+ reinterpret_cast<char*>(dest.v));
+ return dest;
+}
+
+static inline sha256_digest_t
+calc_hmac_sha256(const std::vector<unsigned char>& key,
+ const std::string_view& msg) {
+ sha256_digest_t dest;
+ calc_hmac_sha256(reinterpret_cast<const char*>(key.data()), key.size(),
+ msg.data(), msg.size(),
+ reinterpret_cast<char*>(dest.v));
+ return dest;
+}
+
+template<size_t KeyLenN>
+static inline sha256_digest_t
+calc_hmac_sha256(const std::array<unsigned char, KeyLenN>& key,
+ const std::string_view& msg) {
+ sha256_digest_t dest;
+ calc_hmac_sha256(reinterpret_cast<const char*>(key.data()), key.size(),
+ msg.data(), msg.size(),
+ reinterpret_cast<char*>(dest.v));
+ return dest;
+}
+
+extern sha256_digest_t calc_hash_sha256(const std::string_view& msg);
+
+extern ceph::crypto::SHA256* calc_hash_sha256_open_stream();
+extern void calc_hash_sha256_update_stream(ceph::crypto::SHA256* hash,
+ const char* msg,
+ int len);
+extern std::string calc_hash_sha256_close_stream(ceph::crypto::SHA256** phash);
+extern std::string calc_hash_sha256_restart_stream(ceph::crypto::SHA256** phash);
+
+extern int rgw_parse_op_type_list(const std::string& str, uint32_t *perm);
+
+static constexpr uint32_t MATCH_POLICY_ACTION = 0x01;
+static constexpr uint32_t MATCH_POLICY_RESOURCE = 0x02;
+static constexpr uint32_t MATCH_POLICY_ARN = 0x04;
+static constexpr uint32_t MATCH_POLICY_STRING = 0x08;
+
+extern bool match_policy(std::string_view pattern, std::string_view input,
+ uint32_t flag);
+
+extern std::string camelcase_dash_http_attr(const std::string& orig);
+extern std::string lowercase_dash_http_attr(const std::string& orig);
+
+void rgw_setup_saved_curl_handles();
+void rgw_release_all_curl_handles();
+
+static inline void rgw_escape_str(const std::string& s, char esc_char,
+ char special_char, std::string *dest)
+{
+ const char *src = s.c_str();
+ char dest_buf[s.size() * 2 + 1];
+ char *destp = dest_buf;
+
+ for (size_t i = 0; i < s.size(); i++) {
+ char c = src[i];
+ if (c == esc_char || c == special_char) {
+ *destp++ = esc_char;
+ }
+ *destp++ = c;
+ }
+ *destp++ = '\0';
+ *dest = dest_buf;
+}
+
+static inline ssize_t rgw_unescape_str(const std::string& s, ssize_t ofs,
+ char esc_char, char special_char,
+ std::string *dest)
+{
+ const char *src = s.c_str();
+ char dest_buf[s.size() + 1];
+ char *destp = dest_buf;
+ bool esc = false;
+
+ dest_buf[0] = '\0';
+
+ for (size_t i = ofs; i < s.size(); i++) {
+ char c = src[i];
+ if (!esc && c == esc_char) {
+ esc = true;
+ continue;
+ }
+ if (!esc && c == special_char) {
+ *destp = '\0';
+ *dest = dest_buf;
+ return (ssize_t)i + 1;
+ }
+ *destp++ = c;
+ esc = false;
+ }
+ *destp = '\0';
+ *dest = dest_buf;
+ return std::string::npos;
+}
+
+static inline std::string rgw_bl_str(ceph::buffer::list& raw)
+{
+ size_t len = raw.length();
+ std::string s(raw.c_str(), len);
+ while (len && !s[len - 1]) {
+ --len;
+ s.resize(len);
+ }
+ return s;
+}
+
+template <typename T>
+int decode_bl(bufferlist& bl, T& t)
+{
+ auto iter = bl.cbegin();
+ try {
+ decode(t, iter);
+ } catch (buffer::error& err) {
+ return -EIO;
+ }
+ return 0;
+}
+
+extern int rgw_bucket_parse_bucket_instance(const std::string& bucket_instance, std::string *bucket_name, std::string *bucket_id, int *shard_id);
+
+boost::intrusive_ptr<CephContext>
+rgw_global_init(const std::map<std::string,std::string> *defaults,
+ std::vector < const char* >& args,
+ uint32_t module_type, code_environment_t code_env,
+ int flags);