Add support for the subuser calls in the rgw admin interface

docs/api-status.json

@@ -1776,6 +1776,24 @@
         "comment": "LinkBucket will link a bucket to a specified user\nunlinking the bucket from any previous user\n PREVIEW\n",
         "added_in_version": "v0.15.0",
         "expected_stable_version": "v0.17.0"
+      },
+      {
+        "name": "API.CreateSubuser",
+        "comment": "CreateSubuser - https://docs.ceph.com/en/latest/radosgw/adminops/#create-subuser\n PREVIEW\n",
+        "added_in_version": "v0.15.0",
+        "expected_stable_version": "v0.17.0"
+      },
+      {
+        "name": "API.RemoveSubuser",
+        "comment": "RemoveSubuser - https://docs.ceph.com/en/latest/radosgw/adminops/#remove-subuser\n PREVIEW\n",
+        "added_in_version": "v0.15.0",
+        "expected_stable_version": "v0.17.0"
+      },
+      {
+        "name": "API.ModifySubuser",
+        "comment": "ModifySubuser - https://docs.ceph.com/en/latest/radosgw/adminops/#modify-subuser\n PREVIEW\n",
+        "added_in_version": "v0.15.0",
+        "expected_stable_version": "v0.17.0"
       }
     ],
     "stable_api": [

docs/api-status.md

@@ -59,6 +59,9 @@ Name | Added in Version | Expected Stable Version |
 ---- | ---------------- | ----------------------- | 
 API.UnlinkBucket | v0.15.0 | v0.17.0 | 
 API.LinkBucket | v0.15.0 | v0.17.0 | 
+API.CreateSubuser | v0.15.0 | v0.17.0 | 
+API.RemoveSubuser | v0.15.0 | v0.17.0 | 
+API.ModifySubuser | v0.15.0 | v0.17.0 | 
 
 ## Package: common/admin/manager
 

rgw/admin/bucket.go

@@ -98,7 +98,7 @@ func (api *API) ListBuckets(ctx context.Context) ([]string, error) {
 
 // GetBucketInfo will return various information about a specific token
 func (api *API) GetBucketInfo(ctx context.Context, bucket Bucket) (Bucket, error) {
-	body, err := api.call(ctx, http.MethodGet, "/bucket", valueToURLParams(bucket))
+	body, err := api.call(ctx, http.MethodGet, "/bucket", valueToURLParams(bucket, []string{"bucket", "uid", "stats"}))
 	if err != nil {
 		return Bucket{}, err
 	}
@@ -116,7 +116,9 @@ func (api *API) GetBucketInfo(ctx context.Context, bucket Bucket) (Bucket, error
 func (api *API) GetBucketPolicy(ctx context.Context, bucket Bucket) (Policy, error) {
 	policy := true
 	bucket.Policy = &policy
-	body, err := api.call(ctx, http.MethodGet, "/bucket", valueToURLParams(bucket))
+
+	// valid parameters not supported by go-ceph: object
+	body, err := api.call(ctx, http.MethodGet, "/bucket", valueToURLParams(bucket, []string{"bucket"}))
 	if err != nil {
 		return Policy{}, err
 	}
@@ -132,7 +134,7 @@ func (api *API) GetBucketPolicy(ctx context.Context, bucket Bucket) (Policy, err
 
 // RemoveBucket will remove a given token from the object store
 func (api *API) RemoveBucket(ctx context.Context, bucket Bucket) error {
-	_, err := api.call(ctx, http.MethodDelete, "/bucket", valueToURLParams(bucket))
+	_, err := api.call(ctx, http.MethodDelete, "/bucket", valueToURLParams(bucket, []string{"bucket", "purge-objects"}))
 	if err != nil {
 		return err
 	}

rgw/admin/caps.go

@@ -19,7 +19,7 @@ func (api *API) AddUserCap(ctx context.Context, uid, userCap string) ([]UserCapS
 	}
 
 	user := User{ID: uid, UserCaps: userCap}
-	body, err := api.call(ctx, http.MethodPut, "/user?caps", valueToURLParams(user))
+	body, err := api.call(ctx, http.MethodPut, "/user?caps", valueToURLParams(user, []string{"uid", "user-caps"}))
 	if err != nil {
 		return nil, err
 	}
@@ -45,7 +45,7 @@ func (api *API) RemoveUserCap(ctx context.Context, uid, userCap string) ([]UserC
 	}
 
 	user := User{ID: uid, UserCaps: userCap}
-	body, err := api.call(ctx, http.MethodDelete, "/user?caps", valueToURLParams(user))
+	body, err := api.call(ctx, http.MethodDelete, "/user?caps", valueToURLParams(user, []string{"uid", "user-caps"}))
 	if err != nil {
 		return nil, err
 	}

rgw/admin/errors.go

@@ -87,6 +87,7 @@ const (
 
 var (
 	errMissingUserID          = errors.New("missing user ID")
+	errMissingSubuserID       = errors.New("missing subuser ID")
 	errMissingUserAccessKey   = errors.New("missing user access key")
 	errMissingUserDisplayName = errors.New("missing user display name")
 	errMissingUserCap         = errors.New("missing user capabilities")

rgw/admin/link.go

@@ -25,7 +25,7 @@ func (api *API) UnlinkBucket(ctx context.Context, link BucketLinkInput) error {
 	if link.Bucket == "" {
 		return errMissingBucket
 	}
-	_, err := api.call(ctx, http.MethodPost, "/bucket", valueToURLParams(link))
+	_, err := api.call(ctx, http.MethodPost, "/bucket", valueToURLParams(link, []string{"uid", "bucket"}))
 	return err
 }
 
@@ -39,6 +39,7 @@ func (api *API) LinkBucket(ctx context.Context, link BucketLinkInput) error {
 	if link.Bucket == "" {
 		return errMissingBucket
 	}
-	_, err := api.call(ctx, http.MethodPut, "/bucket", valueToURLParams(link))
+	//  valid parameters not supported by go-ceph: new-bucket-name
+	_, err := api.call(ctx, http.MethodPut, "/bucket", valueToURLParams(link, []string{"uid", "bucket-id", "bucket"}))
 	return err
 }

rgw/admin/quota.go

@@ -28,7 +28,7 @@ func (api *API) GetUserQuota(ctx context.Context, quota QuotaSpec) (QuotaSpec, e
 		return QuotaSpec{}, errMissingUserID
 	}
 
-	body, err := api.call(ctx, http.MethodGet, "/user?quota", valueToURLParams(quota))
+	body, err := api.call(ctx, http.MethodGet, "/user?quota", valueToURLParams(quota, []string{"uid", "quota-type"}))
 	if err != nil {
 		return QuotaSpec{}, err
 	}
@@ -53,7 +53,7 @@ func (api *API) SetUserQuota(ctx context.Context, quota QuotaSpec) error {
 		return errMissingUserID
 	}
 
-	_, err := api.call(ctx, http.MethodPut, "/user?quota", valueToURLParams(quota))
+	_, err := api.call(ctx, http.MethodPut, "/user?quota", valueToURLParams(quota, []string{"uid", "quota-type", "enabled", "max-size", "max-size-kb", "max-objects"}))
 	if err != nil {
 		return err
 	}

rgw/admin/subuser.go

@@ -0,0 +1,107 @@
+//go:build ceph_preview
+// +build ceph_preview
+
+package admin
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+)
+
+// validateSubuserAcess - Return whether the given subuser access value is valid as input parameter
+func (s SubuserSpec) validateSubuserAccess() bool {
+	a := s.Access
+	return a == "" ||
+		a == SubuserAccessRead ||
+		a == SubuserAccessWrite ||
+		a == SubuserAccessReadWrite ||
+		a == SubuserAccessFull
+}
+
+func makeInvalidSubuserAccessLevelError(spec SubuserSpec) error {
+	return fmt.Errorf("invalid subuser access level %q", spec.Access)
+}
+
+// The following are the subuser API functions.
+//
+// We need to explain the omission of ?subuser in the API path common
+// to all three functions.
+//
+// According to the docs, this has to be included to select the
+// subuser operation, but we already have subuser as a parameter with
+// a value (and make sure it's not empty and thus included by
+// validating the SubuserSpec). The presence of this parameter
+// triggers the subuser operation.
+//
+// If we add the subuser with the empty value the API call fails as
+// having an invalid signature (and it is semantically wrong as we
+// then have *two* values for the subuser name, an empty one an the
+// relevant one, the upstream code does not seem to handle that case
+// gracefully).
+
+// CreateSubuser - https://docs.ceph.com/en/latest/radosgw/adminops/#create-subuser
+//  PREVIEW
+func (api *API) CreateSubuser(ctx context.Context, user User, subuser SubuserSpec) error {
+	if user.ID == "" {
+		return errMissingUserID
+	}
+	if subuser.Name == "" {
+		return errMissingSubuserID
+	}
+	if !subuser.validateSubuserAccess() {
+		return makeInvalidSubuserAccessLevelError(subuser)
+	}
+	// valid parameters not supported by go-ceph: access-key, gen-access-key
+	v := valueToURLParams(user, []string{"uid"})
+	addToURLParams(&v, subuser, []string{"subuser", "access", "secret-key", "generate-secret", "key-type"})
+	_, err := api.call(ctx, http.MethodPut, "/user", v)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// RemoveSubuser - https://docs.ceph.com/en/latest/radosgw/adminops/#remove-subuser
+//  PREVIEW
+func (api *API) RemoveSubuser(ctx context.Context, user User, subuser SubuserSpec) error {
+	if user.ID == "" {
+		return errMissingUserID
+	}
+	if subuser.Name == "" {
+		return errMissingSubuserID
+	}
+
+	v := valueToURLParams(user, []string{"uid"})
+	addToURLParams(&v, subuser, []string{"subuser", "purge-keys"})
+	_, err := api.call(ctx, http.MethodDelete, "/user", v)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// ModifySubuser - https://docs.ceph.com/en/latest/radosgw/adminops/#modify-subuser
+//  PREVIEW
+func (api *API) ModifySubuser(ctx context.Context, user User, subuser SubuserSpec) error {
+	if user.ID == "" {
+		return errMissingUserID
+	}
+	if subuser.Name == "" {
+		return errMissingSubuserID
+	}
+	if !subuser.validateSubuserAccess() {
+		return makeInvalidSubuserAccessLevelError(subuser)
+	}
+
+	v := valueToURLParams(user, []string{"uid"})
+	addToURLParams(&v, subuser, []string{"subuser", "access", "secret", "generate-secret", "key-type"})
+	_, err := api.call(ctx, http.MethodPost, "/user", v)
+	if err != nil {
+		return err
+	}
+
+	return nil
+}

rgw/admin/subuser_test.go

@@ -0,0 +1,72 @@
+package admin
+
+import (
+	"bytes"
+	"context"
+	"fmt"
+	"io/ioutil"
+	"net/http"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestValidateSubuserAccess(t *testing.T) {
+	assert.True(t, SubuserSpec{Access: SubuserAccessNone}.validateSubuserAccess())
+	assert.True(t, SubuserSpec{Access: SubuserAccessRead}.validateSubuserAccess())
+	assert.True(t, SubuserSpec{Access: SubuserAccessWrite}.validateSubuserAccess())
+	assert.True(t, SubuserSpec{Access: SubuserAccessReadWrite}.validateSubuserAccess())
+	assert.True(t, SubuserSpec{Access: SubuserAccessFull}.validateSubuserAccess())
+	assert.False(t, SubuserSpec{Access: SubuserAccessReplyFull}.validateSubuserAccess())
+	assert.False(t, SubuserSpec{Access: SubuserAccess("bar")}.validateSubuserAccess())
+}
+
+func TestCreateSubuserMockAPI(t *testing.T) {
+	t.Run("test create subuser validation: neither is set", func(t *testing.T) {
+		api, err := New("127.0.0.1", "accessKey", "secretKey", returnMockClientCreateSubuser())
+		assert.NoError(t, err)
+		err = api.CreateSubuser(context.TODO(), User{}, SubuserSpec{})
+		assert.Equal(t, err, errMissingUserID)
+	})
+	t.Run("test create subuser validation: no user ID", func(t *testing.T) {
+		api, err := New("127.0.0.1", "accessKey", "secretKey", returnMockClientCreateSubuser())
+		assert.NoError(t, err)
+		err = api.CreateSubuser(context.TODO(), User{}, SubuserSpec{Name: "foo"})
+		assert.Equal(t, err, errMissingUserID)
+	})
+	t.Run("test create subuser validation: no subuser ID", func(t *testing.T) {
+		api, err := New("127.0.0.1", "accessKey", "secretKey", returnMockClientCreateSubuser())
+		assert.NoError(t, err)
+		err = api.CreateSubuser(context.TODO(), User{ID: "dashboard-admin"}, SubuserSpec{})
+		assert.Equal(t, err, errMissingSubuserID)
+	})
+	t.Run("test create subuser validation: valid", func(t *testing.T) {
+		api, err := New("127.0.0.1", "accessKey", "secretKey", returnMockClientCreateSubuser())
+		assert.NoError(t, err)
+		err = api.CreateSubuser(context.TODO(), User{ID: "dashboard-admin"}, SubuserSpec{Name: "foo"})
+		assert.NoError(t, err)
+	})
+	t.Run("test create subuser validation: invalid access", func(t *testing.T) {
+		api, err := New("127.0.0.1", "accessKey", "secretKey", returnMockClientCreateSubuser())
+		assert.NoError(t, err)
+		err = api.CreateSubuser(context.TODO(), User{ID: "dashboard-admin"}, SubuserSpec{Name: "foo", Access: SubuserAccess("foo")})
+		assert.Error(t, err)
+		assert.EqualError(t, err, `invalid subuser access level "foo"`)
+	})
+}
+
+// mockClient is defined in user_test.go
+func returnMockClientCreateSubuser() *mockClient {
+	r := ioutil.NopCloser(bytes.NewReader([]byte("")))
+	return &mockClient{
+		mockDo: func(req *http.Request) (*http.Response, error) {
+			if req.Method == http.MethodPut && req.URL.Path == "127.0.0.1/admin/user" {
+				return &http.Response{
+					StatusCode: 201,
+					Body:       r,
+				}, nil
+			}
+			return nil, fmt.Errorf("unexpected request: %q. method %q. path %q", req.URL.RawQuery, req.Method, req.URL.Path)
+		},
+	}
+}

rgw/admin/usage.go

@@ -50,7 +50,8 @@ type Usage struct {
 
 // GetUsage request bandwidth usage information on the object store
 func (api *API) GetUsage(ctx context.Context, usage Usage) (Usage, error) {
-	body, err := api.call(ctx, http.MethodGet, "/usage", valueToURLParams(usage))
+	// valid parameters not supported by go-ceph: category, bucket
+	body, err := api.call(ctx, http.MethodGet, "/usage", valueToURLParams(usage, []string{"uid", "start", "end", "show-entries", "show-summary"}))
 	if err != nil {
 		return Usage{}, err
 	}
@@ -65,6 +66,7 @@ func (api *API) GetUsage(ctx context.Context, usage Usage) (Usage, error) {
 
 // TrimUsage removes bandwidth usage information. With no dates specified, removes all usage information.
 func (api *API) TrimUsage(ctx context.Context, usage Usage) error {
-	_, err := api.call(ctx, http.MethodDelete, "/usage", valueToURLParams(usage))
+	// valid parameters not supported by go-ceph: bucket
+	_, err := api.call(ctx, http.MethodDelete, "/usage", valueToURLParams(usage, []string{"uid", "start", "end", "remove-all"}))
 	return err
 }