rgw: only allow system override if identity is not impersonating
Since multisite now delegates permission checks for source objects
to the source zone (
a3f40b4), we need to avoid allowing system-level
overrides when the request is impersonating another identity.
SysReqApplier should only grant override permission if the request
is truly system-authenticated and not acting on behalf of another
user or role (i.e., no rgwx-perm-check-uid or rgwx-perm-check-role
in the request).
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
(cherry picked from commit
2a0cb65076fa63439a5d4b7c8876fb551d7ab8ec)
projects / ceph.git / commit