git.apps.os.sepia.ceph.com Git - ceph-ci.git/commit

author	Casey Bodley <cbodley@redhat.com>
	Fri, 1 Mar 2024 14:36:31 +0000 (09:36 -0500)
committer	Casey Bodley <cbodley@redhat.com>
	Fri, 12 Apr 2024 19:34:29 +0000 (15:34 -0400)
commit	897d4063871a233704c84c2306b733293089bb1a
tree	fcdd336de1be5ed874c6d44b4f46cd329723e13d	tree \| snapshot
parent	b27faec687d3f98610968ce082948da2c45e38bd	commit \| diff

rgw/auth: object ops use new verify_bucket_permission() overload

several object operations like PutObject, DeleteObject, etc were handling
policy evaluation manually instead of using the helper functions like
verify_user/bucket/object_permission(), so were missing the cross-policy
evaluation rules for account users

these now call the new 'custom arn' overload of verify_bucket_permission()
for equivalent functionality

the eval_identity_or_session_policies() function is no longer exposed by
rgw_common.h to prevent other ops from adding new logic that doesn't
handle cross-account access

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 315ded47868de276de644315767d9ea2fab9c845)

src/rgw/rgw_common.cc		diff \| blob \| history
src/rgw/rgw_common.h		diff \| blob \| history
src/rgw/rgw_op.cc		diff \| blob \| history
src/rgw/rgw_op.h		diff \| blob \| history
src/rgw/rgw_rest_swift.cc		diff \| blob \| history
src/rgw/rgw_rest_swift.h		diff \| blob \| history