git-server-git.apps.pok.os.sepia.ceph.com Git

author	Oguzhan Ozmen <oozmen@bloomberg.net>
	Sat, 7 Oct 2023 01:41:58 +0000 (21:41 -0400)
committer	Oguzhan Ozmen <oozmen@bloomberg.net>
	Fri, 20 Oct 2023 20:07:13 +0000 (16:07 -0400)
commit	ebbc50c90794f6d8eef6dbf9b55fbc68e01c7b15
tree	aa0d5b422e2b403c531f90677f5ca6823a8af193	tree \| snapshot
parent	f0804064d67a2a63dbabf1801ff452580a050cfc	commit \| diff

RGW/Roles: use the target/new max-session-duration value when validating it

If we validate before updating the role's max-session-duration, the
validator function wrongly uses the on-disk (existing/old) value for
validation. Note that the "role" object being updated is in-memory and
only after validation passes, it's persisted on-disk. So, calling role
object's update_max_session_duration API function is OK before the
role->validate_max_session_duration call.

validate_max_session_duration is used by both "role creation" and "role
update". The latter wrongly uses existing role's max_session_duration
value for validation instead of the new/target duration:

$ radosgw-admin ... role create --role-name=myrole ...
$ radosgw-admin ... role get --role-name=myrole | jq
'.MaxSessionDuration'
3600

where 3600 seconds is the default value.

$ radosgw-admin ... role update --role-name=myrole
--max_session_duration=100000
Max session duration updated successfully for role: myrole

Although above update call should have failed since 100K is higher than
43200 (the default max), it succeeded.

$ radosgw-admin ... role get --role-name=myrole | jq
'.MaxSessionDuration'
100000

Fixes: https://tracker.ceph.com/issues/63109
Signed-off-by: Oguzhan Ozmen <oozmen@bloomberg.net>

src/rgw/rgw_admin.cc		diff \| blob \| history
src/rgw/rgw_rest_role.cc		diff \| blob \| history