rgw: implement IgnorePublicACLs
authorAbhishek Lekshmanan <abhishek@suse.com>
Wed, 29 Jan 2020 11:56:33 +0000 (12:56 +0100)
committerAbhishek Lekshmanan <abhishek@suse.com>
Mon, 3 Feb 2020 16:53:33 +0000 (17:53 +0100)
This allows ignoring bucket/object ACLs that are configured to be public.

Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
src/rgw/rgw_acl.cc
src/rgw/rgw_acl.h
src/rgw/rgw_common.cc

index ac6313f8150793baad17b98c6bb4aeb9eed60073..ff27a7ae676a5b2c64bdf7dc1c9cdb9acdda6e04 100644 (file)
@@ -116,7 +116,8 @@ uint32_t RGWAccessControlList::get_referer_perm(const uint32_t current_perm,
 uint32_t RGWAccessControlPolicy::get_perm(const DoutPrefixProvider* dpp,
                                           const rgw::auth::Identity& auth_identity,
                                           const uint32_t perm_mask,
-                                          const char * const http_referer)
+                                          const char * const http_referer,
+                                          bool ignore_public_acls)
 {
   ldpp_dout(dpp, 20) << "-- Getting permissions begin with perm_mask=" << perm_mask
                  << dendl;
@@ -132,7 +133,7 @@ uint32_t RGWAccessControlPolicy::get_perm(const DoutPrefixProvider* dpp,
   }
 
   /* should we continue looking up? */
-  if ((perm & perm_mask) != perm_mask) {
+  if (!ignore_public_acls && ((perm & perm_mask) != perm_mask)) {
     perm |= acl.get_group_perm(ACL_GROUP_ALL_USERS, perm_mask);
 
     if (false == auth_identity.is_owner_of(rgw_user(RGW_USER_ANON_ID))) {
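Review bot: The new flag changes the outcome of the permission check but is not echoed in the level-20 trace at the top of the function, so a denial caused by IgnorePublicACLs is indistinguishable in the logs from a plain missing grant; extend the log line to `ldpp_dout(dpp, 20) << "-- Getting permissions begin with perm_mask=" << perm_mask << " ignore_public_acls=" << ignore_public_acls << dendl;`. The gated block covers both the ALL_USERS grant and the AUTHENTICATED_USERS lookup that follows the anonymous-identity test, which is consistent with S3's definition of a public ACL, but the comment "should we continue looking up?" no longer describes the condition; a comment such as `/* public-group grants (AllUsers/AuthenticatedUsers) are skipped entirely when the bucket's PublicAccessBlock sets IgnorePublicACLs */` would make the intent explicit. The referer-based grants handled by get_referer_perm in this file are not affected by the new condition as far as the hunk shows; if they are evaluated later in this function, state in a comment whether a referer grant counts as public. get_perm continues outside the hunk.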
@@ -157,11 +158,12 @@ bool RGWAccessControlPolicy::verify_permission(const DoutPrefixProvider* dpp,
                                                const rgw::auth::Identity& auth_identity,
                                                const uint32_t user_perm_mask,
                                                const uint32_t perm,
-                                               const char * const http_referer)
+                                               const char * const http_referer,
+                                               bool ignore_public_acls)
 {
   uint32_t test_perm = perm | RGW_PERM_READ_OBJS | RGW_PERM_WRITE_OBJS;
 
-  uint32_t policy_perm = get_perm(dpp, auth_identity, test_perm, http_referer);
+  uint32_t policy_perm = get_perm(dpp, auth_identity, test_perm, http_referer, ignore_public_acls);
 
   /* the swift WRITE_OBJS perm is equivalent to the WRITE obj, just
      convert those bits. Note that these bits will only be set on
index 0ba06ef8b6cc8bfe356e6af577dbed117bc1e1ac..278e8b4cbe936b144af98f830d99cd73d58bf7f8 100644 (file)
@@ -418,12 +418,14 @@ public:
   uint32_t get_perm(const DoutPrefixProvider* dpp,
                     const rgw::auth::Identity& auth_identity,
                     uint32_t perm_mask,
-                    const char * http_referer);
+                    const char * http_referer,
+                    bool ignore_public_acls=false);
   bool verify_permission(const DoutPrefixProvider* dpp,
                          const rgw::auth::Identity& auth_identity,
                          uint32_t user_perm_mask,
                          uint32_t perm,
-                         const char * http_referer = nullptr);
+                         const char * http_referer = nullptr,
+                         bool ignore_public_acls=false);
 
   void encode(bufferlist& bl) const {
     ENCODE_START(2, 2, bl);
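Review bot: The new `ignore_public_acls` parameter is added to both declarations without any documentation of what "public" means here or who is expected to set it, and the default-argument spacing `bool ignore_public_acls=false` differs from `const char * http_referer = nullptr` two lines above. A short comment above get_perm along the lines of `/* ignore_public_acls: when true, grants to the AllUsers and AuthenticatedUsers groups are not consulted (S3 PublicAccessBlock IgnorePublicACLs); grants computed before that lookup are unaffected */` would tell readers of the header what the flag does, and the default should be written `bool ignore_public_acls = false` for consistency with the neighbouring parameter. The class continues outside the hunk.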
index e44854bfa6421be483efc88d78186faaa5beeb97..b38f3448ca0057c6ee05f28c532ac5bea6300275 100644 (file)
@@ -1332,7 +1332,10 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_b
     return false;
   }
 
-  bool ret = object_acl->verify_permission(dpp, *s->identity, s->perm_mask, perm);
+  bool ret = object_acl->verify_permission(dpp, *s->auth.identity, s->perm_mask, perm,
+                                          nullptr, /* http_referrer */
+                                          s->bucket_access_conf &&
+                                          s->bucket_access_conf->ignore_public_acls());
   if (ret) {
     return true;
   }
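Review bot: Besides wiring the new flag, the replaced line switches the identity passed to verify_permission from `*s->identity` to `*s->auth.identity`, a change the commit message does not mention; since the hunk header shows this function taking a `struct perm_state_base`, confirm that this type actually exposes `auth.identity` and `bucket_access_conf` (the removed line used `s->identity` directly), otherwise this looks like a rebase artifact and should remain `*s->identity`. Only the object ACL receives the IgnorePublicACLs flag here; if this function also evaluates a bucket ACL outside the hunk, a public bucket ACL would still grant access unless the same flag is applied there, so either apply it or add a comment stating why the check is intentionally limited to the object ACL. A null `bucket_access_conf` evaluates to "do not ignore", i.e. buckets without a PublicAccessBlock keep the legacy behaviour; a one-line comment such as `// no PublicAccessBlock configured => public ACL grants still apply` would record that this is deliberate. verify_object_permission continues outside the hunk.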
@@ -1396,7 +1399,10 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
     return false;
   }
 
-  bool ret = object_acl->verify_permission(dpp, *s->identity, s->perm_mask, perm);
+  bool ret = object_acl->verify_permission(dpp, *s->auth.identity, s->perm_mask, perm,
+                                          nullptr, /* http referrer */
+                                          s->bucket_access_conf &&
+                                          s->bucket_access_conf->ignore_public_acls());
   if (ret) {
     return true;
   }
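Review bot: The expression `s->bucket_access_conf && s->bucket_access_conf->ignore_public_acls()` is now duplicated verbatim between verify_object_permission and verify_object_permission_no_policy, and the two copies already differ in their placeholder comment (`/* http_referrer */` vs `/* http referrer */`); a small file-local helper, e.g. `static bool ignore_public_acls(const perm_state_base* s) { return s->bucket_access_conf && s->bucket_access_conf->ignore_public_acls(); }`, keeps the two permission paths from drifting as further PublicAccessBlock settings are added. The placeholder should also name the actual parameter, `nullptr, /* http_referer */`, which is the identifier in RGWAccessControlPolicy::verify_permission. The same `*s->identity` to `*s->auth.identity` switch as in the previous hunk appears here and should be confirmed against the declared type of `s`, which this hunk's header does not show. verify_object_permission_no_policy continues outside the hunk.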