]> git-server-git.apps.pok.os.sepia.ceph.com Git - ceph.git/commitdiff
projects / ceph.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 5a4850c)
rgw: Check bucket GetBucketLocation in policy 18443/head
authorAdam C. Emerson <aemerson@redhat.com>
Wed, 27 Sep 2017 20:08:56 +0000 (16:08 -0400)
committerAbhishek Lekshmanan <abhishek@suse.com>
Fri, 20 Oct 2017 15:04:05 +0000 (17:04 +0200)
Add code to check s3:GetBucketLocation against bucket policy.

Fixes: http://tracker.ceph.com/issues/21582
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1493934
Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
(cherry picked from commit 79188d679edeb6e2f7ca852fdc4224368412cb72)

src/rgw/rgw_op.cc patch | blob | history

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index f7e5caf67f51dd45763bc8c3eec39391ab2ae005..f27c22f6d9e54561a07443362beb1a6cc0ded93c 100644 (file)
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -2289,11 +2289,16 @@ int RGWGetBucketLogging::verify_permission()
 
 int RGWGetBucketLocation::verify_permission()
 {
-  if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
-    return -EACCES;
+  if (s->iam_policy) {
+    if (s->iam_policy->eval(s->env, *s->auth.identity,
+                           rgw::IAM::s3GetBucketLocation,
+                           ARN(s->bucket)) == Effect::Allow) {
+      return 0;
+    }
+  } else if (s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
+    return 0;
   }
-
-  return 0;
+  return -EACCES;
 }
 
 int RGWCreateBucket::verify_permission()
Unnamed repository; edit this file 'description' to name the repository.