rgw: Fixes to User Policy code for CreateBucket and ListAllBuckets.
authorPritha Srivastava <prsrivas@redhat.com>
Fri, 26 Oct 2018 05:33:07 +0000 (11:03 +0530)
committerPritha Srivastava <prsrivas@redhat.com>
Mon, 3 Dec 2018 06:00:28 +0000 (11:30 +0530)
Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
src/rgw/rgw_op.cc
src/rgw/rgw_op.h
src/rgw/rgw_rest.cc

index 16c62b2c1535c49a2203b13ea2c3155a63a0eb8f..17334ac61905bad1696741a8d2d9cea7153de6e7 100644 (file)
@@ -288,7 +288,7 @@ static boost::optional<Policy> get_iam_policy_from_attr(CephContext* cct,
   }
 }
 
-static vector<Policy> get_iam_user_policy_from_attr(CephContext* cct,
+vector<Policy> get_iam_user_policy_from_attr(CephContext* cct,
                         RGWRados* store,
                         map<string, bufferlist>& attrs,
                         const string& tenant) {
@@ -2006,7 +2006,10 @@ int RGWGetObj::init_common()
 
 int RGWListBuckets::verify_permission()
 {
-  if (!verify_user_permission(this, s, ARN(), rgw::IAM::s3ListAllMyBuckets)) {
+  rgw::IAM::Partition partition = rgw::IAM::Partition::aws;
+  rgw::IAM::Service service = rgw::IAM::Service::s3;
+
+  if (!verify_user_permission(this, s, ARN(partition, service, "", s->user->user_id.tenant, "*"), rgw::IAM::s3ListAllMyBuckets)) {
     return -EACCES;
   }
 
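Review bot: `partition` and `service` on the lines above the check are single-use, non-const locals that only spread the ARN construction over three statements; fold them into one const object, `const ARN arn(rgw::IAM::Partition::aws, rgw::IAM::Service::s3, "", s->user->user_id.tenant, "*");` followed by `if (!verify_user_permission(this, s, arn, rgw::IAM::s3ListAllMyBuckets)) {`. The empty region and the `"*"` resource deserve a one-line why-comment, something like `// ListAllMyBuckets is not bucket-specific: match any resource in the caller's tenant` (the intent is inferred from the arguments, so confirm it against the policy matcher). RGWListBuckets::verify_permission continues past the end of the hunk.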
@@ -2558,7 +2561,11 @@ int RGWCreateBucket::verify_permission()
     return -EACCES;
   }
 
-  if (!verify_user_permission(this, s, ARN(s->bucket), rgw::IAM::s3CreateBucket)) {
+  rgw_bucket bucket;
+  bucket.name = s->bucket_name;
+  bucket.tenant = s->bucket_tenant;
+  ARN arn = ARN(bucket);
+  if (!verify_user_permission(this, s, arn, rgw::IAM::s3CreateBucket)) {
     return -EACCES;
   }
 
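Review bot: `ARN arn = ARN(bucket);` copy-initialises from a temporary where direct initialisation reads better, `const ARN arn(bucket);`, and `bucket` can be const once its two fields are set. More importantly the hunk replaces `ARN(s->bucket)` with an ARN built from `s->bucket_name`/`s->bucket_tenant` without recording why; presumably `s->bucket` is not yet populated for a bucket that does not exist, and a comment such as `// s->bucket is not populated for a bucket being created; build the ARN from the request's name and tenant` would keep the next maintainer from reverting it. RGWCreateBucket::verify_permission begins outside the hunk.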
index e7f4225de1324e973949e18af37519e3d04a6175..aff24d073929432a3e204a97ee3a5a13d27f22c1 100644 (file)
@@ -1813,7 +1813,10 @@ extern int rgw_build_object_policies(RGWRados *store, struct req_state *s,
                                     bool prefetch_data);
 extern rgw::IAM::Environment rgw_build_iam_environment(RGWRados* store,
                                                       struct req_state* s);
-
+extern vector<rgw::IAM::Policy> get_iam_user_policy_from_attr(CephContext* cct,
+                        RGWRados* store,
+                        map<string, bufferlist>& attrs,
+                        const string& tenant);
 
 static inline int get_system_versioning_params(req_state *s,
                                              uint64_t *olh_epoch,
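Review bot: The new declaration at the end of the hunk spells `vector`, `map`, `string` and `bufferlist` unqualified inside a header, which only compiles because some earlier include has pulled those names into the global namespace; a header should use the qualified forms, `extern std::vector<rgw::IAM::Policy> get_iam_user_policy_from_attr(CephContext* cct, RGWRados* store, std::map<std::string, ceph::bufferlist>& attrs, const std::string& tenant);`. Now that the function is part of the header's interface it should also carry a short doc comment, e.g. `/// Parse the IAM user policies stored in the user's attrs for the given tenant; may throw on a malformed policy document, callers catch std::exception.` — the throwing behaviour is inferred from the try/catch around the call in rgw_rest.cc, so confirm it against the definition in rgw_op.cc.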
index 324d28d49998cddf0febe35d67b30ca937e713ad..7b3314b52fd6bfbdf6e6a73c2b90e2e4468fa939 100644 (file)
@@ -1814,8 +1814,28 @@ static http_op op_from_method(const char *method)
 
 int RGWHandler_REST::init_permissions(RGWOp* op)
 {
-  if (op->get_type() == RGW_OP_CREATE_BUCKET)
+  if (op->get_type() == RGW_OP_CREATE_BUCKET) {
+    // We don't need user policies in case of STS token returned by AssumeRole, hence the check for user type
+    if (! s->user->user_id.empty() && s->user->type != TYPE_NONE) {
+      try {
+        map<string, bufferlist> uattrs;
+        if (auto ret = rgw_get_user_attrs_by_uid(store, s->user->user_id, uattrs); ! ret) {
+          if (s->iam_user_policies.empty()) {
+            s->iam_user_policies = get_iam_user_policy_from_attr(s->cct, store, uattrs, s->user->user_id.tenant);
+          } else {
+          // This scenario can happen when a STS token has a policy, then we need to append other user policies
+          // to the existing ones. (e.g. token returned by GetSessionToken)
+          auto user_policies = get_iam_user_policy_from_attr(s->cct, store, uattrs, s->user->user_id.tenant);
+          s->iam_user_policies.insert(s->iam_user_policies.end(), user_policies.begin(), user_policies.end());
+          }
+        }
+      } catch (const std::exception& e) {
+        lderr(s->cct) << "Error reading IAM User Policy: " << e.what() << dendl;
+      }
+    }
+    s->env = rgw_build_iam_environment(store, s);
     return 0;
+  }
 
   return do_init_permissions();
 }
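Review bot: Both failure paths in the new block fail open: a non-zero `ret` from `rgw_get_user_attrs_by_uid` is silently skipped, and the `catch` near the bottom only logs, yet the function still builds the environment and returns 0, so the request proceeds to RGWCreateBucket::verify_permission with whatever user policies happened to load — a Deny statement for s3:CreateBucket in the user's policy would then not be enforced. Unless a best-effort read is intended here, return the error instead (`return ret;` after logging it, assuming the usual negative-errno convention, and `return -EACCES;` from the catch). The if/else on `s->iam_user_policies.empty()` is also redundant, since appending to an empty vector is the same as assigning, and its else branch is mis-indented; the rewrite below folds the two branches and the STS comment into a single append.
```cpp
  if (op->get_type() == RGW_OP_CREATE_BUCKET) {
    // We don't need user policies in case of STS token returned by AssumeRole, hence the check for user type
    if (! s->user->user_id.empty() && s->user->type != TYPE_NONE) {
      try {
        map<string, bufferlist> uattrs;
        const int ret = rgw_get_user_attrs_by_uid(store, s->user->user_id, uattrs);
        if (ret != 0) {
          lderr(s->cct) << "Error reading user attrs for IAM User Policy: ret=" << ret << dendl;
          return ret;  // fail closed: do not evaluate the request without the user's policies
        }
        // Append rather than assign: s->iam_user_policies may already hold a policy from an STS
        // token (e.g. GetSessionToken), and appending to an empty vector covers the plain case.
        auto user_policies = get_iam_user_policy_from_attr(s->cct, store, uattrs, s->user->user_id.tenant);
        s->iam_user_policies.insert(s->iam_user_policies.end(), user_policies.begin(), user_policies.end());
      } catch (const std::exception& e) {
        lderr(s->cct) << "Error reading IAM User Policy: " << e.what() << dendl;
        return -EACCES;
      }
    }
    s->env = rgw_build_iam_environment(store, s);
    return 0;
  }
  // … unchanged: return do_init_permissions(); …
```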