const boost::optional<Policy>& bucket_policy,
const vector<Policy>& identity_policies,
const vector<Policy>& session_policies,
- const uint64_t op, bool* granted_by_acl)
+ const uint64_t op,
+ bool* granted_by_acl,
+ bool bucket_owner_comptability)
{
if (!verify_requester_payer_permission(s))
return false;
return true;
}
+ //For backward compatibility with 7.1, return false when
+ //session policy evaluation returns Effect::Pass and when
+ //all entities are in a tenant model(user/role/bucket etc)
+ auto& conf = dpp->get_cct()->_conf;
+ if (!s->identity->get_account() &&
+ conf->rgw_sts_backward_compatibility_7_1 &&
+ effect == Effect::Pass &&
+ !session_policies.empty()) {
+ ldpp_dout(dpp, 10) << __func__ << ": explicit deny from session policy for backward compatibility" << dendl;
+ return false;
+ }
+
+ //check for bucket ownership in case of a tenant for backward compatibility
+ if (!s->identity->get_account() &&
+ conf->rgw_sts_backward_compatibility_7_1 &&
+ bucket_owner_comptability) {
+ if (s->identity->is_owner_of(s->bucket_info.owner)) {
+ ldpp_dout(dpp, 10) << __func__ << ": backward compatibility check, it is a bucket owner, returning true" << dendl;
+ return true;
+ } else {
+ ldpp_dout(dpp, 10) << __func__ << ": backward compatibility check, it is NOT a bucket owner, returning false" << dendl;
+ return false;
+ }
+ }
+
const auto perm = op_to_perm(op);
return verify_bucket_permission_no_policy(dpp, s, user_acl, bucket_acl, perm, granted_by_acl);
}
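Review bot: The bucket-owner branch added here returns before the ACL fallback on the last two lines of the hunk (`verify_bucket_permission_no_policy`), so when `rgw_sts_backward_compatibility_7_1` and `bucket_owner_comptability` are both set a tenant principal that is not the bucket owner is denied even if the bucket ACL grants the permission; that may well be the intended 7.1 semantics, but nothing in the code says so — suggest replacing the comment above the `if` with `// 7.1 compat: for tenant identities, bucket-configuration ops are owner-only; bucket ACL grants are not consulted`. The session-policy `Effect::Pass` block above it is duplicated verbatim in the object-permission hunk further down (the one ending in `verify_object_permission_no_policy`), differing only in `s` versus `ps`; a small file-local helper taking the identity, the conf, `effect` and `session_policies` would keep the two in step. The new parameter is spelled `bucket_owner_comptability` in every signature in this diff; `bucket_owner_compatibility` is the conventional spelling and would save callers a grep. The enclosing verify_bucket_permission begins before this hunk.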
const boost::optional<Policy>& bucket_policy,
const vector<Policy>& user_policies,
const vector<Policy>& session_policies,
- const uint64_t op)
+ const uint64_t op,
+ bool bucket_owner_comptability)
{
perm_state_from_req_state ps(s);
auto expected = s->info.env->get("HTTP_X_AMZ_EXPECTED_BUCKET_OWNER");
return verify_bucket_permission(dpp, &ps, arn, account_root,
user_acl, bucket_acl,
bucket_policy, user_policies,
- session_policies, op, &s->granted_by_acl);
+ session_policies, op, &s->granted_by_acl, bucket_owner_comptability);
}
bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp,
}
bool verify_bucket_permission(const DoutPrefixProvider* dpp, req_state* s,
- const rgw::ARN& arn, uint64_t op)
+ const rgw::ARN& arn, uint64_t op, bool bucket_owner_comptability)
{
return verify_bucket_permission(dpp, s, arn, s->user_acl, s->bucket_acl,
s->iam_policy, s->iam_identity_policies,
- s->session_policies, op);
+ s->session_policies, op, bucket_owner_comptability);
}
-bool verify_bucket_permission(const DoutPrefixProvider* dpp, req_state* s, uint64_t op)
+bool verify_bucket_permission(const DoutPrefixProvider* dpp, req_state* s, uint64_t op, bool bucket_owner_comptability)
{
if (rgw::sal::Bucket::empty(s->bucket)) {
// request is missing a bucket name
return false;
}
- return verify_bucket_permission(dpp, s, ARN(s->bucket->get_key()), op);
+ return verify_bucket_permission(dpp, s, ARN(s->bucket->get_key()), op, bucket_owner_comptability);
}
return true;
}
+ //For backward compatibility with 7.1, return false when
+ //session policy evaluation returns Effect::Pass and when
+ //all entities are in a tenant model(user/role/bucket etc)
+ auto& conf = dpp->get_cct()->_conf;
+ if (!ps->identity->get_account() &&
+ conf->rgw_sts_backward_compatibility_7_1 &&
+ effect == Effect::Pass &&
+ !session_policies.empty()) {
+ ldpp_dout(dpp, 10) << __func__ << ": explicit deny from session policy for backward compatibility" << dendl;
+ return false;
+ }
+
const auto perm = op_to_perm(op);
return verify_object_permission_no_policy(dpp, ps, user_acl, bucket_acl,
object_acl, perm, granted_by_acl);
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketTagging)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketTagging, true)) {
return -EACCES;
}
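Review bot: The bare `true` appended to `verify_bucket_permission(this, s, rgw::IAM::s3PutBucketTagging, true)` here, and in the following bucket-configuration hunks (tagging, replication, versioning, website, location, CORS, request-payment, object-lock configuration), carries no meaning at the call site; a named constant such as `constexpr bool owner_only_compat = true;` or a one-line comment on the first occurrence would make the owner-only 7.1 fallback visible to readers. The two governance-retention hunks call the same function without the extra argument, so those callers appear to rely on a default declared in a header outside this diff; it is worth confirming that default is `false`, so operations not listed here keep their current evaluation. The enclosing verify_permission bodies start and end outside these hunks.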
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketTagging)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketTagging, true)) {
return -EACCES;
}
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3PutReplicationConfiguration)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3PutReplicationConfiguration, true)) {
return -EACCES;
}
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3DeleteReplicationConfiguration)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3DeleteReplicationConfiguration, true)) {
return -EACCES;
}
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketVersioning)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketVersioning, true)) {
return -EACCES;
}
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketVersioning)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketVersioning, true)) {
return -EACCES;
}
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketWebsite)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketWebsite, true)) {
return -EACCES;
}
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketWebsite)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketWebsite, true)) {
return -EACCES;
}
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3DeleteBucketWebsite)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3DeleteBucketWebsite, true)) {
return -EACCES;
}
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketLocation)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketLocation, true)) {
return -EACCES;
}
}
if (s->bucket->get_info().obj_lock_enabled() && bypass_governance_mode) {
+ auto& conf = get_cct()->_conf;
+ if (!s->auth.identity->get_account() &&
+ conf->rgw_sts_backward_compatibility_7_1) {
+ Effect e = evaluate_iam_policies(
+ this, s->env, *(s->auth.identity), false, rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key()),
+ s->iam_policy, s->iam_identity_policies, s->session_policies);
+ if (e == Effect::Deny) {
+ bypass_perm = false;
+ }
+ }
// require s3BypassGovernanceRetention for x-amz-bypass-governance-retention
bypass_perm = verify_bucket_permission(this, s, arn, rgw::IAM::s3BypassGovernanceRetention);
}
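Review bot: The `bypass_perm = false;` written in the Deny case is immediately overwritten by the unconditional `bypass_perm = verify_bucket_permission(this, s, arn, rgw::IAM::s3BypassGovernanceRetention);` on the following context line, so the added `evaluate_iam_policies` call has no effect on the outcome in this hunk. The parallel hunk further down (the one ending in `return 0;`) wraps the pre-existing assignment in an `else`; this one should either do the same or drop the block, otherwise a reader will assume the 7.1 path is exercised here when it is not. Whichever way it is resolved, the two governance-retention call sites should grant the bypass under the same rule, since an object-lock bypass is a privileged operation. The enclosing verify_permission body begins and ends outside the hunk.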
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketCORS)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketCORS, true)) {
return -EACCES;
}
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketCORS)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketCORS, true)) {
return -EACCES;
}
rgw_iam_add_buckettags(this, s);
// No separate delete permission
- if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketCORS)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketCORS, true)) {
return -EACCES;
}
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketRequestPayment)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketRequestPayment, true)) {
return -EACCES;
}
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketRequestPayment)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketRequestPayment, true)) {
return -EACCES;
}
rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
if (s->bucket->get_info().obj_lock_enabled() && bypass_governance_mode) {
- // require s3BypassGovernanceRetention for x-amz-bypass-governance-retention
- bypass_perm = verify_bucket_permission(this, s, rgw::IAM::s3BypassGovernanceRetention);
+ auto& conf = get_cct()->_conf;
+ if (!s->auth.identity->get_account() &&
+ conf->rgw_sts_backward_compatibility_7_1) {
+ Effect e = evaluate_iam_policies(
+ this, s->env, *(s->auth.identity), false, rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key()),
+ s->iam_policy, s->iam_identity_policies, s->session_policies);
+ if (e == Effect::Deny) {
+ bypass_perm = false;
+ }
+ } else {
+ // require s3BypassGovernanceRetention for x-amz-bypass-governance-retention
+ bypass_perm = verify_bucket_permission(this, s, rgw::IAM::s3BypassGovernanceRetention);
+ }
}
return 0;
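Review bot: In the compat branch `bypass_perm` is only assigned when `e == Effect::Deny`, so for `Effect::Pass` it keeps whatever value it had before the block; if that is an initial `true` set earlier in the function (outside this hunk), a tenant identity with no policy statement covering s3BypassGovernanceRetention retains the governance-retention bypass without the ownership or ACL evaluation that the `else` path still performs through `verify_bucket_permission`. If that asymmetry is the intended 7.1 behaviour it needs a comment, e.g. `// 7.1 compat: only an explicit policy Deny revokes the bypass; Pass keeps the default`; if not, the Pass case should fall through to the `verify_bucket_permission` call rather than be skipped. The same construction appears in the earlier governance-retention hunk, which should end up with matching semantics. The enclosing verify_permission starts outside the hunk.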
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketObjectLockConfiguration)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketObjectLockConfiguration, true)) {
return -EACCES;
}
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketObjectLockConfiguration)) {
+ if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketObjectLockConfiguration, true)) {
return -EACCES;
}