]> git.apps.os.sepia.ceph.com Git - ceph.git/commitdiff
projects / ceph.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: f692d04)
rgw: block public access for Policies
authorAbhishek Lekshmanan <abhishek@suse.com>
Tue, 17 Sep 2019 12:07:00 +0000 (14:07 +0200)
committerAbhishek Lekshmanan <abhishek@suse.com>
Mon, 3 Feb 2020 16:53:33 +0000 (17:53 +0100)
Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
src/rgw/rgw_op.cc patch | blob | history
src/rgw/rgw_public_access.h patch | blob | history

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index be4b6ef2822515dace2800e526c1ff46fe299796..42682a6c637bca5e06702e13555b50f0a8cf8d4e 100644 (file)
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -5509,16 +5509,33 @@ void RGWPutACLs::execute()
     *_dout << dendl;
   }
 
-  new_policy.encode(bl);
   map<string, bufferlist> attrs;
+  attrs = s->bucket_attrs;
+  if (auto aiter = attrs.find(RGW_ATTR_PUBLIC_ACCESS);
+      aiter != attrs.end())
+  {
+    bufferlist::const_iterator iter{&aiter->second};
+    try {
+      rgw::IAM::PublicAccessConfiguration access_conf;
+      access_conf.decode(iter);
+      if (access_conf.block_public_acls() && new_policy.IsPublic()) {
+       op_ret = -EACCES;
+       return;
+      }
+    } catch (const buffer::error& e) {
+      ldpp_dout(this, 0) << __func__ <<  "decode access conf failed" << dendl;
+      op_ret = -EIO;
+      return;
+    }
+  }
 
+  new_policy.encode(bl);
   if (!s->object.empty()) {
     obj = rgw_obj(s->bucket, s->object);
     store->getRados()->set_atomic(s->obj_ctx, obj);
     //if instance is empty, we should modify the latest object
     op_ret = modify_obj_attr(store, s, obj, RGW_ATTR_ACL, bl);
   } else {
-    attrs = s->bucket_attrs;
     attrs[RGW_ATTR_ACL] = bl;
     op_ret = store->ctl()->bucket->set_bucket_instance_attrs(s->bucket_info, attrs,
                                                          &s->bucket_info.objv_tracker,
diff --git a/src/rgw/rgw_public_access.h b/src/rgw/rgw_public_access.h
index b509b9be4c5dc460c8623e7c42ccec1e8a625683..b0253a5b1b0d16ad78e6a3c96173ff81aa365574 100644 (file)
--- a/src/rgw/rgw_public_access.h
+++ b/src/rgw/rgw_public_access.h
@@ -27,8 +27,8 @@ class PublicAccessConfiguration {
   bool RestrictPublicBuckets;
  public:
  PublicAccessConfiguration():
-  BlockPublicAcls(true), IgnorePublicAcls(false),
-  BlockPublicPolicy(true), RestrictPublicBuckets(false)
+   BlockPublicAcls(false), IgnorePublicAcls(false),
+  BlockPublicPolicy(false), RestrictPublicBuckets(false)
     {}
 
   auto block_public_acls() const {
Unnamed repository; edit this file 'description' to name the repository.