rgw: fix policy enforcement for GetObjectAttributes 65441/head
authorMatt Benjamin <mbenjamin@redhat.com>
Mon, 8 Sep 2025 20:26:26 +0000 (16:26 -0400)
committerMatt Benjamin <mbenjamin@redhat.com>
Mon, 8 Sep 2025 20:26:26 +0000 (16:26 -0400)
Per https://docs.aws.amazon.com/cli/latest/reference/s3api/get-object-attributes.html:

"If the bucket is not versioned, you need the s3:GetObject and s3:GetObjectAttributes permissions."

Fixes: https://tracker.ceph.com/issues/72915
Signed-off-by: Matt Benjamin <mbenjamin@redhat.com>
src/rgw/rgw_op.cc
src/rgw/rgw_op.h

index 421c266b6d1587f291aafe4d321a0e8056cb36b5..ad72028aeb1e1c6f45da1b05529a4bc3c22bea6f 100644 (file)
@@ -6209,10 +6209,7 @@ int RGWGetObjAttrs::verify_permission(optional_yield y)
       rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
     }
 
-    /* XXXX the following conjunction should be &&--but iam_action2 is currently not
-     * hooked up and always fails (but should succeed if the requestor has READ
-     * acess to the object) */
-    perm = (verify_object_permission(this, s, iam_action1) || /* && */
+    perm = (verify_object_permission(this, s, iam_action1) &&
            verify_object_permission(this, s, iam_action2));
   }
 
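Review bot: The `||` → `&&` on the `perm =` line drops the comment explaining why the check had been weakened (iam_action2 "always fails"), but nothing in the hunk or the commit message shows what now makes the s3:GetObjectAttributes evaluation succeed, so a reader cannot tell whether this tightening turns every GetObjectAttributes request into a 403 or only the under-privileged ones; the commit should say how iam_action2 was hooked up, or reference the test that proves an authorized caller still passes. Since `iam_action1`/`iam_action2` are chosen above the hunk, it is also not visible here whether a versionId request selects the version-specific actions that the quoted AWS rule is conditioned on ("if the bucket is not versioned") — worth confirming. I would keep a short rationale in place of the deleted block, e.g. `/* AWS requires both s3:GetObject and s3:GetObjectAttributes for this call (tracker 72915); both checks must pass */`. Note that the previous `||` was a privilege-expansion bug (either permission alone granted the read), so this change is strictly tightening and the short-circuit means the second check is skipped once the first denies. The enclosing `RGWGetObjAttrs::verify_permission` starts and ends outside the hunk.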
index ed3b79a821e48df29c5dd0e435cecfe22824a3df..c98b98ad3ec302af5d177062ee907e5015fcbc97 100644 (file)
@@ -2170,7 +2170,6 @@ public:
   }
 };
 
-
 class RGWDeleteMultiObj : public RGWOp {
   /**
    * Handles the deletion of an individual object and uses