rgw/auth: account users also match ACL grants to their account id

ACL grants can now specify an account id for the CanonicalUser to
grant access to the entire account. this is implemented only for
LocalApplier

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 1698784e2eb72e99e3eaa477ae8e53b35a6ab377)

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index dcf835996844578a5e63745a755ce76a5ac7e58d..1daa709aa56206dd03beeab5d2c74f16a46406ee 100644 (file)
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -68,7 +68,7 @@ transform_old_authinfo(CephContext* const cct,
     }
 
     uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
-      return rgw_perms_from_aclspec_default_strategy(id, aclspec, dpp);
+      return rgw_perms_from_aclspec_default_strategy(id.to_str(), aclspec, dpp);
     }
 
     bool is_admin_of(const rgw_user& acct_id) const override {
@@ -147,13 +147,13 @@ transform_old_authinfo(const req_state* const s)
 
 
 uint32_t rgw_perms_from_aclspec_default_strategy(
-  const rgw_user& uid,
+  const std::string& uid,
   const rgw::auth::Identity::aclspec_t& aclspec,
   const DoutPrefixProvider *dpp)
 {
   ldpp_dout(dpp, 5) << "Searching permissions for uid=" << uid <<  dendl;
 
-  const auto iter = aclspec.find(uid.to_str());
+  const auto iter = aclspec.find(uid);
   if (std::end(aclspec) != iter) {
     ldpp_dout(dpp, 5) << "Found permission: " << iter->second << dendl;
     return iter->second;
@@ -560,7 +560,7 @@ uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const DoutPrefixProvid
   uint32_t perm = 0;
 
   /* For backward compatibility with ACLOwner. */
-  perm |= rgw_perms_from_aclspec_default_strategy(info.acct_user,
+  perm |= rgw_perms_from_aclspec_default_strategy(info.acct_user.to_str(),
                                                   aclspec, dpp);
 
   /* We also need to cover cases where rgw_keystone_implicit_tenants
@@ -568,7 +568,7 @@ uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const DoutPrefixProvid
   if (info.acct_user.tenant.empty()) {
     const rgw_user tenanted_acct_user(info.acct_user.id, info.acct_user.id);
 
-    perm |= rgw_perms_from_aclspec_default_strategy(tenanted_acct_user,
+    perm |= rgw_perms_from_aclspec_default_strategy(tenanted_acct_user.to_str(),
                                                     aclspec, dpp);
   }
 
@@ -782,7 +782,19 @@ ACLOwner rgw::auth::LocalApplier::get_aclowner() const
 
 uint32_t rgw::auth::LocalApplier::get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const
 {
-  return rgw_perms_from_aclspec_default_strategy(user_info.user_id, aclspec, dpp);
+  // match acl grants to the specific user id
+  uint32_t mask = rgw_perms_from_aclspec_default_strategy(
+      user_info.user_id.to_str(), aclspec, dpp);
+
+  if (!user_info.account_id.empty()) {
+    // account users also match acl grants to the account id. in aws, grantees
+    // ONLY refer to accounts. but we continue to match user grants to preserve
+    // access when moving legacy users into new accounts
+    mask |= rgw_perms_from_aclspec_default_strategy(
+        user_info.account_id, aclspec, dpp);
+  }
+
+  return mask;
 }
 
 bool rgw::auth::LocalApplier::is_admin_of(const rgw_user& uid) const

diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index aa81efe03dd42d2217b3220c107dee96b72f51f7..cf2d3583e876912fa1b10ce90aaad2dc0c2fe3f8 100644 (file)
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -813,6 +813,6 @@ protected:
 
 
 uint32_t rgw_perms_from_aclspec_default_strategy(
-  const rgw_user& uid,
+  const std::string& uid,
   const rgw::auth::Identity::aclspec_t& aclspec,
   const DoutPrefixProvider *dpp);