Signed-off-by: Yehuda Sadeh <yehuda@redhat.com>
if (!rgw_user_is_authenticated(s->user))
return -EACCES;
- /* XXX: maybe we need to check ACLs here! */
- // if ((s->perm_mask & RGW_PERM_WRITE) == 0) {
- // return -EACCES;
- // }
+ if (s->user.user_id.tenant != s->bucket_tenant) {
+ ldout(s->cct, 10) << "user cannot create a bucket in a different tenant (user_id.tenant=" << s->user.user_id.tenant << " requested=" << s->bucket_tenant << ")" << dendl;
+ return -EACCES;
+ }
if (s->user.max_buckets) {
RGWUserBuckets buckets;
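Review bot: The new tenant check logs its denial only at level 10 (`ldout(s->cct, 10)`), so unless rgw runs at that debug level, a cross-tenant bucket-create attempt is visible only as the -EACCES returned to the client. Consider a lower level for this line, e.g. `ldout(s->cct, 1)`, if such attempts should be auditable. The hunk also deletes the `XXX: maybe we need to check ACLs here!` note together with the commented-out `RGW_PERM_WRITE` test, but the tenant comparison does not appear to answer that question. A short comment such as `/* tenant match only; s->perm_mask is not consulted here */` above the new `if` would keep the open point visible. The enclosing function starts and ends outside the hunk, so whether an ACL check happens elsewhere cannot be confirmed from here.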