rgw/sts: createbucket op should take into account 42247/head
authorPritha Srivastava <prsrivas@redhat.com>
Thu, 8 Jul 2021 15:54:10 +0000 (21:24 +0530)
committerPritha Srivastava <prsrivas@redhat.com>
Thu, 8 Jul 2021 15:55:39 +0000 (21:25 +0530)
session policies also while evaluating permissions.

Fixes: https://tracker.ceph.com/issues/51598
Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
src/rgw/rgw_common.cc
src/rgw/rgw_common.h

index 39da1fdb2bb2c426cdcb428313ce882d42633bf1..9da2678fb20fc3480a66d13ffb62f296341844ef 100644 (file)
@@ -1082,15 +1082,28 @@ bool verify_user_permission(const DoutPrefixProvider* dpp,
                             perm_state_base * const s,
                             RGWAccessControlPolicy * const user_acl,
                             const vector<rgw::IAM::Policy>& user_policies,
+                            const vector<rgw::IAM::Policy>& session_policies,
                             const rgw::ARN& res,
                             const uint64_t op)
 {
-  auto usr_policy_res = eval_identity_or_session_policies(user_policies, s->env, boost::none, op, res);
-  if (usr_policy_res == Effect::Deny) {
+  auto identity_policy_res = eval_identity_or_session_policies(user_policies, s->env, boost::none, op, res);
+  if (identity_policy_res == Effect::Deny) {
+    return false;
+  }
+
+  if (! session_policies.empty()) {
+    auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, boost::none, op, res);
+    if (session_policy_res == Effect::Deny) {
+      return false;
+    }
+    //Intersection of identity policies and session policies
+    if (identity_policy_res == Effect::Allow && session_policy_res == Effect::Allow) {
+      return true;
+    }
     return false;
   }
 
-  if (usr_policy_res == Effect::Allow) {
+  if (identity_policy_res == Effect::Allow) {
     return true;
   }
 
@@ -1127,7 +1140,7 @@ bool verify_user_permission(const DoutPrefixProvider* dpp,
                             const uint64_t op)
 {
   perm_state_from_req_state ps(s);
-  return verify_user_permission(dpp, &ps, s->user_acl.get(), s->iam_user_policies, res, op);
+  return verify_user_permission(dpp, &ps, s->user_acl.get(), s->iam_user_policies, s->session_policies, res, op);
 }
 
 bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, 
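Review bot: The `return false;` that closes the new session-policy branch in the first hunk (the `@@ -1082` one) ends the function before anything after that hunk runs, and `verify_user_permission` continues outside the hunk, so a reader cannot tell from here whether skipping the later checks (presumably the `user_acl` path, given the parameter) whenever session policies are present is deliberate. Denying in that case is the fail-closed choice and matches intersection semantics, where a session-policy result that is neither Allow nor Deny still scopes the call out, but the one-line `//Intersection of identity policies and session policies` comment does not say that the remainder of the function is bypassed on purpose. I would extend it to `// With session policies present the effective permission is the intersection of identity and session policies; a result that is neither Allow nor Deny from either side is treated as Deny, and the checks below are intentionally not reached.` The nested test could also be flattened with a guard, `if (session_policy_res != Effect::Allow) return false;` followed by `return identity_policy_res == Effect::Allow;`, and `! session_policies.empty()` would read more conventionally as `!session_policies.empty()`.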
index dbe647f5817ccb3c08dbb49a4c23727474e8089b..2be5b1db1d9cdbec2910c8f86b39fe11e4033933 100644 (file)
@@ -2113,6 +2113,7 @@ bool verify_user_permission(const DoutPrefixProvider* dpp,
                             struct req_state * const s,
                             RGWAccessControlPolicy * const user_acl,
                             const vector<rgw::IAM::Policy>& user_policies,
+                            const vector<rgw::IAM::Policy>& session_policies,
                             const rgw::ARN& res,
                             const uint64_t op);
 bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,