const DoutPrefixProvider* dpp,
const rgw::IAM::Environment& env,
const rgw::auth::Identity& identity,
- uint64_t op, const rgw::ARN& arn,
+ bool account_root, uint64_t op, const rgw::ARN& arn,
const boost::optional<Policy>& resource_policy,
const vector<Policy>& identity_policies,
const vector<Policy>& session_policies)
return Effect::Allow;
}
+ if (account_root) {
+ ldpp_dout(dpp, 10) << __func__ << ": granted to account root" << dendl;
+ return Effect::Allow;
+ }
+
ldpp_dout(dpp, 10) << __func__ << ": implicit deny from identity-based policy" << dendl;
return Effect::Pass;
}
const uint64_t op,
bool mandatory_policy)
{
- const auto effect = evaluate_iam_policies(dpp, s->env, *s->identity, op, res,
- {}, user_policies, session_policies);
+ const bool account_root = (s->identity->get_identity_type() == TYPE_ROOT);
+ const auto effect = evaluate_iam_policies(dpp, s->env, *s->identity,
+ account_root, op, res, {},
+ user_policies, session_policies);
if (effect == Effect::Deny) {
return false;
}
bool verify_bucket_permission(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
const rgw_bucket& bucket,
+ bool account_root,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
<< " resource: " << ARN(bucket) << dendl;
}
const auto effect = evaluate_iam_policies(
- dpp, s->env, *s->identity, op, ARN(bucket), bucket_policy,
- identity_policies, session_policies);
+ dpp, s->env, *s->identity, account_root, op, ARN(bucket),
+ bucket_policy, identity_policies, session_policies);
if (effect == Effect::Deny) {
return false;
}
perm_state_from_req_state ps(s);
if (std::holds_alternative<rgw_account_id>(s->owner.id)) {
+ const bool account_root = (ps.identity->get_identity_type() == TYPE_ROOT);
if (!ps.identity->is_owner_of(s->bucket_owner.id)) {
ldpp_dout(dpp, 4) << "cross-account request for bucket owner "
<< s->bucket_owner.id << " != " << s->owner.id << dendl;
// cross-account requests evaluate the identity-based policies separately
// from the resource-based policies and require Allow from both
- return verify_bucket_permission(dpp, &ps, bucket, {}, {}, {},
+ return verify_bucket_permission(dpp, &ps, bucket, account_root, {}, {}, {},
user_policies, session_policies, op)
- && verify_bucket_permission(dpp, &ps, bucket, user_acl,
+ && verify_bucket_permission(dpp, &ps, bucket, false, user_acl,
bucket_acl, bucket_policy, {}, {}, op);
} else {
// don't consult acls for same-account access. require an Allow from
// either identity- or resource-based policy
- return verify_bucket_permission(dpp, &ps, bucket, {}, {},
+ return verify_bucket_permission(dpp, &ps, bucket, account_root, {}, {},
bucket_policy, user_policies,
session_policies, op);
}
}
- return verify_bucket_permission(dpp, &ps, bucket,
+ constexpr bool account_root = false;
+ return verify_bucket_permission(dpp, &ps, bucket, account_root,
user_acl, bucket_acl,
bucket_policy, user_policies,
session_policies, op);
int verify_bucket_owner_or_policy(const DoutPrefixProvider* dpp,
req_state* const s, const uint64_t op)
{
+ constexpr bool account_root = false; // just match owner below
const auto arn = ARN(s->bucket->get_key());
const auto effect = evaluate_iam_policies(
- dpp, s->env, *s->auth.identity, op, arn,
+ dpp, s->env, *s->auth.identity, account_root, op, arn,
s->iam_policy, s->iam_user_policies, s->session_policies);
if (effect == Effect::Deny) {
return -EACCES;
}
bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_base * const s,
- const rgw_obj& obj,
+ const rgw_obj& obj, bool account_root,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const RGWAccessControlPolicy& object_acl,
return false;
const auto effect = evaluate_iam_policies(
- dpp, s->env, *s->identity, op, ARN(obj), bucket_policy,
- identity_policies, session_policies);
+ dpp, s->env, *s->identity, account_root, op, ARN(obj),
+ bucket_policy, identity_policies, session_policies);
if (effect == Effect::Deny) {
return false;
}
perm_state_from_req_state ps(s);
if (std::holds_alternative<rgw_account_id>(s->owner.id)) {
+ const bool account_root = (ps.identity->get_identity_type() == TYPE_ROOT);
+
const rgw_owner& object_owner = !object_acl.get_owner().empty() ?
object_acl.get_owner().id : s->bucket_owner.id;
if (!ps.identity->is_owner_of(object_owner)) {
<< object_owner << " != " << s->owner.id << dendl;
// cross-account requests evaluate the identity-based policies separately
// from the resource-based policies and require Allow from both
- return verify_object_permission(dpp, &ps, obj, {}, {}, {}, {},
+ return verify_object_permission(dpp, &ps, obj, account_root, {}, {}, {}, {},
identity_policies, session_policies, op)
- && verify_object_permission(dpp, &ps, obj,
+ && verify_object_permission(dpp, &ps, obj, false,
user_acl, bucket_acl, object_acl,
bucket_policy, {}, {}, op);
} else {
// don't consult acls for same-account access. require an Allow from
// either identity- or resource-based policy
- return verify_object_permission(dpp, &ps, obj, {}, {}, {},
+ return verify_object_permission(dpp, &ps, obj, account_root, {}, {}, {},
bucket_policy, identity_policies,
session_policies, op);
}
}
- return verify_object_permission(dpp, &ps, obj,
+ constexpr bool account_root = false;
+ return verify_object_permission(dpp, &ps, obj, account_root,
user_acl, bucket_acl,
object_acl, bucket_policy,
identity_policies, session_policies, op);
projects / ceph.git / commitdiff