git-server-git.apps.pok.os.sepia.ceph.com Git - ceph.git/commitdiff
rgw: use object ARN for InitMultipart permissions 62154/head
author Casey Bodley <cbodley@redhat.com>
Wed, 26 Feb 2025 21:42:43 +0000 (16:42 -0500)
committer Casey Bodley <cbodley@redhat.com>
Thu, 6 Mar 2025 14:17:34 +0000 (09:17 -0500)
from https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html#mpuAndPermissions:
> You must be allowed to perform the s3:PutObject action on an object to create a multipart upload request.

but it was calling the verify_bucket_permission() overload which
defaulted to the bucket ARN. pass the object ARN instead, like we do for
RGWPutObj and RGWCompleteMultipart

Fixes: https://tracker.ceph.com/issues/70191
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 64ab3a3e49d0e7bc716ee5301e15a1ba61127bb4)

src/rgw/rgw_op.cc

index 414e1196691e992b40a2dfda00d22d976305a43e..04ebe88371809faa13a65a774d1c061fd45c4294 100644 (file)
@@ -6204,7 +6204,8 @@ int RGWInitMultipart::verify_permission(optional_yield y)
   // add server-side encryption headers
   rgw_iam_add_crypt_attrs(s->env, s->info.crypt_attribute_map);
 
-  if (!verify_bucket_permission(this, s, rgw::IAM::s3PutObject)) {
+  if (!verify_bucket_permission(this, s, ARN(s->object->get_obj()),
+                                rgw::IAM::s3PutObject)) {
     return -EACCES;
   }
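
Review bot: the changed check in RGWInitMultipart::verify_permission() has no regression test in the visible diff, which touches only src/rgw/rgw_op.cc, and it changes which policy statements are evaluated for s3:PutObject on this path. With `ARN(s->object->get_obj())` as the resource, Allow and Deny statements scoped to object keys now apply when a multipart upload is initiated, while statements whose Resource is only the bucket ARN no longer match. Please add a test that initiates a multipart upload under a policy with an object-scoped Allow and another with an object-scoped Deny, asserting that the second returns -EACCES. A one-line comment above the call noting that the object ARN is deliberate, matching RGWPutObj and RGWCompleteMultipart as the commit message says, would also help, since the function name still reads verify_bucket_permission.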