const rgw_owner& bucket_owner = bucket_policy.get_owner().id;
if (bucket_owner != s->owner.id &&
!s->auth.identity->is_admin_of(bucket_owner)) {
- auto r = eval_identity_or_session_policies(dpp, s->iam_user_policies, s->env,
+ auto r = eval_identity_or_session_policies(dpp, s->iam_identity_policies, s->env,
rgw::IAM::s3ListBucket, ARN(bucket->get_key()));
if (r == Effect::Allow)
return -ENOENT;
auto user_policies = get_iam_user_policy_from_attr(s->cct,
s->user->get_attrs(),
s->user->get_tenant());
- s->iam_user_policies.insert(s->iam_user_policies.end(),
- std::make_move_iterator(user_policies.begin()),
- std::make_move_iterator(user_policies.end()));
+ s->iam_identity_policies.insert(s->iam_identity_policies.end(),
+ std::make_move_iterator(user_policies.begin()),
+ std::make_move_iterator(user_policies.end()));
} else {
if (ret == -ENOENT)
ret = 0;
}
static std::tuple<bool, bool> rgw_check_policy_condition(const DoutPrefixProvider *dpp, req_state* s, bool check_obj_exist_tag=true) {
- return rgw_check_policy_condition(dpp, s->iam_policy, s->iam_user_policies, s->session_policies, check_obj_exist_tag);
+ return rgw_check_policy_condition(dpp, s->iam_policy, s->iam_identity_policies, s->session_policies, check_obj_exist_tag);
}
static void rgw_add_grant_to_iam_environment(rgw::IAM::Environment& e, req_state *s){
ldpp_dout(this, 2) << "overriding permissions due to admin operation" << dendl;
} else if (!verify_object_permission(this, s, part->get_obj(), s->user_acl,
bucket_acl, obj_policy, bucket_policy,
- s->iam_user_policies, s->session_policies, action)) {
+ s->iam_identity_policies, s->session_policies, action)) {
return -EPERM;
}
if (ent.meta.size == 0) {
/* admin request overrides permission checks */
if (! s->auth.identity->is_admin_of(cs_acl.get_owner().id)) {
- if (policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
+ if (policy || ! s->iam_identity_policies.empty() || !s->session_policies.empty()) {
//add source object tags for permission evaluation
- auto [has_s3_existing_tag, has_s3_resource_tag] = rgw_check_policy_condition(this, policy, s->iam_user_policies, s->session_policies);
+ auto [has_s3_existing_tag, has_s3_resource_tag] = rgw_check_policy_condition(this, policy, s->iam_identity_policies, s->session_policies);
if (has_s3_existing_tag || has_s3_resource_tag)
rgw_iam_add_objtags(this, s, cs_object.get(), has_s3_existing_tag, has_s3_resource_tag);
auto usr_policy_res = Effect::Pass;
rgw::ARN obj_arn(cs_object->get_obj());
- for (auto& user_policy : s->iam_user_policies) {
+ for (auto& user_policy : s->iam_identity_policies) {
if (usr_policy_res = user_policy.eval(s->env, boost::none,
cs_object->get_instance().empty() ?
rgw::IAM::s3GetObject :
return ret;
}
- if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
+ if (s->iam_policy || ! s->iam_identity_policies.empty() || !s->session_policies.empty()) {
rgw_add_grant_to_iam_environment(s->env, s);
rgw_add_to_iam_environment(s->env, "s3:x-amz-acl", s->canned_acl);
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_identity_policies, s->env,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (identity_policy_res == Effect::Deny)
// add server-side encryption headers
rgw_iam_add_crypt_attrs(s->env, s->info.crypt_attribute_map);
- if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
+ if (s->iam_policy || ! s->iam_identity_policies.empty() || !s->session_policies.empty()) {
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_identity_policies, s->env,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (identity_policy_res == Effect::Deny) {
if (has_s3_existing_tag || has_s3_resource_tag)
rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
- if (s->iam_policy || ! s->iam_user_policies.empty() || ! s->session_policies.empty()) {
+ if (s->iam_policy || ! s->iam_identity_policies.empty() || ! s->session_policies.empty()) {
if (s->bucket->get_info().obj_lock_enabled() && bypass_governance_mode) {
- auto r = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
+ auto r = eval_identity_or_session_policies(this, s->iam_identity_policies, s->env,
rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key(), s->object->get_name()));
if (r == Effect::Deny) {
bypass_perm = false;
}
}
}
- auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_identity_policies, s->env,
s->object->get_instance().empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
/* admin request overrides permission checks */
if (!s->auth.identity->is_admin_of(src_acl.get_owner().id)) {
- if (src_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto [has_s3_existing_tag, has_s3_resource_tag] = rgw_check_policy_condition(this, src_policy, s->iam_user_policies, s->session_policies);
+ if (src_policy || ! s->iam_identity_policies.empty() || !s->session_policies.empty()) {
+ auto [has_s3_existing_tag, has_s3_resource_tag] = rgw_check_policy_condition(this, src_policy, s->iam_identity_policies, s->session_policies);
if (has_s3_existing_tag || has_s3_resource_tag)
rgw_iam_add_objtags(this, s, s->src_object.get(), has_s3_existing_tag, has_s3_resource_tag);
ARN obj_arn(s->src_object->get_obj());
- auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_identity_policies, s->env,
s->src_object->get_instance().empty() ?
rgw::IAM::s3GetObject :
rgw::IAM::s3GetObjectVersion,
auto dest_iam_policy = get_iam_policy_from_attr(s->cct, s->bucket->get_attrs(), s->bucket->get_tenant());
/* admin request overrides permission checks */
if (! s->auth.identity->is_admin_of(dest_policy.get_owner().id)){
- if (dest_iam_policy != boost::none || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
+ if (dest_iam_policy != boost::none || ! s->iam_identity_policies.empty() || !s->session_policies.empty()) {
//Add destination bucket tags for authorization
- auto [has_s3_existing_tag, has_s3_resource_tag] = rgw_check_policy_condition(this, dest_iam_policy, s->iam_user_policies, s->session_policies);
+ auto [has_s3_existing_tag, has_s3_resource_tag] = rgw_check_policy_condition(this, dest_iam_policy, s->iam_identity_policies, s->session_policies);
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s, s->bucket.get());
*md_directive);
ARN obj_arn(s->object->get_obj());
- auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_identity_policies,
s->env,
rgw::IAM::s3PutObject,
obj_arn);
// add server-side encryption headers
rgw_iam_add_crypt_attrs(s->env, s->info.crypt_attribute_map);
- if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
+ if (s->iam_policy || ! s->iam_identity_policies.empty() || !s->session_policies.empty()) {
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_identity_policies, s->env,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (identity_policy_res == Effect::Deny) {
// add server-side encryption headers
rgw_iam_add_crypt_attrs(s->env, s->info.crypt_attribute_map);
- if (s->iam_policy || ! s->iam_user_policies.empty() || ! s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
+ if (s->iam_policy || ! s->iam_identity_policies.empty() || ! s->session_policies.empty()) {
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_identity_policies, s->env,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (identity_policy_res == Effect::Deny) {
if (has_s3_existing_tag || has_s3_resource_tag)
rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
- if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
+ if (s->iam_policy || ! s->iam_identity_policies.empty() || !s->session_policies.empty()) {
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_identity_policies, s->env,
rgw::IAM::s3AbortMultipartUpload,
s->object->get_obj());
if (identity_policy_res == Effect::Deny) {
if (has_s3_existing_tag || has_s3_resource_tag)
rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
- if (s->iam_policy || ! s->iam_user_policies.empty() || ! s->session_policies.empty()) {
+ if (s->iam_policy || ! s->iam_identity_policies.empty() || ! s->session_policies.empty()) {
if (s->bucket->get_info().obj_lock_enabled() && bypass_governance_mode) {
ARN bucket_arn(s->bucket->get_key());
- auto r = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
+ auto r = eval_identity_or_session_policies(this, s->iam_identity_policies, s->env,
rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key()));
if (r == Effect::Deny) {
bypass_perm = false;
bool not_versioned = rgw::sal::Object::empty(s->object.get()) || s->object->get_instance().empty();
- auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_identity_policies, s->env,
not_versioned ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
{
std::string version_id;
std::unique_ptr<rgw::sal::Object> obj = bucket->get_object(o);
- if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
+ if (s->iam_policy || ! s->iam_identity_policies.empty() || !s->session_policies.empty()) {
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_identity_policies, s->env,
o.instance.empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
/* We can use global user_acl because each BulkDelete request is allowed
* to work on entities from a single account only. */
return verify_bucket_permission(dpp, s, binfo.bucket, s->user_acl,
- bacl, policy, s->iam_user_policies, s->session_policies, rgw::IAM::s3DeleteBucket);
+ bacl, policy, s->iam_identity_policies, s->session_policies, rgw::IAM::s3DeleteBucket);
}
bool RGWBulkDelete::Deleter::delete_single(const acct_path_t& path, optional_yield y)
auto policy = get_iam_policy_from_attr(s->cct, battrs, binfo.bucket.tenant);
bucket_owner = bacl.get_owner();
- if (policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
+ if (policy || ! s->iam_identity_policies.empty() || !s->session_policies.empty()) {
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_identity_policies, s->env,
rgw::IAM::s3PutObject, obj);
if (identity_policy_res == Effect::Deny) {
return false;
projects / ceph.git / commitdiff