rgw/auth: RoleApplier matches paths in role arns
authorCasey Bodley <cbodley@redhat.com>
Wed, 21 Feb 2024 22:48:20 +0000 (17:48 -0500)
committerCasey Bodley <cbodley@redhat.com>
Fri, 12 Apr 2024 19:34:29 +0000 (15:34 -0400)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 731bdbc150967bf77a6649d084f0e9a74e6df65b)

src/rgw/rgw_auth.cc
src/rgw/rgw_auth.h
src/rgw/rgw_rest_s3.cc

index dd9337818c79efa2010bb579f3a1050c66b95ee8..b5227aecf47cd9cc7049ff63c0ea97dbd2dfbd47 100644 (file)
@@ -980,8 +980,10 @@ bool rgw::auth::RoleApplier::is_identity(const Principal& p) const {
     return match_account_or_tenant(role.account_id, role.tenant,
                                    p.get_account());
   } else if (p.is_role()) {
-    return p.get_id() == role.name // TODO: match path/name
-        && p.get_account() == role.tenant;
+    std::string_view no_subuser;
+    // account roles can match both account- and tenant-based arns
+    return match_account_or_tenant(role.account_id, role.tenant, p.get_account())
+        && match_principal(role.path, role.name, no_subuser, p.get_id());
   } else if (p.is_assumed_role()) {
     string role_session = role.name + "/" + token_attrs.role_session_name; //role/role-session
     return p.get_account() == role.tenant
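Review bot: The assumed-role branch at the bottom of the hunk still compares `p.get_account() == role.tenant` and builds `role_session` from the bare `role.name`, while the `is_role()` branch just above now accepts both account- and tenant-based arns through `match_account_or_tenant` and matches the path with `match_principal`; an assumed-role principal written with the account id therefore appears to be rejected even though the equivalent role arn is accepted, which contradicts the new comment "account roles can match both account- and tenant-based arns". If that asymmetry is not deliberate, the same helpers should be used there, e.g. `return match_account_or_tenant(role.account_id, role.tenant, p.get_account()) && match_principal(role.path, role_session, no_subuser, p.get_id());`, though whether `match_principal` accepts the `name/session` form depends on its definition, which is outside this hunk. It would also help to state on the new lines what an empty `role.path` matches (presumably the default `/` path), since that is now part of an authorization decision and is not obvious from the call. `is_identity` starts and ends outside the hunk.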
index e2249e5fdf00e2b21a0ccd7c1f4ee89a3a419491..64e55d532f0613a4f46cb2e7f095a995004ca052 100644 (file)
@@ -726,6 +726,7 @@ public:
   struct Role {
     std::string id;
     std::string name;
+    std::string path;
     std::string tenant;
     rgw_account_id account_id;
     std::vector<std::string> inline_policies;
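Review bot: The new `path` member is undocumented although its value now takes part in the identity match in `RoleApplier::is_identity`, where it is passed to `match_principal` together with `name`; a one-line comment such as `std::string path; // arn path of the role, matched together with name in is_identity` would make that dependency visible to whoever next fills in a `Role`. It is also worth stating whether an empty `path` is acceptable or whether every site that populates a `Role` must set it, since the field defaults to empty. `struct Role` continues outside the hunk.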
index b854c70a48f2ef5fbac8ed84ca467cc7562ebad7..073b9bf9013f852cac8fb083c24aaec1edbf3688 100644 (file)
@@ -6456,6 +6456,7 @@ rgw::auth::s3::STSEngine::authenticate(
     }
     r.id = token.roleId;
     r.name = role->get_name();
+    r.path = role->get_path();
     r.tenant = role->get_tenant();
     r.account_id = role->get_account_id();
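Review bot: This assignment is the only place in the diff that populates the new `path` field, and `is_identity` now matches role arns on it; if `RoleApplier::Role` is constructed anywhere else outside this diff (I cannot see other initializers from here), `path` stays empty for those callers and role-arn matching will behave differently for them. Worth grepping for other sites that build a `Role` and giving each the same `r.path = role->get_path();`. `STSEngine::authenticate` starts and ends outside the hunk.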