rgw: rework authorization parts to accomodate Bulk Delete API.
authorRadoslaw Zarzynski <rzarzynski@mirantis.com>
Sun, 25 Oct 2015 14:17:56 +0000 (15:17 +0100)
committerRadoslaw Zarzynski <rzarzynski@mirantis.com>
Tue, 8 Dec 2015 16:57:23 +0000 (17:57 +0100)
Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
src/rgw/rgw_common.cc
src/rgw/rgw_common.h

index 3111880f795caa3cca0cfbeb9d20224cd1463bbd..57aaf1b7eadd7fa8afc7b6ca76a7c0463e3671c5 100644 (file)
@@ -727,9 +727,11 @@ bool verify_requester_payer_permission(struct req_state *s)
   return false;
 }
 
-bool verify_bucket_permission(struct req_state *s, int perm)
+bool verify_bucket_permission(struct req_state * const s,
+                              RGWAccessControlPolicy * const bucket_acl,
+                              const int perm)
 {
-  if (!s->bucket_acl)
+  if (!bucket_acl)
     return false;
 
   if ((perm & (int)s->perm_mask) != perm)
@@ -738,21 +740,33 @@ bool verify_bucket_permission(struct req_state *s, int perm)
   if (!verify_requester_payer_permission(s))
     return false;
 
-  return s->bucket_acl->verify_permission(s->user.user_id, perm, perm);
+  return bucket_acl->verify_permission(s->user.user_id, perm, perm);
 }
 
-static inline bool check_deferred_bucket_acl(struct req_state *s, uint8_t deferred_check, int perm)
+bool verify_bucket_permission(struct req_state * const s, const int perm)
 {
-  return (s->defer_to_bucket_acls == deferred_check && verify_bucket_permission(s, perm));
+  return verify_bucket_permission(s, s->bucket_acl, perm);
 }
 
-bool verify_object_permission(struct req_state *s, RGWAccessControlPolicy *bucket_acl, RGWAccessControlPolicy *object_acl, int perm)
+static inline bool check_deferred_bucket_acl(struct req_state * const s,
+                                             RGWAccessControlPolicy * const bucket_acl,
+                                             const uint8_t deferred_check,
+                                             const int perm)
 {
   if (!verify_requester_payer_permission(s))
     return false;
 
-  if (check_deferred_bucket_acl(s, RGW_DEFER_TO_BUCKET_ACLS_RECURSE, perm) ||
-      check_deferred_bucket_acl(s, RGW_DEFER_TO_BUCKET_ACLS_FULL_CONTROL, RGW_PERM_FULL_CONTROL)) {
+  return (s->defer_to_bucket_acls == deferred_check \
+              && verify_bucket_permission(s, bucket_acl, perm));
+}
+
+bool verify_object_permission(struct req_state * const s,
+                              RGWAccessControlPolicy * const bucket_acl,
+                              RGWAccessControlPolicy * const object_acl,
+                              const int perm)
+{
+  if (check_deferred_bucket_acl(s, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_RECURSE, perm) ||
+      check_deferred_bucket_acl(s, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_FULL_CONTROL, RGW_PERM_FULL_CONTROL)) {
     return true;
   }
 
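Review bot: The requester-pays guard no longer covers the object-ACL path of verify_object_permission, because the context lines `if (!verify_requester_payer_permission(s))` / `return false;` that used to open that function now open check_deferred_bucket_acl instead. When neither deferred check matches, execution falls through to the rest of verify_object_permission (which continues outside this hunk) without that guard, unless the unseen remainder repeats it. Inside check_deferred_bucket_acl the guard is redundant, since verify_bucket_permission already performs the same call before consulting the ACL. I would restore `if (!verify_requester_payer_permission(s)) return false;` as the first statement of verify_object_permission and drop it from the helper, so the refactor keeps the original authorization order.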
index bff070a06ae4c62208f5fbaf528270450ce33e1d..234e4d16abd523fc2c85894a371fcbbfc7607a3e 100644 (file)
@@ -1651,8 +1651,14 @@ extern string rgw_trim_quotes(const string& val);
 
 /** Check if the req_state's user has the necessary permissions
  * to do the requested action */
+extern bool verify_bucket_permission(struct req_state * s,
+                                     RGWAccessControlPolicy * bucket_acl,
+                                     int perm);
 extern bool verify_bucket_permission(struct req_state *s, int perm);
-extern bool verify_object_permission(struct req_state *s, RGWAccessControlPolicy *bucket_acl, RGWAccessControlPolicy *object_acl, int perm);
+extern bool verify_object_permission(struct req_state *s,
+                                     RGWAccessControlPolicy *bucket_acl,
+                                     RGWAccessControlPolicy *object_acl,
+                                     int perm);
 extern bool verify_object_permission(struct req_state *s, int perm);
 /** Convert an input URL into a sane object name
  * by converting %-escaped strings into characters, etc*/
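Review bot: The doc comment above these declarations does not say which inputs the new three-argument verify_bucket_permission takes from `s` and which from `bucket_acl`. In the definition, `s->perm_mask`, `s->user.user_id` and the requester-pays check (which receives only `s`) still come from the request, so a caller passing the ACL of a bucket other than the request's own gets those parts evaluated against request state. Whether that is intended for Bulk Delete is not visible here. I would add above the new declaration: `/** As below, but checks the caller-supplied bucket_acl; returns false when it is NULL. perm_mask, user and requester-pays are still taken from s. */`.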