rgw: use is_admin() for permission checks
authorSeena Fallah <seenafallah@gmail.com>
Wed, 23 Apr 2025 22:22:08 +0000 (00:22 +0200)
committerCasey Bodley <cbodley@redhat.com>
Tue, 29 Apr 2025 14:22:47 +0000 (10:22 -0400)
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
(cherry picked from commit cc033cb16ff2971d215a92fab3038b185251cc22)

src/rgw/rgw_lib.cc
src/rgw/rgw_op.cc

index 471a6373c93e84bd9422aa45e2ff94adeef5ced7..bcf686de3d286e5dc4f169a0eab9e01ca5a49cee 100644 (file)
@@ -281,9 +281,7 @@ namespace rgw {
       ldpp_dout(s, 2) << "verifying op permissions" << dendl;
       ret = op->verify_permission(null_yield);
       if (ret < 0) {
-       if (s->system_request) {
-         ldpp_dout(op, 2) << "overriding permissions due to system operation" << dendl;
-       } else if (s->auth.identity->is_admin()) {
+       if (s->auth.identity->is_admin()) {
          ldpp_dout(op, 2) << "overriding permissions due to admin operation" << dendl;
        } else {
          abort_req(s, op, ret);
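Review bot: The override branch at `if (s->auth.identity->is_admin())` now depends entirely on is_admin() returning true for system requests, and nothing visible in this hunk establishes that; the removed `s->system_request` test was a plain flag that did not go through the identity object. If is_admin() does not cover system users, system operations that fail verify_permission() would fall through to abort_req() here, so a comment such as `// is_admin() is expected to be true for system requests as well as admin users` would record the assumption where it matters. The surviving log line also loses the system/admin distinction and stays at level 2, which makes a permission override hard to attribute afterwards; consider naming the identity in that message. The same points apply to the second rgw_lib.cc hunk and to RGWGetObj::read_user_manifest_part in rgw_op.cc. The enclosing function starts and ends outside the hunk.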
@@ -418,9 +416,7 @@ namespace rgw {
     ldpp_dout(s, 2) << "verifying op permissions" << dendl;
     ret = op->verify_permission(null_yield);
     if (ret < 0) {
-      if (s->system_request) {
-       ldpp_dout(op, 2) << "overriding permissions due to system operation" << dendl;
-      } else if (s->auth.identity->is_admin()) {
+      if (s->auth.identity->is_admin()) {
        ldpp_dout(op, 2) << "overriding permissions due to admin operation" << dendl;
       } else {
        abort_req(s, op, ret);
index c5a18ed0802538b1efcb8b0bbcc1f8956a217c9a..5811156afa254927997f8c64e7e0318f1139e220 100644 (file)
@@ -360,7 +360,7 @@ static int read_bucket_policy(const DoutPrefixProvider *dpp,
                               rgw_bucket& bucket,
                              optional_yield y)
 {
-  if (!s->system_request && bucket_info.flags & BUCKET_SUSPENDED) {
+  if (!s->auth.identity->is_admin() && bucket_info.flags & BUCKET_SUSPENDED) {
     ldpp_dout(dpp, 0) << "NOTICE: bucket " << bucket_info.bucket.name
         << " is suspended" << dendl;
     return -ERR_USER_SUSPENDED;
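Review bot: The suspended-bucket check in read_bucket_policy now exempts any identity for which is_admin() is true, where the old `!s->system_request` test exempted only system requests, and the commit message does not say whether that widening is intended. The same change appears in read_obj_policy and in the `-EACCES` guard in rgw_build_bucket_policies. The new condition also dereferences `s->auth.identity`, which the old flag test did not, so it presumably relies on every caller having completed authentication first; a one-line comment stating that would help. As a style point, parenthesising the flag test reads more safely: `if (!s->auth.identity->is_admin() && (bucket_info.flags & BUCKET_SUSPENDED)) {`. The function body continues past the hunk.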
@@ -397,7 +397,7 @@ static int read_obj_policy(const DoutPrefixProvider *dpp,
   std::unique_ptr<rgw::sal::Object> mpobj;
   rgw_obj obj;
 
-  if (!s->system_request && bucket_info.flags & BUCKET_SUSPENDED) {
+  if (!s->auth.identity->is_admin() && bucket_info.flags & BUCKET_SUSPENDED) {
     ldpp_dout(dpp, 0) << "NOTICE: bucket " << bucket_info.bucket.name
         << " is suspended" << dendl;
     return -ERR_USER_SUSPENDED;
@@ -604,7 +604,7 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d
     // send a PutBucketPolicy or DeleteBucketPolicy request as an admin/system
     // user. We can allow such requests, because even if the policy denied
     // access, admin/system users override that error from verify_permission().
-    if (!s->system_request) {
+    if (!s->auth.identity->is_admin()) {
       ret = -EACCES;
     }
   }
@@ -1856,9 +1856,7 @@ int RGWGetObj::read_user_manifest_part(rgw::sal::Bucket* bucket,
 
   /* We can use global user_acl because LOs cannot have segments
    * stored inside different accounts. */
-  if (s->system_request) {
-    ldpp_dout(this, 2) << "overriding permissions due to system operation" << dendl;
-  } else if (s->auth.identity->is_admin()) {
+  if (s->auth.identity->is_admin()) {
     ldpp_dout(this, 2) << "overriding permissions due to admin operation" << dendl;
   } else if (!verify_object_permission(this, s, part->get_obj(), s->user_acl,
                                       bucket_acl, obj_policy, bucket_policy,