Fixes: https://tracker.ceph.com/issues/51206
Signed-off-by: caolei <halei15848934852@163.com>
if (op_ret < 0) {
return;
}
+ std::string user_tenant = s->user->get_tenant();
std::unique_ptr<rgw::sal::RGWRole> role = store->get_role(role_name,
- s->user->get_tenant(),
+ user_tenant,
role_path,
trust_policy,
max_session_duration);
+ if (!user_tenant.empty() && role->get_tenant() != user_tenant) {
+ ldpp_dout(this, 20) << "ERROR: the tenant provided in the role name does not match with the tenant of the user creating the role"
+ << dendl;
+ op_ret = -EINVAL;
+ return;
+ }
op_ret = role->create(s, true, y);
if (op_ret == -EEXIST) {
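Review bot: The tenant check added after `store->get_role(...)` is skipped whenever `user_tenant` is empty, so a user in the default (empty) tenant who passes a tenant-qualified role name still reaches `role->create()`; if the role takes its tenant from the name in that case, as the check implies it can, the cross-tenant create this commit blocks for tenanted users stays open for untenanted ones. Comparing unconditionally, `if (role->get_tenant() != user_tenant) {`, would cover both cases, provided `get_role` leaves the tenant empty for an unqualified name; that depends on the role constructor, which is not visible here, so it needs confirming. The rejection is also logged only at level 20 and without the role name or either tenant, so a denied attempt leaves no trace at normal log levels; consider `ldpp_dout(this, 1) << "role tenant " << role->get_tenant() << " does not match user tenant " << user_tenant << dendl;`. The enclosing function starts and ends outside the hunk.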