An S3 subuser having no permissions was able to do normal user ops.
From the AWS docs, there's no functionality for an S3 subuser as we do have
with Swift. The fix here is to check the "subuser perm mask" before going
forward with the "no_acl" check.
Fixes: https://tracker.ceph.com/issues/63791
Signed-off-by: Shreyansh Sancheti <ssanchet@redhat.com>
if (s->identity->get_identity_type() == TYPE_ROLE)
return false;
- /* S3 doesn't support account ACLs, so user_acl will be uninitialized. */
- if (user_acl.get_owner().id.empty())
- return true;
-
+ /* S3 doesn't have a subuser, it takes user permissions */
if ((perm & (int)s->perm_mask) != perm)
return false;
+ /* S3 doesn't support account ACLs, so user_acl will be uninitialized. */
+ if (user_acl.get_owner().id.empty())
+ return true;
+
return user_acl.verify_permission(dpp, *s->identity, perm, perm);
}
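Review bot: The new comment above the `perm_mask` test, `/* S3 doesn't have a subuser, it takes user permissions */`, reads as if the mask does not apply to S3, while the commit message says the point of the reordering is to enforce the subuser perm mask before the empty-owner shortcut returns true. Suggest rewording it to say that the mask is checked first so that a subuser with no permissions is rejected even when `user_acl` is uninitialized. No test accompanies the change in the visible lines; a regression case for an S3 subuser with no permissions would guard against the two checks being swapped back.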