services:
- rgw
with_legacy: true
+# An user can have up to 100 IAM user policies.
+- name: rgw_user_policies_max_num
+ type: int
+ level: advanced
+ desc: Max number of IAM user policies on a single user
+ default: 100
+ services:
+ - rgw
+ with_legacy: true
# According to AWS S3(http://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html),
# An cors can have up to 100 rules.
- name: rgw_cors_rules_max_num
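Review bot: The new `rgw_user_policies_max_num` entry does not document its edge values, which matters because this option is the only cap on how many policies a user can accumulate. The C++ side of this change replaces any negative value with a built-in 100, and a value of 0 would reject every policy put, but neither is stated in `desc`. I would add a line such as `long_desc: Negative values fall back to the built-in limit of 100; 0 disallows adding any user policy.` so an operator cannot assume that -1 means unlimited. The comment above the entry should also read `# A user can have up to 100 IAM user policies.`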
}
bufferlist in_bl;
policies[policy_name] = policy;
+#define USER_POLICIES_MAX_NUM 100
+ int max_num = s->cct->_conf->rgw_user_policies_max_num;
+ if (max_num < 0) {
+ max_num = USER_POLICIES_MAX_NUM;
+ }
+ if (policies.size() > max_num) {
+ ldpp_dout(this, 4) << "IAM user policies has reached the num config: "
+ << max_num << ", cant add another" << dendl;
+ op_ret = -ERR_INVALID_REQUEST;
+ s->err.message =
+ "The number of IAM user policies should not exceed allowed limit "
+ "of " +
+ std::to_string(max_num) + " policies.";
+ return;
+ }
encode(policies, in_bl);
user->get_attrs()[RGW_ATTR_USER_POLICY] = in_bl;
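Review bot: The limit check `policies.size() > max_num` compares what is presumably an unsigned container size with a signed `int`. It is only correct because of the negative-value guard just above it, and it will trigger a sign-compare warning; make the conversion explicit with `if (policies.size() > static_cast<size_t>(max_num)) {`. The `#define USER_POLICIES_MAX_NUM 100` sits in the middle of a function body, so it leaks into the rest of the translation unit and duplicates the default already declared in the options file. A scoped `static constexpr int USER_POLICIES_MAX_NUM = 100;` would be safer. Running the check after `policies[policy_name] = policy;` but before `encode()` is sound: replacing an existing policy at the limit still succeeds and nothing over the limit is persisted, which deserves a one-line comment. The enclosing function starts and ends outside this hunk, so I could not check how `op_ret` is handled after the early `return`.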