Allow access to admin users that don't belong to the requested account.
This is also necessary for multisite, where requests are forwarded to
the metadata master as the multisite system user instead of the original
requester.
Signed-off-by: Casey Bodley <cbodley@redhat.com>
return -EINVAL;
}
- const auto& account = s->auth.identity->get_account();
- if (!account) {
- return -ERR_METHOD_NOT_ALLOWED;
- }
- if (account_id != account->id) {
- s->err.message = "x-amz-account-id must match the requester";
- return -EINVAL;
+ if (!s->auth.identity->is_admin()) {
+ // verify that the requester belongs to the specified account
+ const auto& account = s->auth.identity->get_account();
+ if (!account) {
+ return -ERR_METHOD_NOT_ALLOWED;
+ }
+ if (account_id != account->id) {
+ s->err.message = "x-amz-account-id must match the requester";
+ return -EINVAL;
+ }
}
return 0;
}