rgw/auth: Identity matches account user principals
authorCasey Bodley <cbodley@redhat.com>
Tue, 2 Jan 2024 23:28:12 +0000 (18:28 -0500)
committerCasey Bodley <cbodley@redhat.com>
Fri, 12 Apr 2024 19:34:27 +0000 (15:34 -0400)
when a user belongs to an account, they match Principal ARNs by account
id instead of tenant name, and by user name instead of user id

Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 8e24a611db7a951c2523503e922c9fda4fb68f2e)

src/rgw/rgw_auth.cc

index 5899b65b73625badcc5f716ed1a9e1f6394d6925..187ea2c71f0e0018a275dd40d00d82a2aa8f7ab1 100644 (file)
@@ -146,8 +146,13 @@ transform_old_authinfo(CephContext* const cct,
         return p.get_account() == id.tenant;
       } else if (p.is_user()) {
         std::string_view no_subuser;
-        return p.get_account() == id.tenant
-            && match_principal(path, id.id, no_subuser, p.get_id());
+        // account users can match both account- and tenant-based arns
+        if (!account_id.empty() && p.get_account() == account_id) {
+          return match_principal(path, display_name, no_subuser, p.get_id());
+        } else {
+          return p.get_account() == id.tenant
+              && match_principal(path, id.id, no_subuser, p.get_id());
+        }
       }
       return false;
     }
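Review bot: The new account branch keys the user-name half of the match on `display_name`, a free-form user attribute, so two users of one account with the same display name would both satisfy a Principal ARN unless uniqueness is enforced by the account layer; that precondition is not visible in this hunk and should be stated where the match is made, e.g. `// relies on display_name being unique within an account (enforced at user creation)` — confirm that enforcement exists before relying on it. The `p.is_account()` branch two lines above still compares `p.get_account()` against `id.tenant` only, so an account-level principal does not identify an account user even though the `is_user()` branch now does; if that is intentional for this commit, a comment saying so would help, otherwise the same `account_id` comparison presumably belongs there. The second hunk (`LocalApplier::is_identity`) shares both points. The enclosing function begins before the hunk in both cases.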
@@ -867,9 +872,16 @@ bool rgw::auth::LocalApplier::is_identity(const Principal& p) const {
   } else if (p.is_account()) {
     return p.get_account() == user_info.user_id.tenant;
   } else if (p.is_user()) {
-    return p.get_account() == user_info.user_id.tenant
-        && match_principal(user_info.path, user_info.user_id.id,
-                           subuser, p.get_id());
+    // account users can match both account- and tenant-based arns
+    if (!user_info.account_id.empty() &&
+        p.get_account() == user_info.account_id) {
+      return match_principal(user_info.path, user_info.display_name,
+                             subuser, p.get_id());
+    } else {
+      return p.get_account() == user_info.user_id.tenant
+          && match_principal(user_info.path, user_info.user_id.id,
+                             subuser, p.get_id());
+    }
   }
   return false;
 }