rgw: enforce swift acls
authorYehuda Sadeh <yehuda@hq.newdream.net>
Fri, 24 Feb 2012 01:22:53 +0000 (17:22 -0800)
committerYehuda Sadeh <yehuda@hq.newdream.net>
Fri, 24 Feb 2012 01:22:53 +0000 (17:22 -0800)
doesn't work yet, but almost.

Signed-off-by: Yehuda Sadeh <yehuda@hq.newdream.net>
src/common/config_opts.h
src/rgw/rgw_common.cc

index ac6d0e567da1eda0e676be8012f3fe3abdabf9f3..afe1f191287e54b6a54c06501bfbfd5f157c2a54 100644 (file)
@@ -354,6 +354,7 @@ OPTION(rgw_socket_path, OPT_STR, "")   // path to unix domain socket, if not spe
 OPTION(rgw_dns_name, OPT_STR, "")
 OPTION(rgw_swift_url, OPT_STR, "")              // 
 OPTION(rgw_swift_url_prefix, OPT_STR, "swift")  // 
+OPTION(rgw_enforce_swift_acls, OPT_BOOL, true)
 OPTION(rgw_print_continue, OPT_BOOL, true)  // enable if 100-Continue works
 OPTION(rgw_remote_addr_param, OPT_STR, "REMOTE_ADDR")  // e.g. X-Forwarded-For, if you have a reverse proxy
 OPTION(rgw_op_thread_timeout, OPT_INT, 10*60)
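Review bot: The new `OPTION(rgw_enforce_swift_acls, OPT_BOOL, true)` line is the only one in this neighbourhood without a trailing comment, so a reader of config_opts.h cannot tell what the flag gates or why it defaults on. Judging from the rgw_common.cc hunk in this commit, it appears to enable a fallback from the object ACL to the bucket ACL's swift read/write-objects grants; a one-liner such as `// on object-ACL denial, fall back to bucket ACL's swift *_OBJS grants` would document that, if that is the intent. Because the default is `true`, any defect in that fallback path is live for every deployment unless the option is explicitly disabled, which is worth stating next to the default.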
index 1bc70a00e5263a7d7dfa2f8a65d3ef75fd95f635..1cac44c755a77fd5b58e13f13ed71c68e8226933 100644 (file)
@@ -355,7 +355,26 @@ bool verify_object_permission(struct req_state *s, int perm)
   if (!s->object_acl)
     return false;
 
-  return s->object_acl->verify_permission(s->user.user_id, s->perm_mask, perm);
+  bool ret = s->object_acl->verify_permission(s->user.user_id, s->perm_mask, perm);
+  if (ret)
+    return true;
+
+  if (!g_conf->rgw_enforce_swift_acls)
+    return ret;
+
+  if ((perm & (int)s->perm_mask) != perm)
+    return false;
+
+  int swift_perm = 0;
+  if (perm & (RGW_PERM_READ || RGW_PERM_READ_ACP))
+    swift_perm |= RGW_PERM_READ_OBJS;
+  if (perm & (RGW_PERM_WRITE || RGW_PERM_WRITE_ACP))
+    swift_perm |= RGW_PERM_WRITE_OBJS;
+
+  if (!swift_perm)
+    return false;
+
+  return s->bucket_acl->verify_permission(s->user.user_id, s->perm_mask, swift_perm);
 }
 
 static char hex_to_num(char c)
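Review bot: The two flag tests `if (perm & (RGW_PERM_READ || RGW_PERM_READ_ACP))` and `if (perm & (RGW_PERM_WRITE || RGW_PERM_WRITE_ACP))` use logical `||`, so each parenthesised expression collapses to 1 and the test only examines the lowest bit of `perm` rather than the intended flags; they should read `if (perm & (RGW_PERM_READ | RGW_PERM_READ_ACP))` and `if (perm & (RGW_PERM_WRITE | RGW_PERM_WRITE_ACP))`. Since this is an authorization decision that is on by default (rgw_enforce_swift_acls defaults to true in config_opts.h), the mis-mapping can deny or grant the wrong class of access depending on the numeric values of the RGW_PERM_* constants, which are not visible here, and may well be why the commit message says it does not work yet. The final line dereferences `s->bucket_acl` without the null guard that `s->object_acl` gets at the top of the hunk; add `if (!s->bucket_acl) return false;` before it. The `return ret;` after the enforce check is always a `return false` at that point and would read more clearly written as such. The enclosing verify_object_permission starts above the hunk.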