rgw: replication require lock perm if enabled

Signed-off-by: Seena Fallah <seenafallah@gmail.com>

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index a0c66e7abdad82397b0f94dcd84a3a66921ef9a0..908371c81fc7d2e4a5be08547beb3f458e015dec 100644 (file)
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -1107,6 +1107,24 @@ int RGWGetObj::verify_permission(optional_yield y)
   // non-impersonated or standard system requests will be handled in rgw_process_authenticated().
   const bool is_replication_request = s->system_request;
 
+  if (s->bucket->get_info().obj_lock_enabled()) {
+    get_retention = verify_object_permission(this, s, rgw::IAM::s3GetObjectRetention);
+    if (is_replication_request && !get_retention) {
+      s->err.message = "missing s3:GetObjectRetention permission";
+      ldpp_dout(this, 4) << "ERROR: fetching object for replication object=" << s->object << " reason=" << s->err.message << dendl;
+
+      return -EACCES;
+    }
+
+    get_legal_hold = verify_object_permission(this, s, rgw::IAM::s3GetObjectLegalHold);
+    if (is_replication_request && !get_legal_hold) {
+      s->err.message = "missing s3:GetObjectLegalHold permission";
+      ldpp_dout(this, 4) << "ERROR: fetching object for replication object=" << s->object << " reason=" << s->err.message << dendl;
+
+      return -EACCES;
+    }
+  }
+
   if (is_replication_request) {
     // check for s3:GetObject(Version)Acl permission
     action = s->object->get_instance().empty() ? rgw::IAM::s3GetObjectAcl : rgw::IAM::s3GetObjectVersionAcl;
@@ -1143,11 +1161,6 @@ int RGWGetObj::verify_permission(optional_yield y)
     return -EACCES;
   }
 
-  if (s->bucket->get_info().obj_lock_enabled()) {
-    get_retention = verify_object_permission(this, s, rgw::IAM::s3GetObjectRetention);
-    get_legal_hold = verify_object_permission(this, s, rgw::IAM::s3GetObjectLegalHold);
-  }
-
   return 0;
 }