rgw: decouple system user from admin user.
authorRadoslaw Zarzynski <rzarzynski@mirantis.com>
Sun, 17 Apr 2016 11:08:48 +0000 (13:08 +0200)
committerRadoslaw Zarzynski <rzarzynski@mirantis.com>
Thu, 2 Jun 2016 13:30:38 +0000 (15:30 +0200)
Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
src/rgw/librgw.cc
src/rgw/rgw_auth.cc
src/rgw/rgw_common.h
src/rgw/rgw_op.cc
src/rgw/rgw_process.cc

index 572380b5c0f5dd3e10adb1e44ee7b3aca07709b5..ff60a1a8a83086b688b7d0d38f026cd4534c001e 100644 (file)
@@ -260,6 +260,8 @@ namespace rgw {
     if (ret < 0) {
       if (s->system_request) {
        dout(2) << "overriding permissions due to system operation" << dendl;
+      } else if (s->auth_identity->is_admin_of(s->user->user_id)) {
+       dout(2) << "overriding permissions due to admin operation" << dendl;
       } else {
        abort_req(s, op, ret);
        goto done;
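Review bot: The new `else if` branch asks whether the caller is admin of `s->user->user_id`, the requesting user itself, whereas the rgw_op.cc hunks in this commit test admin status against the owner of the bucket or policy being accessed. A short comment stating why the requester's own id is the right subject here would keep a later reader from treating the two checks as interchangeable. The override is also recorded only as a fixed string at debug level 2, so a log reviewer cannot tell which identity bypassed the failed check; consider `dout(2) << "overriding permissions due to admin operation, user=" << s->user->user_id << dendl;`. The same branch is added in the second librgw.cc hunk (@@ -370) and in process_request in rgw_process.cc. The enclosing function starts and ends outside each hunk, so what produced `ret` is not visible here.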
@@ -370,6 +372,8 @@ namespace rgw {
     if (ret < 0) {
       if (s->system_request) {
        dout(2) << "overriding permissions due to system operation" << dendl;
+      } else if (s->auth_identity->is_admin_of(s->user->user_id)) {
+       dout(2) << "overriding permissions due to admin operation" << dendl;
       } else {
        abort_req(s, op, ret);
        goto done;
index 858d3267bd6f83ebb006d346acdede7681909122..d3716a86792a848a163d3d738a578846fad47f0f 100644 (file)
@@ -64,5 +64,7 @@ rgw_auth_transform_old_authinfo(req_state * const s)
         new RGWDummyIdentityApplier(s->cct,
                                     s->user->user_id,
                                     s->perm_mask,
+  /* System user has admin permissions by default - it's supposed to pass
+   * through any security check. */
                                     s->system_request));
 }
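Review bot: The added comment sits at a two-space indent in the middle of the constructor's argument list, so it reads as detached from `s->system_request`, the argument it explains. This one argument is what gives system users the blanket admin bypass, so it should be easy to spot at the call site. Indent the comment to the argument column, directly above `s->system_request`. The function begins outside the hunk.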
index ab597ab18a17b1d2312c3f87116b948188ae1e78..6d87f0b92a630a5ddf0d429a6a796687baededd3 100644 (file)
@@ -1270,6 +1270,8 @@ struct req_state {
   RGWAccessControlPolicy *bucket_acl;
   RGWAccessControlPolicy *object_acl;
 
+  /* Is the request made by an user marked as a system one?
+   * Being system user means we also have the admin status. */
   bool system_request;
 
   /* aws4 auth support */
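Review bot: The new comment on `system_request` says a system user also has admin status, but the field does not enforce that. In this commit the link is made only in rgw_auth_transform_old_authinfo, where the flag is passed to RGWDummyIdentityApplier. Pointing to that function in the comment would tell a reader where the implication is implemented. The first line also needs a grammar fix: `/* Is the request made by a user marked as a system one?`. The struct continues outside the hunk.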
index 5cee66ff35d60a7bc6c21d491e737ba1027bfeaf..7a02047f1d7d0af5b8fb2aad557d79d1934e75c0 100644 (file)
@@ -277,8 +277,9 @@ static int read_policy(RGWRados *store, struct req_state *s,
       return ret;
     }
 
-    rgw_user& owner = bucket_policy.get_owner().get_id();
-    if (!s->system_request && owner.compare(s->user->user_id) != 0 &&
+    const rgw_user& bucket_owner = bucket_policy.get_owner().get_id();
+    if (bucket_owner.compare(s->user->user_id) != 0 &&
+        !s->auth_identity->is_admin_of(bucket_owner) &&
         !bucket_policy.verify_permission(*s->auth_identity, s->perm_mask,
                                          RGW_PERM_READ)) {
       ret = -EACCES;
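Review bot: With `!s->system_request` removed from this condition, the system-user bypass now depends entirely on `s->auth_identity->is_admin_of()` returning true for system users. In this commit that is arranged only for RGWDummyIdentityApplier (rgw_auth.cc); whether other identity implementations do the same is not visible here. A comment stating the requirement, such as `/* is_admin_of() must hold for system users; see rgw_auth_transform_old_authinfo(). */`, would guard against a silent change in who passes this check. The same substitution is made in both RGWCopyObj::verify_permission hunks. read_policy continues outside the hunk.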
@@ -3301,8 +3302,10 @@ int RGWCopyObj::verify_permission()
       return op_ret;
     }
 
-    if (!s->system_request && /* admin request overrides permission checks */
-        !src_policy.verify_permission(*s->auth_identity, s->perm_mask, RGW_PERM_READ)) {
+    /* admin request overrides permission checks */
+    if (!s->auth_identity->is_admin_of(src_policy.get_owner().get_id()) &&
+        !src_policy.verify_permission(*s->auth_identity, s->perm_mask,
+                                      RGW_PERM_READ)) {
       return -EACCES;
     }
   }
@@ -3339,7 +3342,8 @@ int RGWCopyObj::verify_permission()
     return op_ret;
   }
 
-  if (!s->system_request && /* system request overrides permission checks */
+  /* admin request overrides permission checks */
+  if (!s->auth_identity->is_admin_of(dest_policy.get_owner().get_id()) &&
       !dest_bucket_policy.verify_permission(*s->auth_identity, s->perm_mask,
                                             RGW_PERM_WRITE)) {
     return -EACCES;
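Review bot: The admin check reads the owner from `dest_policy`, but the permission check on the next line is made against `dest_bucket_policy`, and `dest_policy` is neither declared nor filled within this hunk. If it does not yet hold the destination bucket's owner at this point, `is_admin_of()` is evaluated against the wrong or an empty owner. Unless that is intended, use `if (!s->auth_identity->is_admin_of(dest_bucket_policy.get_owner().get_id()) &&`. If it is intended, say so in the comment above the condition. The function starts outside the hunk.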
index c5fa0fe4e87d04951549e3b3a07fd54268478fe4..a0d04c0a4b7810fd1b71c2ad664cbf830f0642e4 100644 (file)
@@ -159,6 +159,8 @@ int process_request(RGWRados* store, RGWREST* rest, RGWRequest* req,
   if (ret < 0) {
     if (s->system_request) {
       dout(2) << "overriding permissions due to system operation" << dendl;
+    } else if (s->auth_identity->is_admin_of(s->user->user_id)) {
+      dout(2) << "overriding permissions due to admin operation" << dendl;
     } else {
       abort_early(s, op, ret, handler);
       goto done;