rgw: Check user permissions for governance retention bypass in multi-object delete.
authorMark Houghton <mhoughton@microfocus.com>
Wed, 28 Oct 2020 14:44:03 +0000 (14:44 +0000)
committerMatt Benjamin <mbenjamin@redhat.com>
Thu, 6 May 2021 14:11:33 +0000 (10:11 -0400)
fixes: https://tracker.ceph.com/issues/47586
Signed-off-by: Mark Houghton <mhoughton@microfocus.com>
(cherry picked from commit 4f1524199132cbf382877a35b040d691b12717d1)

Conflicts:
rgw_op.cc

src/rgw/rgw_op.cc

index 01e2a7929a1b6645f1af41d6c83a77e1096e2fc8..07dc025b6b8c26c435eef7d6250fe0f59ca16419 100644 (file)
@@ -6281,6 +6281,21 @@ void RGWGetHealthCheck::execute()
 int RGWDeleteMultiObj::verify_permission()
 {
   if (s->iam_policy || ! s->iam_user_policies.empty()) {
+    if (s->bucket_info.obj_lock_enabled()  && bypass_governance_mode) {
+      auto r = eval_user_policies(s->iam_user_policies, s->env, boost::none,
+                                 rgw::IAM::s3BypassGovernanceRetention,
+                                 ARN(s->bucket));
+      if (r == Effect::Deny) {
+        bypass_perm = false;
+      } else if (r == Effect::Pass && s->iam_policy) {
+        r = s->iam_policy->eval(s->env, *s->auth.identity,
+                               rgw::IAM::s3BypassGovernanceRetention,
+                               ARN(s->bucket));
+        if (r == Effect::Deny) {
+          bypass_perm = false;
+        }
+      }
+    }
     auto usr_policy_res = eval_user_policies(s->iam_user_policies, s->env,
                                               boost::none,
                                               s->object.instance.empty() ?
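Review bot: The `else if (r == Effect::Pass && s->iam_policy)` guard before the bucket-policy evaluation lets an Allow from any user policy short-circuit the bucket policy entirely, so an explicit Deny on `s3:BypassGovernanceRetention` in the bucket policy can no longer revoke the bypass; explicit Deny should win regardless of which policy holds it, which `} else if (s->iam_policy) {` gives with no other change. Both evaluations also use `ARN(s->bucket)` with no object key, so a Deny statement scoped to object resources (e.g. `bucket/*`) presumably evaluates to Pass against the bucket ARN and is missed — since the keys are only known later, consider re-checking per object once they are enumerated, or document above the block that only bucket-level statements are honoured here. Note that a Pass from both policies leaves `bypass_perm` at whatever value it had (set outside the hunk), i.e. the absence of a grant does not remove the bypass; if that is meant to mirror the single-object delete path, a one-line comment saying so would save the next reader from treating it as an oversight. The rest of `RGWDeleteMultiObj::verify_permission` continues past the end of the hunk.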