// If RestrictPublicBuckets is enabled and the bucket policy allows public access,
// deny the request if the requester is not in the bucket owner account
- const bool restrict_public_buckets = s->public_access_block && s->public_access_block->restrict_public_buckets();
+ const bool restrict_public_buckets = s->public_access_block && s->public_access_block->RestrictPublicBuckets;
if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !s->identity->is_owner_of(s->bucket_info.owner)) {
ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl;
return false;
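Review bot: The block-public-access flags are now read as plain public data members at every authorization check, so the read-only guarantee of the removed `const` accessors is gone. This applies to `RestrictPublicBuckets` here and in the later `ps` variant, `IgnorePublicAcls` in the bucket and object ACL checks, and `BlockPublicAcls` / `BlockPublicPolicy` in the canned-ACL, ACL-policy and bucket-policy checks further down. Any code holding a non-const reference to the configuration can now assign to a flag, and an accidental `=` in one of these conditions would compile and silently change enforcement. If `public_access_block` is not already const-qualified where the request state holds it (not visible in this diff), consider making it so, or add a comment on the struct such as `// Authorization checks read these fields directly; treat them as read-only once the configuration has been parsed or decoded.` The enclosing function begins and ends outside this hunk.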
if (bucket_acl.verify_permission(dpp, *ps->identity, perm, perm,
ps->get_referer(),
ps->public_access_block &&
- ps->public_access_block->ignore_public_acls())) {
+ ps->public_access_block->IgnorePublicAcls)) {
ldpp_dout(dpp, 10) << __func__ << ": granted by bucket acl" << dendl;
if (granted_by_acl) {
*granted_by_acl = true;
// If RestrictPublicBuckets is enabled and the bucket policy allows public access,
// deny the request if the requester is not in the bucket owner account
- const bool restrict_public_buckets = ps->public_access_block && ps->public_access_block->restrict_public_buckets();
+ const bool restrict_public_buckets = ps->public_access_block && ps->public_access_block->RestrictPublicBuckets;
if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !ps->identity->is_owner_of(ps->bucket_info.owner)) {
ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl;
return false;
object_acl.verify_permission(dpp, *ps->identity, ps->perm_mask, perm,
nullptr, /* http referrer */
ps->public_access_block &&
- ps->public_access_block->ignore_public_acls())) {
+ ps->public_access_block->IgnorePublicAcls)) {
ldpp_dout(dpp, 10) << __func__ << ": granted by object acl" << dendl;
if (granted_by_acl) {
*granted_by_acl = true;
} /* copy_source */
// reject public canned acls
- if (s->public_access_block && s->public_access_block->block_public_acls() &&
+ if (s->public_access_block && s->public_access_block->BlockPublicAcls &&
(s->canned_acl == "public-read" ||
s->canned_acl == "public-read-write" ||
s->canned_acl == "authenticated-read")) {
}
if (s->public_access_block &&
- s->public_access_block->block_public_acls() &&
+ s->public_access_block->BlockPublicAcls &&
new_policy.is_public(this)) {
op_ret = -EACCES;
return;
s->cct->_conf.get_val<bool>("rgw_policy_reject_invalid_principals"));
rgw::sal::Attrs attrs(s->bucket_attrs);
if (s->public_access_block &&
- s->public_access_block->block_public_policy() &&
+ s->public_access_block->BlockPublicPolicy &&
rgw::IAM::is_public(p)) {
op_ret = -EACCES;
return;
oldState.copyfmt(os);
os << std::boolalpha
- << "BlockPublicAcls: " << access_conf.block_public_acls() << std::endl
- << "IgnorePublicAcls: " << access_conf.ignore_public_acls() << std::endl
- << "BlockPublicPolicy" << access_conf.block_public_policy() << std::endl
- << "RestrictPublicBuckets" << access_conf.restrict_public_buckets() << std::endl;
+ << "BlockPublicAcls: " << access_conf.BlockPublicAcls << std::endl
+ << "IgnorePublicAcls: " << access_conf.IgnorePublicAcls << std::endl
+ << "BlockPublicPolicy" << access_conf.BlockPublicPolicy << std::endl
+ << "RestrictPublicBuckets" << access_conf.RestrictPublicBuckets << std::endl;
os.copyfmt(oldState);
return os;
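Review bot: The labels for the last two flags still lack the `: ` separator that the first two have, so the output reads like `BlockPublicPolicytrue` and `RestrictPublicBucketsfalse`. The commit rewrites all four lines and is a cheap place to fix it, since this text is what an operator reads or greps when checking which public-access restrictions are in force. I would change the two lines to `<< "BlockPublicPolicy: " << access_conf.BlockPublicPolicy << std::endl` and `<< "RestrictPublicBuckets: " << access_conf.RestrictPublicBuckets << std::endl;`. The operator's signature is outside this hunk.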
class XMLObj;
namespace ceph { class Formatter; }
-class PublicAccessBlockConfiguration {
- bool BlockPublicAcls;
- bool IgnorePublicAcls;
- bool BlockPublicPolicy;
- bool RestrictPublicBuckets;
- public:
- PublicAccessBlockConfiguration():
- BlockPublicAcls(false), IgnorePublicAcls(false),
- BlockPublicPolicy(false), RestrictPublicBuckets(false)
- {}
-
- auto block_public_acls() const {
- return BlockPublicAcls;
- }
- auto ignore_public_acls() const {
- return IgnorePublicAcls;
- }
- auto block_public_policy() const {
- return BlockPublicPolicy;
- }
- auto restrict_public_buckets() const {
- return RestrictPublicBuckets;
- }
+struct PublicAccessBlockConfiguration {
+ bool BlockPublicAcls = false;
+ bool IgnorePublicAcls = false;
+ bool BlockPublicPolicy = false;
+ bool RestrictPublicBuckets = false;
void encode(ceph::bufferlist& bl) const {
ENCODE_START(1,1, bl);