Effect eval_identity_or_session_policies(const vector<Policy>& policies,
const rgw::IAM::Environment& env,
- boost::optional<const rgw::auth::Identity&> id,
const uint64_t op,
- const ARN& resource) {
+ const ARN& arn) {
auto policy_res = Effect::Pass, prev_res = Effect::Pass;
for (auto& policy : policies) {
- if (policy_res = eval_or_pass(policy, env, id, op, resource); policy_res == Effect::Deny)
+ if (policy_res = eval_or_pass(policy, env, boost::none, op, arn); policy_res == Effect::Deny)
return policy_res;
else if (policy_res == Effect::Allow)
prev_res = Effect::Allow;
const rgw::ARN& res,
const uint64_t op)
{
- auto identity_policy_res = eval_identity_or_session_policies(user_policies, s->env, boost::none, op, res);
+ auto identity_policy_res = eval_identity_or_session_policies(user_policies, s->env, op, res);
if (identity_policy_res == Effect::Deny) {
return false;
}
if (! session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, boost::none, op, res);
+ auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, op, res);
if (session_policy_res == Effect::Deny) {
return false;
}
if (!verify_requester_payer_permission(s))
return false;
- auto identity_policy_res = eval_identity_or_session_policies(identity_policies, s->env, boost::none, op, ARN(bucket));
+ auto identity_policy_res = eval_identity_or_session_policies(identity_policies, s->env, op, ARN(bucket));
if (identity_policy_res == Effect::Deny)
return false;
//Take into account session policies, if the identity making a request is a role
if (!session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, boost::none, op, ARN(bucket));
+ auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, op, ARN(bucket));
if (session_policy_res == Effect::Deny) {
return false;
}
int verify_bucket_owner_or_policy(struct req_state* const s,
const uint64_t op)
{
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env, boost::none, op, ARN(s->bucket->get_key()));
+ auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env, op, ARN(s->bucket->get_key()));
if (identity_policy_res == Effect::Deny) {
return -EACCES;
}
}
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env, boost::none, op, ARN(s->bucket->get_key()));
+ auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env, op, ARN(s->bucket->get_key()));
if (session_policy_res == Effect::Deny) {
return -EACCES;
}
if (!verify_requester_payer_permission(s))
return false;
- auto identity_policy_res = eval_identity_or_session_policies(identity_policies, s->env, boost::none, op, ARN(obj));
+ auto identity_policy_res = eval_identity_or_session_policies(identity_policies, s->env, op, ARN(obj));
if (identity_policy_res == Effect::Deny)
return false;
return false;
if (!session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, boost::none, op, ARN(obj));
+ auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, op, ARN(obj));
if (session_policy_res == Effect::Deny) {
return false;
}
if (bucket_owner.compare(s->user->get_id()) != 0 &&
! s->auth.identity->is_admin_of(bucket_owner)) {
auto r = eval_identity_or_session_policies(s->iam_user_policies, s->env,
- *s->auth.identity, rgw::IAM::s3ListBucket,
- ARN(bucket->get_key()));
+ rgw::IAM::s3ListBucket, ARN(bucket->get_key()));
if (r == Effect::Allow)
return -ENOENT;
if (r == Effect::Deny)
}
if (! s->session_policies.empty()) {
r = eval_identity_or_session_policies(s->session_policies, s->env,
- *s->auth.identity, rgw::IAM::s3ListBucket,
- ARN(bucket->get_key()));
+ rgw::IAM::s3ListBucket, ARN(bucket->get_key()));
if (r == Effect::Allow)
return -ENOENT;
if (r == Effect::Deny)
rgw_iam_add_buckettags(this, s);
auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
- boost::none,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (identity_policy_res == Effect::Deny)
if (!s->session_policies.empty()) {
auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
- boost::none,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (session_policy_res == Effect::Deny) {
if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
- boost::none,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (identity_policy_res == Effect::Deny) {
if (!s->session_policies.empty()) {
auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
- boost::none,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (session_policy_res == Effect::Deny) {
if (s->iam_policy || ! s->iam_user_policies.empty() || ! s->session_policies.empty()) {
if (s->bucket->get_info().obj_lock_enabled() && bypass_governance_mode) {
- auto r = eval_identity_or_session_policies(s->iam_user_policies, s->env, boost::none,
+ auto r = eval_identity_or_session_policies(s->iam_user_policies, s->env,
rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key(), s->object->get_name()));
if (r == Effect::Deny) {
bypass_perm = false;
bypass_perm = false;
}
} else if (r == Effect::Pass && !s->session_policies.empty()) {
- r = eval_identity_or_session_policies(s->session_policies, s->env, boost::none,
+ r = eval_identity_or_session_policies(s->session_policies, s->env,
rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key(), s->object->get_name()));
if (r == Effect::Deny) {
bypass_perm = false;
}
}
auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
- boost::none,
s->object->get_instance().empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
if (!s->session_policies.empty()) {
auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
- boost::none,
s->object->get_instance().empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
ARN obj_arn(s->src_object->get_obj());
auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
- boost::none,
s->src_object->get_instance().empty() ?
rgw::IAM::s3GetObject :
rgw::IAM::s3GetObjectVersion,
}
if (!s->session_policies.empty()) {
auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
- boost::none,
s->src_object->get_instance().empty() ?
rgw::IAM::s3GetObject :
rgw::IAM::s3GetObjectVersion,
ARN obj_arn(dest_object->get_obj());
auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies,
- s->env, boost::none,
+ s->env,
rgw::IAM::s3PutObject,
obj_arn);
if (identity_policy_res == Effect::Deny) {
return -EACCES;
}
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env, boost::none, rgw::IAM::s3PutObject, obj_arn);
+ auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env, rgw::IAM::s3PutObject, obj_arn);
if (session_policy_res == Effect::Deny) {
return false;
}
if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
- boost::none,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (identity_policy_res == Effect::Deny) {
if (!s->session_policies.empty()) {
auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
- boost::none,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (session_policy_res == Effect::Deny) {
if (s->iam_policy || ! s->iam_user_policies.empty() || ! s->session_policies.empty()) {
auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
- boost::none,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (identity_policy_res == Effect::Deny) {
if (!s->session_policies.empty()) {
auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
- boost::none,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (session_policy_res == Effect::Deny) {
if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
- boost::none,
rgw::IAM::s3AbortMultipartUpload,
s->object->get_obj());
if (identity_policy_res == Effect::Deny) {
if (!s->session_policies.empty()) {
auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
- boost::none,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (session_policy_res == Effect::Deny) {
if (s->iam_policy || ! s->iam_user_policies.empty() || ! s->session_policies.empty()) {
if (s->bucket->get_info().obj_lock_enabled() && bypass_governance_mode) {
ARN bucket_arn(s->bucket->get_key());
- auto r = eval_identity_or_session_policies(s->iam_user_policies, s->env, boost::none,
+ auto r = eval_identity_or_session_policies(s->iam_user_policies, s->env,
rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key()));
if (r == Effect::Deny) {
bypass_perm = false;
bypass_perm = false;
}
} else if (r == Effect::Pass && !s->session_policies.empty()) {
- r = eval_identity_or_session_policies(s->session_policies, s->env, boost::none,
+ r = eval_identity_or_session_policies(s->session_policies, s->env,
rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key()));
if (r == Effect::Deny) {
bypass_perm = false;
bool not_versioned = rgw::sal::Object::empty(s->object.get()) || s->object->get_instance().empty();
auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
- boost::none,
not_versioned ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
if (!s->session_policies.empty()) {
auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
- boost::none,
not_versioned ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
std::unique_ptr<rgw::sal::Object> obj = bucket->get_object(*iter);
if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
- boost::none,
iter->instance.empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
if (!s->session_policies.empty()) {
auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
- boost::none,
iter->instance.empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
bucket_owner = bacl.get_owner();
if (policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
- boost::none,
rgw::IAM::s3PutObject, obj);
if (identity_policy_res == Effect::Deny) {
return false;
if (!s->session_policies.empty()) {
auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
- boost::none,
rgw::IAM::s3PutObject, obj);
if (session_policy_res == Effect::Deny) {
return false;
projects / ceph.git / commitdiff