rgw/sts: createbucket op should take into account 44476/head
authorPritha Srivastava <prsrivas@redhat.com>
Thu, 8 Jul 2021 15:54:10 +0000 (21:24 +0530)
committerCasey Bodley <cbodley@redhat.com>
Tue, 28 Nov 2023 20:34:19 +0000 (15:34 -0500)
session policies also while evaluating permissions.

Fixes: https://tracker.ceph.com/issues/51598
Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
(cherry picked from commit 261eb60e0f3df202d0d13c719338690fbd6edb70)

src/rgw/rgw_common.cc
src/rgw/rgw_common.h

index e7b62527a05ba91389bc2970508175ee6e4c053f..45ce6144f069fa1a33f7c24157c359acd410821c 100644 (file)
@@ -1077,15 +1077,28 @@ bool verify_user_permission(const DoutPrefixProvider* dpp,
                             perm_state_base * const s,
                             RGWAccessControlPolicy * const user_acl,
                             const vector<rgw::IAM::Policy>& user_policies,
+                            const vector<rgw::IAM::Policy>& session_policies,
                             const rgw::ARN& res,
                             const uint64_t op)
 {
-  auto usr_policy_res = eval_identity_or_session_policies(user_policies, s->env, op, res);
-  if (usr_policy_res == Effect::Deny) {
+  auto identity_policy_res = eval_identity_or_session_policies(user_policies, s->env, op, res);
+  if (identity_policy_res == Effect::Deny) {
+    return false;
+  }
+
+  if (! session_policies.empty()) {
+    auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, op, res);
+    if (session_policy_res == Effect::Deny) {
+      return false;
+    }
+    //Intersection of identity policies and session policies
+    if (identity_policy_res == Effect::Allow && session_policy_res == Effect::Allow) {
+      return true;
+    }
     return false;
   }
 
-  if (usr_policy_res == Effect::Allow) {
+  if (identity_policy_res == Effect::Allow) {
     return true;
   }
 
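Review bot: When session_policies is non-empty, the new block returns false whenever either result is not Allow, so a request where both the identity and session policies are silent never reaches the remainder of verify_user_permission below the hunk (presumably the user_acl path, given the parameter), whereas with no session policies an identity-policy Pass still falls through to it. If that asymmetry is intended — a session policy must explicitly allow, and nothing below can widen a session — it deserves saying in code, e.g. replace `//Intersection of identity policies and session policies` with `// Session policies only narrow identity permissions: when present, the request is allowed only if both evaluate to Allow, and the fallback evaluation below is deliberately skipped.`; if it is not intended, the trailing `return false;` inside the block should fall through instead. As a point of style, the Deny check and the two returns inside the block reduce to `return identity_policy_res == Effect::Allow && session_policy_res == Effect::Allow;`, since a Deny is already not an Allow.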
@@ -1122,7 +1135,7 @@ bool verify_user_permission(const DoutPrefixProvider* dpp,
                             const uint64_t op)
 {
   perm_state_from_req_state ps(s);
-  return verify_user_permission(dpp, &ps, s->user_acl.get(), s->iam_user_policies, res, op);
+  return verify_user_permission(dpp, &ps, s->user_acl.get(), s->iam_user_policies, s->session_policies, res, op);
 }
 
 bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, 
index 714810d199dc41008a580b9ceefb60a3a342346d..20bc5e4e49f3810c2bae9832f6fd911ec157e374 100644 (file)
@@ -2106,6 +2106,7 @@ bool verify_user_permission(const DoutPrefixProvider* dpp,
                             struct req_state * const s,
                             RGWAccessControlPolicy * const user_acl,
                             const vector<rgw::IAM::Policy>& user_policies,
+                            const vector<rgw::IAM::Policy>& session_policies,
                             const rgw::ARN& res,
                             const uint64_t op);
 bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
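Review bot: The declaration changed here is the overload taking `struct req_state * const s`, while the definition changed in rgw_common.cc is the one taking `perm_state_base * const s`; I cannot tell from this diff whether each overload's declaration and definition were both updated, so it is worth confirming that no caller in another translation unit still binds to a six-parameter signature that no longer has a definition. A short comment on the declaration would also help callers, since the new parameter changes the evaluation rule: `/// session_policies: when non-empty, the request is allowed only if both the identity policies and the session policies evaluate to Allow; a Deny from either is final.`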