rgw/notifications: prevent anonymous topic operations

fixes: https://tracker.ceph.com/issues/58167

Signed-off-by: Yuval Lifshitz <ylifshit@redhat.com>

diff --git a/src/rgw/driver/rados/rgw_rest_pubsub.cc b/src/rgw/driver/rados/rgw_rest_pubsub.cc
index 86c18bf743975b3e3c786ea1709b7785f59f5460..6d37002c9f13389ef2770b8fcc312edc08bbcd22 100644 (file)
--- a/src/rgw/driver/rados/rgw_rest_pubsub.cc
+++ b/src/rgw/driver/rados/rgw_rest_pubsub.cc
@@ -510,7 +510,15 @@ RGWOp *RGWHandler_REST_PSTopic_AWS::op_post()
 }
 
 int RGWHandler_REST_PSTopic_AWS::authorize(const DoutPrefixProvider* dpp, optional_yield y) {
-  return RGW_Auth_S3::authorize(dpp, driver, auth_registry, s, y);
+  const auto rc = RGW_Auth_S3::authorize(dpp, driver, auth_registry, s, y);
+  if (rc < 0) {
+    return rc;
+  }
+  if (s->auth.identity->is_anonymous()) {
+    ldpp_dout(dpp, 1) << "anonymous user not allowed in topic operations" << dendl;
+    return -ERR_INVALID_REQUEST;
+  }
+  return 0;
 }
 
 namespace {