git.apps.os.sepia.ceph.com Git - ceph-ci.git/commitdiff
rgw: use object ARN for InitMultipart permissions
author Casey Bodley <cbodley@redhat.com>
Wed, 26 Feb 2025 21:42:43 +0000 (16:42 -0500)
committer Casey Bodley <cbodley@redhat.com>
Wed, 26 Feb 2025 21:42:45 +0000 (16:42 -0500)
from https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html#mpuAndPermissions:
> You must be allowed to perform the s3:PutObject action on an object to create a multipart upload request.

but it was calling the verify_bucket_permission() overload which
defaulted to the bucket ARN. pass the object ARN instead, like we do for
RGWPutObj and RGWCompleteMultipart

Fixes: https://tracker.ceph.com/issues/70191
Signed-off-by: Casey Bodley <cbodley@redhat.com>
src/rgw/rgw_op.cc

index 4fcb51b5472f7e7bb4ddc1b51bd8b8948edc8092..9f81b929f7dcad48ddd587e8296a5d1c72817087 100644 (file)
@@ -6618,7 +6618,8 @@ int RGWInitMultipart::verify_permission(optional_yield y)
   // add server-side encryption headers
   rgw_iam_add_crypt_attrs(s->env, s->info.crypt_attribute_map);
 
-  if (!verify_bucket_permission(this, s, rgw::IAM::s3PutObject)) {
+  if (!verify_bucket_permission(this, s, ARN(s->object->get_obj()),
+                                rgw::IAM::s3PutObject)) {
     return -EACCES;
   }
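Review bot: the changed `verify_bucket_permission(this, s, ARN(s->object->get_obj()), rgw::IAM::s3PutObject)` call in RGWInitMultipart::verify_permission() changes which policy statements match at InitMultipart, and this diff touches only src/rgw/rgw_op.cc, so nothing pins the new behaviour. Please add a regression test with a policy whose Resource is object-scoped (a key or key prefix rather than the bucket ARN) and check both directions: an Allow on s3:PutObject for that object resource lets the multipart upload start, and a Deny on it returns -EACCES. Two smaller points on the same line: the helper name says "bucket" while the argument is now an object ARN, so a one-line comment noting that this is intentional and matches RGWPutObj and RGWCompleteMultipart would save the next reader a lookup; and since `s->object` is dereferenced here, it is worth confirming it is always set by the time verify_permission() runs for this op.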