}
};
-Effect eval_or_pass(const boost::optional<Policy>& policy,
+Effect eval_or_pass(const DoutPrefixProvider* dpp,
+ const boost::optional<Policy>& policy,
const rgw::IAM::Environment& env,
boost::optional<const rgw::auth::Identity&> id,
const uint64_t op,
}
-Effect eval_identity_or_session_policies(const vector<Policy>& policies,
+Effect eval_identity_or_session_policies(const DoutPrefixProvider* dpp,
+ const vector<Policy>& policies,
const rgw::IAM::Environment& env,
const uint64_t op,
const ARN& arn) {
auto policy_res = Effect::Pass, prev_res = Effect::Pass;
for (auto& policy : policies) {
- if (policy_res = eval_or_pass(policy, env, boost::none, op, arn); policy_res == Effect::Deny)
+ if (policy_res = eval_or_pass(dpp, policy, env, boost::none, op, arn); policy_res == Effect::Deny)
return policy_res;
else if (policy_res == Effect::Allow)
prev_res = Effect::Allow;
const rgw::ARN& res,
const uint64_t op)
{
- auto identity_policy_res = eval_identity_or_session_policies(user_policies, s->env, op, res);
+ auto identity_policy_res = eval_identity_or_session_policies(dpp, user_policies, s->env, op, res);
if (identity_policy_res == Effect::Deny) {
return false;
}
if (! session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, op, res);
+ auto session_policy_res = eval_identity_or_session_policies(dpp, session_policies, s->env, op, res);
if (session_policy_res == Effect::Deny) {
return false;
}
if (!verify_requester_payer_permission(s))
return false;
- auto identity_policy_res = eval_identity_or_session_policies(identity_policies, s->env, op, ARN(bucket));
+ auto identity_policy_res = eval_identity_or_session_policies(dpp, identity_policies, s->env, op, ARN(bucket));
if (identity_policy_res == Effect::Deny)
return false;
rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
- auto r = eval_or_pass(bucket_policy, s->env, *s->identity,
+ if (bucket_policy) {
+ ldpp_dout(dpp, 16) << __func__ << ": policy: " << bucket_policy.get()
+ << "resource: " << ARN(bucket) << dendl;
+ }
+ auto r = eval_or_pass(dpp, bucket_policy, s->env, *s->identity,
op, ARN(bucket), princ_type);
if (r == Effect::Deny)
return false;
//Take into account session policies, if the identity making a request is a role
if (!session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, op, ARN(bucket));
+ auto session_policy_res = eval_identity_or_session_policies(dpp, session_policies, s->env, op, ARN(bucket));
if (session_policy_res == Effect::Deny) {
return false;
}
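Review bot: The new trace line `ldpp_dout(dpp, 16) << __func__ << ": policy: " << bucket_policy.get()` is followed by `<< "resource: "` with no separator, so the serialized policy and the bucket ARN run together in the log; change the continuation to `<< " resource: " << ARN(bucket) << dendl;`. The object-level counterpart later in this diff (`eval_or_pass(dpp, bucket_policy, s->env, *s->identity, op, ARN(obj), princ_type)`) gets no such trace, so the two verify paths now log asymmetrically — either add the same guarded line there or keep this one out. Be aware this prints the entire bucket policy document whenever debug level 16 is enabled, so policy contents (principals, conditions) will appear in logs at that verbosity. The enclosing function starts and ends outside the hunk.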
int verify_bucket_owner_or_policy(req_state* const s,
const uint64_t op)
{
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env, op, ARN(s->bucket->get_key()));
+ auto identity_policy_res = eval_identity_or_session_policies(s, s->iam_user_policies, s->env, op, ARN(s->bucket->get_key()));
if (identity_policy_res == Effect::Deny) {
return -EACCES;
}
rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
- auto e = eval_or_pass(s->iam_policy,
+ auto e = eval_or_pass(s, s->iam_policy,
s->env, *s->auth.identity,
op, ARN(s->bucket->get_key()), princ_type);
if (e == Effect::Deny) {
}
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env, op, ARN(s->bucket->get_key()));
+ auto session_policy_res = eval_identity_or_session_policies(s, s->session_policies, s->env, op,
+ ARN(s->bucket->get_key()));
if (session_policy_res == Effect::Deny) {
return -EACCES;
}
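Review bot: `verify_bucket_owner_or_policy` passes the raw `req_state* s` as the new `DoutPrefixProvider*` argument in `eval_identity_or_session_policies(s, ...)` and `eval_or_pass(s, s->iam_policy, ...)`, whereas every other call site in this diff forwards a dedicated `dpp` or `this`. That only compiles if `req_state` itself is a `DoutPrefixProvider` (not visible here), and it means these checks log under the request's prefix rather than the operation's, unlike the sibling helpers. If that is intentional, a one-line comment would save the next reader the same question: `// req_state doubles as the DoutPrefixProvider here; this helper receives no op context`. The function's body continues past the end of the hunk.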
if (!verify_requester_payer_permission(s))
return false;
- auto identity_policy_res = eval_identity_or_session_policies(identity_policies, s->env, op, ARN(obj));
+ auto identity_policy_res = eval_identity_or_session_policies(dpp, identity_policies, s->env, op, ARN(obj));
if (identity_policy_res == Effect::Deny)
return false;
rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
- auto r = eval_or_pass(bucket_policy, s->env, *s->identity, op, ARN(obj), princ_type);
+ auto r = eval_or_pass(dpp, bucket_policy, s->env, *s->identity, op, ARN(obj), princ_type);
if (r == Effect::Deny)
return false;
if (!session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, op, ARN(obj));
+ auto session_policy_res = eval_identity_or_session_policies(dpp, session_policies, s->env, op, ARN(obj));
if (session_policy_res == Effect::Deny) {
return false;
}
const rgw_user& bucket_owner = bucket_policy.get_owner().get_id();
if (bucket_owner.compare(s->user->get_id()) != 0 &&
! s->auth.identity->is_admin_of(bucket_owner)) {
- auto r = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto r = eval_identity_or_session_policies(dpp, s->iam_user_policies, s->env,
rgw::IAM::s3ListBucket, ARN(bucket->get_key()));
if (r == Effect::Allow)
return -ENOENT;
return -EACCES;
}
if (! s->session_policies.empty()) {
- r = eval_identity_or_session_policies(s->session_policies, s->env,
+ r = eval_identity_or_session_policies(dpp, s->session_policies, s->env,
rgw::IAM::s3ListBucket, ARN(bucket->get_key()));
if (r == Effect::Allow)
return -ENOENT;
if (has_s3_resource_tag)
rgw_iam_add_buckettags(this, s);
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (identity_policy_res == Effect::Deny)
}
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (session_policy_res == Effect::Deny) {
}
if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (identity_policy_res == Effect::Deny) {
}
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (session_policy_res == Effect::Deny) {
if (s->iam_policy || ! s->iam_user_policies.empty() || ! s->session_policies.empty()) {
if (s->bucket->get_info().obj_lock_enabled() && bypass_governance_mode) {
- auto r = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto r = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key(), s->object->get_name()));
if (r == Effect::Deny) {
bypass_perm = false;
bypass_perm = false;
}
} else if (r == Effect::Pass && !s->session_policies.empty()) {
- r = eval_identity_or_session_policies(s->session_policies, s->env,
+ r = eval_identity_or_session_policies(this, s->session_policies, s->env,
rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key(), s->object->get_name()));
if (r == Effect::Deny) {
bypass_perm = false;
}
}
}
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
s->object->get_instance().empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
return -EACCES;
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
s->object->get_instance().empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
rgw_iam_add_objtags(this, s, s->src_object.get(), has_s3_existing_tag, has_s3_resource_tag);
ARN obj_arn(s->src_object->get_obj());
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
s->src_object->get_instance().empty() ?
rgw::IAM::s3GetObject :
rgw::IAM::s3GetObjectVersion,
return -EACCES;
}
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
s->src_object->get_instance().empty() ?
rgw::IAM::s3GetObject :
rgw::IAM::s3GetObjectVersion,
*md_directive);
ARN obj_arn(dest_object->get_obj());
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies,
s->env,
rgw::IAM::s3PutObject,
obj_arn);
return -EACCES;
}
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env, rgw::IAM::s3PutObject, obj_arn);
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
+ rgw::IAM::s3PutObject, obj_arn);
if (session_policy_res == Effect::Deny) {
return false;
}
rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (identity_policy_res == Effect::Deny) {
}
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (session_policy_res == Effect::Deny) {
rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
if (s->iam_policy || ! s->iam_user_policies.empty() || ! s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (identity_policy_res == Effect::Deny) {
}
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (session_policy_res == Effect::Deny) {
rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
rgw::IAM::s3AbortMultipartUpload,
s->object->get_obj());
if (identity_policy_res == Effect::Deny) {
}
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
rgw::IAM::s3PutObject,
s->object->get_obj());
if (session_policy_res == Effect::Deny) {
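Review bot: The session-policy evaluation in the second rewritten call is made with `rgw::IAM::s3PutObject,` while the identity-policy evaluation a few lines above, for the same request, uses `rgw::IAM::s3AbortMultipartUpload`; the two checks guarding one operation should name the same action. As written, a session policy that denies AbortMultipartUpload but permits PutObject (or vice versa) is evaluated against the wrong action on this path. This looks pre-existing rather than introduced by the `dpp` plumbing, but since the call is being rewritten it is the moment to change the session-policy action to `rgw::IAM::s3AbortMultipartUpload,`. The enclosing function starts and ends outside the hunk.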
if (s->iam_policy || ! s->iam_user_policies.empty() || ! s->session_policies.empty()) {
if (s->bucket->get_info().obj_lock_enabled() && bypass_governance_mode) {
ARN bucket_arn(s->bucket->get_key());
- auto r = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto r = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key()));
if (r == Effect::Deny) {
bypass_perm = false;
bypass_perm = false;
}
} else if (r == Effect::Pass && !s->session_policies.empty()) {
- r = eval_identity_or_session_policies(s->session_policies, s->env,
+ r = eval_identity_or_session_policies(this, s->session_policies, s->env,
rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key()));
if (r == Effect::Deny) {
bypass_perm = false;
bool not_versioned = rgw::sal::Object::empty(s->object.get()) || s->object->get_instance().empty();
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
not_versioned ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
return -EACCES;
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
not_versioned ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
std::string version_id;
std::unique_ptr<rgw::sal::Object> obj = bucket->get_object(*iter);
if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
iter->instance.empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
}
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
iter->instance.empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
bucket_owner = bacl.get_owner();
if (policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
rgw::IAM::s3PutObject, obj);
if (identity_policy_res == Effect::Deny) {
return false;
}
if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
rgw::IAM::s3PutObject, obj);
if (session_policy_res == Effect::Deny) {
return false;