rgw/iam: add s3:Get/PutAccountPublicAccessBlock actions
authorCasey Bodley <cbodley@redhat.com>
Tue, 1 Jul 2025 03:50:37 +0000 (23:50 -0400)
committerCasey Bodley <cbodley@redhat.com>
Wed, 20 May 2026 14:20:22 +0000 (10:20 -0400)
Signed-off-by: Casey Bodley <cbodley@redhat.com>
src/rgw/rgw_iam_policy.cc
src/rgw/rgw_iam_policy.h
src/test/rgw/test_rgw_iam_policy.cc

index 5ef051c7a977865c0003536660d4adeca0ae2a7a..c312632ed57fb5388a1d1f5feca5caecc8ccfc0b 100644 (file)
@@ -142,6 +142,8 @@ static const actpair actpairs[] =
  { "s3:ReplicateObject", s3ReplicateObject },
  { "s3:ReplicateTags", s3ReplicateTags },
  { "s3:GetObjectVersionForReplication", s3GetObjectVersionForReplication },
+ { "s3:PutAccountPublicAccessBlock", s3PutAccountPublicAccessBlock },
+ { "s3:GetAccountPublicAccessBlock", s3GetAccountPublicAccessBlock },
  { "s3-object-lambda:GetObject", s3objectlambdaGetObject },
  { "s3-object-lambda:ListBucket", s3objectlambdaListBucket },
  { "iam:PutUserPolicy", iamPutUserPolicy },
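Review bot: Since this table is what a policy's action names are resolved against, adding `"s3:PutAccountPublicAccessBlock"` here means any existing statement that grants `s3:Put*` or `s3:*` silently gains an account-scoped write to the public access block, and the commit does not call that out anywhere. Whether wildcard matching actually walks this table is inferred from the test file's `s3:Get*`-style expectations rather than visible in the hunk, but if it does, that widening deserves a sentence in the commit description and a short comment on the new pair, e.g. `// account-level (not bucket-level) PublicAccessBlock; reachable via s3:Put*/s3:Get* wildcards`. The actpairs array begins and ends outside this hunk.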
@@ -1510,6 +1512,12 @@ const char* action_bit_string(uint64_t action) {
   case s3GetObjectVersionForReplication:
     return "s3:GetObjectVersionForReplication";
 
+  case s3PutAccountPublicAccessBlock:
+    return "s3:PutAccountPublicAccessBlock";
+
+  case s3GetAccountPublicAccessBlock:
+    return "s3:GetAccountPublicAccessBlock";
+
   case s3objectlambdaGetObject:
     return "s3-object-lambda:GetObject";
 
index 8d7f83030add6df09b607a72cf1eb763d3c4da68..2915f0de3ca7a85e6f43d1169a7f1d0311dea51c 100644 (file)
@@ -121,6 +121,8 @@ enum {
   s3ReplicateObject,
   s3GetObjectVersionForReplication,
   s3ReplicateTags,
+  s3PutAccountPublicAccessBlock,
+  s3GetAccountPublicAccessBlock,
   s3All,
 
   s3objectlambdaGetObject,
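Review bot: The enum now holds several PublicAccessBlock enumerators whose scope differs only by a word in the name (`s3GetPublicAccessBlock` and `s3GetBucketPublicAccessBlock` are referenced in the test file, `s3GetAccountPublicAccessBlock` is added here), with nothing telling a reader which one an op's permission check should use. A one-line comment on the new pair, `// account-level PublicAccessBlock; distinct from the s3*PublicAccessBlock and s3*BucketPublicAccessBlock enumerators elsewhere in this enum`, would make the wrong bit harder to pick. Placing the pair before `s3All` appears to be what keeps them inside the s3 range; the enum's opening and the uses of `s3All` are outside this hunk.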
index b0f83ac4ec708c43b8b7d7f8f16c7ffdfdbeccea..2ccdc577089a3e46a74efbf7aca60baad10908ca 100644 (file)
@@ -90,6 +90,7 @@ using rgw::IAM::s3GetBucketObjectLockConfiguration;
 using rgw::IAM::s3GetObjectRetention;
 using rgw::IAM::s3GetObjectLegalHold;
 using rgw::IAM::s3DescribeJob;
+using rgw::IAM::s3GetAccountPublicAccessBlock;
 using rgw::IAM::s3objectlambdaGetObject;
 using rgw::IAM::s3objectlambdaListBucket;
 using rgw::IAM::iamGenerateCredentialReport;
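Review bot: Only the Get side is brought into the test's scope; `s3PutAccountPublicAccessBlock` is never referenced by any test hunk in this commit, so a mistyped string in the actpairs entry or a swapped enumerator on the Put side would not be caught. Adding `using rgw::IAM::s3PutAccountPublicAccessBlock;` here and an `act[s3PutAccountPublicAccessBlock] = 1;` expectation in whichever test parses a `s3:Put*` statement (Parse3 and Eval3 appear to cover `s3:Get*`) would close that gap. The using-declaration list continues outside this hunk.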
@@ -456,6 +457,7 @@ TEST_F(PolicyTest, Parse3) {
   act2[s3GetPublicAccessBlock] = 1;
   act2[s3GetBucketEncryption] = 1;
   act2[s3GetObjectVersionForReplication] = 1;
+  act2[s3GetAccountPublicAccessBlock] = 1;
 
   EXPECT_EQ(p->statements[2].action, act2);
   EXPECT_EQ(p->statements[2].notaction, None);
@@ -529,6 +531,7 @@ TEST_F(PolicyTest, Eval3) {
   s3allow[s3GetPublicAccessBlock] = 1;
   s3allow[s3GetBucketEncryption] = 1;
   s3allow[s3GetObjectVersionForReplication] = 1;
+  s3allow[s3GetAccountPublicAccessBlock] = 1;
 
   ARN arn1(Partition::aws, Service::s3,
                       "", arbitrary_tenant, "mybucket");
@@ -927,6 +930,7 @@ TEST_F(ManagedPolicyTest, AmazonS3ReadOnlyAccess)
   act[s3GetBucketPublicAccessBlock] = 1;
   act[s3GetBucketEncryption] = 1;
   act[s3GetObjectVersionForReplication] = 1;
+  act[s3GetAccountPublicAccessBlock] = 1;
   // s3:List*
   act[s3ListMultipartUploadParts] = 1;
   act[s3ListBucket] = 1;