git-server-git.apps.pok.os.sepia.ceph.com Git - ceph.git/commitdiff
rgw: prevent data sync from replicating to buckets not owned by the user
author Seena Fallah <seenafallah@gmail.com>
Fri, 14 Feb 2025 11:39:54 +0000 (12:39 +0100)
committer Seena Fallah <seenafallah@gmail.com>
Fri, 14 Feb 2025 11:39:54 +0000 (12:39 +0100)
Issue https://tracker.ceph.com/issues/68884 revealed that because
user_acl is initialized by default in RGWUserPermHandler::Init with
the same identity, calling verify_bucket_permission_no_policy()
would mistakenly allow the request since the user ACL matches the
identity. Removing the default creation of user_acl would align the
behavior with other S3 operations to prevent unauthorized data replication.

Fixes: https://tracker.ceph.com/issues/69972
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
src/rgw/driver/rados/rgw_data_sync.cc

index e63fdfae3950feec432dada1c635740b8d20eb8c..7eb8db380889c4263d951085ac0be53629c2ae1c 100644 (file)
@@ -2694,8 +2694,8 @@ class RGWUserPermHandler {
 
       ret = RGWUserPermHandler::policy_from_attrs(
           sync_env->cct, user->get_attrs(), &info->user_acl);
-      if (ret == -ENOENT) {
-        info->user_acl.create_default(uid, user->get_display_name());
+      if (ret < 0 && ret != -ENOENT) {
+        return ret;
       }
 
       return 0;
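
Review bot: The new condition `if (ret < 0 && ret != -ENOENT)` changes two behaviours at once, and the commit message explains only one of them. Dropping `create_default()` on `-ENOENT` is the fix described, but the same line also starts returning every other negative `ret` from `policy_from_attrs()`, where the old code fell through to `return 0`. That stricter handling looks right, yet it deserves a sentence in the commit message, since a previously ignored error now fails the init. The `-ENOENT` case still returns 0, now with `info->user_acl` left exactly as `policy_from_attrs()` left it; a short comment at this spot saying the ACL is intentionally not defaulted to the user's own identity would keep someone from restoring the default later and reopening the permission bypass. If `uid` was used only by the removed `create_default()` call, drop it as well.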