// dump_keys is false if user-info-without-keys is 'read' and
// the user is not the system user or an admin user
int keys_perm = s->user->get_info().caps.check_cap("users", RGW_CAP_READ);
- if (keys_perm == 0 || op_state.system || s->auth.identity->is_admin_of(uid)) {
+ if (keys_perm == 0 || op_state.system || s->auth.identity->is_admin()) {
dump_keys = true;
ldpp_dout(s, 20) << "dump_keys is set to true" << dendl;
}
const rgw_user id;
const std::string display_name;
const std::string path;
- const bool is_admin;
+ const bool user_is_admin;
const uint32_t type;
const std::optional<RGWAccountInfo> account;
const std::vector<IAM::Policy> policies;
id(user.user_id),
display_name(user.display_name),
path(user.path),
- is_admin(user.admin),
+ user_is_admin(user.admin),
type(user.type),
account(std::move(account)),
policies(std::move(policies))
return rgw_perms_from_aclspec_default_strategy(id.to_str(), aclspec, dpp);
}
- bool is_admin_of(const rgw_owner& o) const override {
- return is_admin;
+ bool is_admin() const override {
+ return user_is_admin;
}
bool is_owner_of(const rgw_owner& o) const override {
void to_str(std::ostream& out) const override {
out << "RGWDummyIdentityApplier(auth_id=" << id
- << ", is_admin=" << is_admin << ")";
+ << ", is_admin=" << user_is_admin << ")";
}
auto load_acct_info(const DoutPrefixProvider* dpp) const -> std::unique_ptr<rgw::sal::User> override {
return perm;
}
-bool rgw::auth::RemoteApplier::is_admin_of(const rgw_owner& o) const
+bool rgw::auth::RemoteApplier::is_admin() const
{
return info.is_admin;
}
return mask;
}
-bool rgw::auth::LocalApplier::is_admin_of(const rgw_owner& o) const
+bool rgw::auth::LocalApplier::is_admin() const
{
return user_info.admin || user_info.system;
}
* applier that is being used. */
virtual uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const = 0;
- /* Verify whether a given identity *can be treated as* an admin of rgw_owner
- * specified in @o. On error throws rgw::auth::Exception storing the reason. */
- virtual bool is_admin_of(const rgw_owner& o) const = 0;
+ /* Verify whether a given identity *can be treated as* an admin.
+ * On error throws rgw::auth::Exception storing the reason. */
+ virtual bool is_admin() const = 0;
/* Verify whether a given identity is the rgw_owner specified in @o.
* On internal error throws rgw::auth::Exception storing the reason. */
return RGW_PERM_NONE;
}
- bool is_admin_of(const rgw_owner& o) const override {
+ bool is_admin() const override {
return false;
}
ACLOwner get_aclowner() const override;
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
- bool is_admin_of(const rgw_owner& o) const override;
+ bool is_admin() const override;
bool is_owner_of(const rgw_owner& o) const override;
bool is_root() const override;
bool is_identity(const Principal& p) const override;
ACLOwner get_aclowner() const override;
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override;
- bool is_admin_of(const rgw_owner& o) const override;
+ bool is_admin() const override;
bool is_owner_of(const rgw_owner& o) const override;
bool is_root() const override;
bool is_identity(const Principal& p) const override;
uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
return 0;
}
- bool is_admin_of(const rgw_owner& o) const override {
+ bool is_admin() const override {
return false;
}
bool is_owner_of(const rgw_owner& o) const override;
return RGW_PERM_NONE;
}
- bool is_admin_of(const rgw_owner& o) const override {
+ bool is_admin() const override {
return false;
}
return get_decoratee().get_perms_from_aclspec(dpp, aclspec);
}
- bool is_admin_of(const rgw_owner& o) const override {
- return get_decoratee().is_admin_of(o);
+ bool is_admin() const override {
+ return get_decoratee().is_admin();
}
bool is_owner_of(const rgw_owner& o) const override {
return DecoratedApplier<T>::get_tenant();
}
- bool is_admin_of(const rgw_owner& o) const override {
+ bool is_admin() const override {
if (is_system && !is_impersonating) {
return true;
}
- return DecoratedApplier<T>::is_admin_of(o);
+ return DecoratedApplier<T>::is_admin();
}
};
if (ret < 0) {
if (s->system_request) {
ldpp_dout(op, 2) << "overriding permissions due to system operation" << dendl;
- } else if (s->auth.identity->is_admin_of(s->user->get_id())) {
+ } else if (s->auth.identity->is_admin()) {
ldpp_dout(op, 2) << "overriding permissions due to admin operation" << dendl;
} else {
abort_req(s, op, ret);
if (ret < 0) {
if (s->system_request) {
ldpp_dout(op, 2) << "overriding permissions due to system operation" << dendl;
- } else if (s->auth.identity->is_admin_of(s->user->get_id())) {
+ } else if (s->auth.identity->is_admin()) {
ldpp_dout(op, 2) << "overriding permissions due to admin operation" << dendl;
} else {
abort_req(s, op, ret);
return ret;
}
- if (s->auth.identity->is_admin_of(bucket_policy.get_owner().id)) {
+ if (s->auth.identity->is_admin()) {
return -ENOENT;
}
* stored inside different accounts. */
if (s->system_request) {
ldpp_dout(this, 2) << "overriding permissions due to system operation" << dendl;
- } else if (s->auth.identity->is_admin_of(s->user->get_id())) {
+ } else if (s->auth.identity->is_admin()) {
ldpp_dout(this, 2) << "overriding permissions due to admin operation" << dendl;
} else if (!verify_object_permission(this, s, part->get_obj(), s->user_acl,
bucket_acl, obj_policy, bucket_policy,
}
if (ret == -EACCES || ret == -EPERM || ret == -ERR_AUTHORIZATION) {
// system requests may impersonate another user/role for permission checks
- // so only rely on is_admin_of() to override permissions
- if (s->auth.identity->is_admin_of(s->user->get_id())) {
+ // so only rely on is_admin() to override permissions
+ if (s->auth.identity->is_admin()) {
dout(2) << "overriding permissions due to admin operation" << dendl;
} else {
return ret;
auto action = s->object->get_instance().empty() ? rgw::IAM::s3GetObjectTagging : rgw::IAM::s3GetObjectVersionTagging;
// since we are already under s->system_request, if the request is not impersonating,
// it can be assumed that it is not a user-mode replication.
- bool keep_tags = s->auth.identity->is_admin_of(s->user->get_id()) || verify_object_permission(this, s, action);
+ bool keep_tags = s->auth.identity->is_admin() || verify_object_permission(this, s, action);
// remove tags from attrs if the user doesn't have permission
bufferlist tags_bl;
if (identity) {
token.acct_name = identity->get_acct_name();
token.perm_mask = identity->get_perm_mask();
- token.is_admin = identity->is_admin_of(token.user);
+ token.is_admin = identity->is_admin();
token.acct_type = identity->get_identity_type();
} else {
token.acct_name = {};
: LocalApplier(cct, std::move(user), std::nullopt, {}, LocalApplier::NO_SUBUSER,
std::nullopt, LocalApplier::NO_ACCESS_KEY) {
}
- bool is_admin_of(const rgw_owner& o) const {return false;}
+ bool is_admin() const {return false;}
bool is_owner_of(const rgw_owner& o) const {
auto* uid = std::get_if<rgw_user>(&o);
return uid && uid->id == RGW_USER_ANON_ID;
return 0;
};
- bool is_admin_of(const rgw_owner& o) const override {
+ bool is_admin() const override {
ceph_abort();
return false;
}
return 0;
};
- bool is_admin_of(const rgw_owner& o) const override {
+ bool is_admin() const override {
return false;
}
projects / ceph.git / commitdiff