auto obj = rgw_obj(s->bucket, s->object);
rgw_iam_add_existing_objtags(store, s, obj, iam_action);
}
-
+ if (! s->iam_user_policies.empty()) {
+ for (auto& user_policy : s->iam_user_policies) {
+ if (user_policy.has_partial_conditional(S3_EXISTING_OBJTAG)) {
+ rgw_obj obj = rgw_obj(s->bucket, s->object);
+ rgw_iam_add_existing_objtags(store, s, obj, iam_action);
+ }
+ }
+ }
if (!verify_object_permission(this, s,iam_action))
return -EACCES;
return 0;
else if (usr_policy_res == Effect::Allow)
break;
}
- auto e = policy->eval(s->env, *s->auth.identity,
+ rgw::IAM::Effect e = Effect::Pass;
+ if (policy) {
+ e = policy->eval(s->env, *s->auth.identity,
cs_object.instance.empty() ?
rgw::IAM::s3GetObject :
rgw::IAM::s3GetObjectVersion,
rgw::IAM::ARN(obj));
+ }
if (e == Effect::Deny) {
return -EACCES;
} else if (usr_policy_res == Effect::Pass && e == Effect::Pass &&
if (usr_policy_res == Effect::Deny)
return -EACCES;
- auto e = s->iam_policy->eval(s->env, *s->auth.identity,
- rgw::IAM::s3PutObject,
- rgw_obj(s->bucket, s->object));
+ rgw::IAM::Effect e = Effect::Pass;
+ if (s->iam_policy) {
+ e = s->iam_policy->eval(s->env, *s->auth.identity,
+ rgw::IAM::s3PutObject,
+ rgw_obj(s->bucket, s->object));
+ }
if (e == Effect::Allow) {
return 0;
} else if (e == Effect::Deny) {
op_ret = -EACCES;
return;
}
- auto e = s->iam_policy->eval(s->env, *s->auth.identity,
+
+ rgw::IAM::Effect e = Effect::Pass;
+ if (s->iam_policy) {
+ e = s->iam_policy->eval(s->env, *s->auth.identity,
rgw::IAM::s3PutObject,
rgw_obj(s->bucket, s->object));
+ }
if (e == Effect::Deny) {
op_ret = -EACCES;
return;
if (usr_policy_res == Effect::Deny) {
return false;
}
- auto r = s->iam_policy->eval(s->env, *s->auth.identity,
+
+ rgw::IAM::Effect r = Effect::Pass;
+ if (s->iam_policy) {
+ r = s->iam_policy->eval(s->env, *s->auth.identity,
s->object.instance.empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
ARN(s->bucket, s->object.name));
+ }
if (r == Effect::Allow)
return true;
else if (r == Effect::Deny)
if (usr_policy_res == Effect::Deny) {
return -EACCES;
}
- auto e = s->iam_policy->eval(s->env, *s->auth.identity,
+
+ rgw::IAM::Effect e = Effect::Pass;
+ if (s->iam_policy) {
+ e = s->iam_policy->eval(s->env, *s->auth.identity,
rgw::IAM::s3PutObject,
rgw_obj(s->bucket, s->object));
+ }
if (e == Effect::Allow) {
return 0;
} else if (e == Effect::Deny) {
if (usr_policy_res == Effect::Deny) {
return -EACCES;
}
- auto e = s->iam_policy->eval(s->env, *s->auth.identity,
+
+ rgw::IAM::Effect e = Effect::Pass;
+ if (s->iam_policy) {
+ e = s->iam_policy->eval(s->env, *s->auth.identity,
rgw::IAM::s3PutObject,
rgw_obj(s->bucket, s->object));
+ }
if (e == Effect::Allow) {
return 0;
} else if (e == Effect::Deny) {
return -EACCES;
}
- auto e = s->iam_policy->eval(s->env, *s->auth.identity,
+ rgw::IAM::Effect e = Effect::Pass;
+ if (s->iam_policy) {
+ e = s->iam_policy->eval(s->env, *s->auth.identity,
rgw::IAM::s3AbortMultipartUpload,
rgw_obj(s->bucket, s->object));
+ }
if (e == Effect::Allow) {
return 0;
} else if (e == Effect::Deny) {
send_partial_response(*iter, false, "", -EACCES);
continue;
}
- auto e = s->iam_policy->eval(s->env,
+
+ rgw::IAM::Effect e = Effect::Pass;
+ if (s->iam_policy) {
+ e = s->iam_policy->eval(s->env,
*s->auth.identity,
iter->instance.empty() ?
rgw::IAM::s3DeleteObject :
rgw::IAM::s3DeleteObjectVersion,
obj);
+ }
if ((e == Effect::Deny) ||
(usr_policy_res == Effect::Pass && e == Effect::Pass && !acl_allowed)) {
send_partial_response(*iter, false, "", -EACCES);
projects / ceph.git / commitdiff