To replicate objects encrypted with SSE-KMS,
s3:GetObjectVersionForReplication is required.
Signed-off-by: Seena Fallah <seenafallah@gmail.com>
(cherry picked from commit
3024b70ad56a7733527be7bae53d0a19a368c45c)
// fallback to s3:GetObject(Version) permission
action = s->object->get_instance().empty() ? rgw::IAM::s3GetObject : rgw::IAM::s3GetObjectVersion;
+
+ // sse-kms is not supported by s3:GetObject(Version) permission
+ bufferlist bl;
+ if (s->object->get_attr(RGW_ATTR_CRYPT_MODE, bl) && bl.to_str() == "SSE-KMS") {
+ s->err.message = "object is encrypted with SSE-KMS, missing s3:GetObjectVersionForReplication permission";
+ ldpp_dout(this, 4) << "ERROR: fetching object for replication object=" << s->object << " reason=" << s->err.message << dendl;
+
+ return -EACCES;
+ }
} else if (get_torrent) {
action = s->object->get_instance().empty() ? rgw::IAM::s3GetObjectTorrent : rgw::IAM::s3GetObjectVersionTorrent;
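Review bot: The SSE-KMS guard fails open when the crypt-mode attribute cannot be read: a false return from `get_attr(RGW_ATTR_CRYPT_MODE, bl)` is treated the same as "not SSE-KMS", so the fallback to s3:GetObject(Version) proceeds. That is only safe if the object's attributes are guaranteed to be loaded before this branch runs, which the hunk does not show; I would state the precondition next to the check, e.g. `// attrs must already be loaded here; an unreadable RGW_ATTR_CRYPT_MODE is treated as unencrypted`. The mode is also matched against the bare literal `"SSE-KMS"`, so any other KMS-backed mode the gateway may store would still take the fallback, which is worth confirming as intended. The enclosing function starts and ends outside the hunk.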
} else {
ret = op->verify_permission(y);
std::swap(span, s->trace);
}
- if (ret < 0) {
+ if (ret == -EACCES || ret == -EPERM || ret == -ERR_AUTHORIZATION) {
// system requests may impersonate another user/role for permission checks
// so only rely on is_admin_of() to override permissions
if (s->auth.identity->is_admin_of(s->user->get_id())) {
} else {
return ret;
}
+ } else if (ret < 0) {
+ // other errors are not overridden as they might be invalid input
+ return ret;
}
ldpp_dout(op, 2) << "verifying op params" << dendl;
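Review bot: The `ret == -EACCES` branch also catches the new SSE-KMS denial that this commit returns from the replication fallback, so an identity for which `is_admin_of(s->user->get_id())` is true would still fetch an SSE-KMS object without s3:GetObjectVersionForReplication, assuming that check is reached through `op->verify_permission(y)`. If the denial is meant to be unconditional it needs an error code outside this set; if the admin bypass is intended, say so in the comment, e.g. `// the admin override also applies to the SSE-KMS replication denial`. As shown, the override branch is empty; a log line there recording which `ret` was overridden would make these bypasses auditable. The enclosing function starts and ends outside the hunk.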