rgw: skip read_policy checks for system_users

A system user should still be able to examine suspended buckets, and
get -ENOENT instead of -EACCESS for a deleted object.

Fixes: #6616
Backport: dumpling
Signed-off-by: Josh Durgin <josh.durgin@inktank.com>
(cherry picked from commit ea816c1c2fd47eab647d6fab96c9ca4bfeecd5bb)

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index fc4ad6d3511dcf35d6f7c1bb0d120232fc9e1201..e45cc2704bed9b0004c08916ab74ed1e8db8ed66 100644 (file)
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -269,7 +269,7 @@ static int read_policy(RGWRados *store, struct req_state *s,
   string oid = object;
   rgw_obj obj;
 
-  if (bucket_info.flags & BUCKET_SUSPENDED) {
+  if (!s->system_request && bucket_info.flags & BUCKET_SUSPENDED) {
     ldout(s->cct, 0) << "NOTICE: bucket " << bucket_info.bucket.name << " is suspended" << dendl;
     return -ERR_USER_SUSPENDED;
   }
@@ -292,7 +292,7 @@ static int read_policy(RGWRados *store, struct req_state *s,
     if (ret < 0)
       return ret;
     string& owner = bucket_policy.get_owner().get_id();
-    if (owner.compare(s->user.user_id) != 0 &&
+    if (!s->system_request && owner.compare(s->user.user_id) != 0 &&
         !bucket_policy.verify_permission(s->user.user_id, s->perm_mask, RGW_PERM_READ))
       ret = -EACCES;
     else