rgw: support IAM policies for object tagging
authorAbhishek Lekshmanan <abhishek@suse.com>
Mon, 12 Jun 2017 16:42:08 +0000 (18:42 +0200)
committerAbhishek Lekshmanan <abhishek@suse.com>
Wed, 21 Jun 2017 12:10:45 +0000 (14:10 +0200)
Very basic support for the s3:{get/put/delete}objecttagging actions and
their related versioned variants for object versioning

Signed-off-by: Abhishek Lekshmanan <abhishek@suse.com>
src/rgw/rgw_iam_policy.cc
src/rgw/rgw_iam_policy.h
src/rgw/rgw_op.cc

index 843dca7a2de09cdb1dbd979e98351627234d5619..d7556e3655a8f6d83722377f2c239ab48be09ee9 100644 (file)
@@ -411,6 +411,8 @@ static const actpair actpairs[] =
  { "s3:DeleteBucketWebsite", s3DeleteBucketWebsite },
  { "s3:DeleteObject", s3DeleteObject },
  { "s3:DeleteObjectVersion", s3DeleteObjectVersion },
+ { "s3:DeleteObjectTagging", s3DeleteObjectTagging },
+ { "s3:DeleteObjectVersionTagging", s3DeleteObjectVersionTagging },
  { "s3:DeleteReplicationConfiguration", s3DeleteReplicationConfiguration },
  { "s3:GetAccelerateConfiguration", s3GetAccelerateConfiguration },
  { "s3:GetBucketAcl", s3GetBucketAcl },
@@ -430,6 +432,8 @@ static const actpair actpairs[] =
  { "s3:GetObjectVersionAcl", s3GetObjectVersionAcl },
  { "s3:GetObjectVersion", s3GetObjectVersion },
  { "s3:GetObjectVersionTorrent", s3GetObjectVersionTorrent },
+ { "s3:GetObjectTagging", s3GetObjectTagging },
+ { "s3:GetObjectVersionTagging", s3GetObjectVersionTagging},
  { "s3:GetReplicationConfiguration", s3GetReplicationConfiguration },
  { "s3:ListAllMyBuckets", s3ListAllMyBuckets },
  { "s3:ListBucketMultiPartUploads", s3ListBucketMultiPartUploads },
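Review bot: The new row `{ "s3:GetObjectVersionTagging", s3GetObjectVersionTagging}` is missing the space before the closing brace that every other row of actpairs carries; write it as `{ "s3:GetObjectVersionTagging", s3GetObjectVersionTagging },`. This is cosmetic, but actpairs is the table that maps policy action names to bits, and keeping its rows uniform makes a dropped or misspelled entry stand out on review. The same table is extended in the two neighbouring hunks, which are consistently formatted.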
@@ -450,6 +454,8 @@ static const actpair actpairs[] =
  { "s3:PutObjectAcl",  s3PutObjectAcl },
  { "s3:PutObject", s3PutObject },
  { "s3:PutObjectVersionAcl", s3PutObjectVersionAcl },
+ { "s3:PutObjectTagging", s3PutObjectTagging },
+ { "s3:PutObjectVersionTagging", s3PutObjectVersionTagging },
  { "s3:PutReplicationConfiguration", s3PutReplicationConfiguration },
  { "s3:RestoreObject", s3RestoreObject }};
 
@@ -1356,6 +1362,24 @@ const char* action_bit_string(uint64_t action) {
 
   case s3DeleteReplicationConfiguration:
     return "s3:DeleteReplicationConfiguration";
+
+  case s3PutObjectTagging:
+    return "s3:PutObjectTagging";
+
+  case s3PutObjectVersionTagging:
+    return "s3:PutObjectVersionTagging";
+
+  case s3GetObjectTagging:
+    return "s3:GetObjectTagging";
+
+  case s3GetObjectVersionTagging:
+    return "s3:GetObjectVersionTagging";
+
+  case s3DeleteObjectTagging:
+    return "s3:DeleteObjectTagging";
+
+  case s3DeleteObjectVersionTagging:
+    return "s3:DeleteObjectVersionTagging";
   }
   return "s3Invalid";
 }
index 4429a57430964976bacb0193681db03b4bfe9717..674d7be08894f64809832b4129d57eb275d2a5f9 100644 (file)
@@ -91,7 +91,13 @@ static constexpr std::uint64_t s3PutLifecycleConfiguration = 1ULL << 44;
 static constexpr std::uint64_t s3PutReplicationConfiguration = 1ULL << 45;
 static constexpr std::uint64_t s3GetReplicationConfiguration = 1ULL << 46;
 static constexpr std::uint64_t s3DeleteReplicationConfiguration = 1ULL << 47;
-static constexpr std::uint64_t s3Count = 48;
+static constexpr std::uint64_t s3GetObjectTagging = 1ULL << 48;
+static constexpr std::uint64_t s3PutObjectTagging = 1ULL << 49;
+static constexpr std::uint64_t s3DeleteObjectTagging = 1ULL << 50;
+static constexpr std::uint64_t s3GetObjectVersionTagging = 1ULL << 51;
+static constexpr std::uint64_t s3PutObjectVersionTagging = 1ULL << 52;
+static constexpr std::uint64_t s3DeleteObjectVersionTagging = 1ULL << 53;
+static constexpr std::uint64_t s3Count = 54;
 static constexpr std::uint64_t s3All = (1ULL << s3Count) - 1;
 
 namespace {
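Review bot: s3Count and the six new bit positions are maintained by hand, and s3All is derived from s3Count, so a later addition that bumps one without the other would silently leave an action out of s3All or include a bit no action owns. A compile-time check after the s3Count line pins the two together: `static_assert(s3DeleteObjectVersionTagging == 1ULL << (s3Count - 1), "s3Count must track the highest action bit");`. The trailing `namespace {` context line opens the block that follows, not part of this change.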
@@ -101,6 +107,8 @@ inline int op_to_perm(std::uint64_t op) {
   case s3GetObjectTorrent:
   case s3GetObjectVersion:
   case s3GetObjectVersionTorrent:
+  case s3GetObjectTagging:
+  case s3GetObjectVersionTagging:
   case s3ListAllMyBuckets:
   case s3ListBucket:
   case s3ListBucketMultiPartUploads:
@@ -114,6 +122,10 @@ inline int op_to_perm(std::uint64_t op) {
   case s3DeleteObject:
   case s3DeleteObjectVersion:
   case s3PutObject:
+  case s3PutObjectTagging:
+  case s3PutObjectVersionTagging:
+  case s3DeleteObjectTagging:
+  case s3DeleteObjectVersionTagging:
   case s3RestoreObject:
     return RGW_PERM_WRITE;
 
index 3590bdd50721c7a42c426088f4a1a66dd2f9d9fa..3abe635e8c1acdb915e8a4576086673559db50fb 100644 (file)
@@ -693,7 +693,10 @@ int RGWOp::verify_op_mask()
 
 int RGWGetObjTags::verify_permission()
 {
-  if (!verify_object_permission(s, RGW_PERM_READ))
+  if (!verify_object_permission(s,
+                               s->object.instance.empty() ?
+                               rgw::IAM::s3GetObjectTagging:
+                               rgw::IAM::s3GetObjectVersionTagging))
     return -EACCES;
 
   return 0;
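Review bot: The four-line ternary that picks the object- or version-scoped tagging action on `s->object.instance.empty()` is repeated verbatim in RGWPutObjTags::verify_permission and RGWDeleteObjTags::verify_permission in the two hunks below, differing only in the two action bits. A small file-local helper taking `s` and the two `rgw::IAM` bits, with a one-line comment that a non-empty object instance means a version-specific request, would reduce each call to a single line such as `if (!verify_object_permission(s, tagging_action(s, rgw::IAM::s3GetObjectTagging, rgw::IAM::s3GetObjectVersionTagging)))`. That keeps the instance-vs-version rule in one place, so a future change to it cannot drift between the three handlers.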
@@ -723,9 +726,11 @@ void RGWGetObjTags::execute()
 
 int RGWPutObjTags::verify_permission()
 {
-  if (!verify_object_permission(s, RGW_PERM_WRITE)) {
+  if (!verify_object_permission(s,
+                               s->object.instance.empty() ?
+                               rgw::IAM::s3PutObjectTagging:
+                               rgw::IAM::s3PutObjectVersionTagging))
     return -EACCES;
-  }
   return 0;
 }
 
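Review bot: The braces around the `return -EACCES;` body were dropped at the same time the `if` condition grew to four lines; a brace-less single statement after a multi-line condition is easy to misread, and a second statement added later would silently fall outside the `if`. The same brace removal appears in RGWDeleteObjTags::verify_permission in the next hunk. Keep the braces: `rgw::IAM::s3PutObjectVersionTagging)) {` / `return -EACCES;` / `}`.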
@@ -759,9 +764,11 @@ void RGWDeleteObjTags::pre_exec(){
 int RGWDeleteObjTags::verify_permission(){
 
   if (!s->object.empty()){
-    if(!verify_object_permission(s, RGW_PERM_WRITE)) {
+    if (!verify_object_permission(s,
+                                 s->object.instance.empty() ?
+                                 rgw::IAM::s3DeleteObjectTagging:
+                                 rgw::IAM::s3DeleteObjectVersionTagging))
       return -EACCES;
-    }
   }
   return 0;
 }
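Review bot: When `s->object.empty()` holds, the function still returns 0 without consulting the policy or ACL, so the new action check only guards the named-object path. Presumably execute() rejects a request with no object name, but that is not visible in this hunk, so the early success reads as an unconditional allow. Either document the intent at the closing brace of the `if`, e.g. `// no object named: nothing to authorize here, execute() reports the error`, or, if no later check exists, return an error instead of 0 on that path.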