rgw: check for s3ReplicateObject perm on destination bucket for replication
authorSeena Fallah <seenafallah@gmail.com>
Thu, 20 Feb 2025 23:56:28 +0000 (00:56 +0100)
committerSeena Fallah <seenafallah@gmail.com>
Mon, 28 Apr 2025 16:56:05 +0000 (18:56 +0200)
Instead of s3:PutObject, rely on the s3:ReplicateObject permission to
check whether the user may replicate into the destination bucket.

Signed-off-by: Seena Fallah <seenafallah@gmail.com>
src/rgw/driver/rados/rgw_data_sync.cc
src/rgw/rgw_iam_policy.cc
src/rgw/rgw_iam_policy.h

index af7518c36c9003a88b54540b8c10e51f3e6ecda3..7523996d9a1cf15b550ead3b1410a4c587ff8fe8 100644 (file)
@@ -2986,7 +2986,7 @@ public:
             return set_cr_error(retcode);
           }
 
-          if (!dest_bucket_perms.verify_bucket_permission(dest_key.value_or(key), rgw::IAM::s3PutObject)) {
+          if (!dest_bucket_perms.verify_bucket_permission(dest_key.value_or(key), rgw::IAM::s3ReplicateObject)) {
             ldout(cct, 0) << "ERROR: " << __func__ << ": permission check failed: user not allowed to write into bucket (bucket=" << sync_pipe.info.dest_bucket.get_key() << ")" << dendl;
             return set_cr_error(-EPERM);
           }
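Review bot: The failure log on the line after the changed check still reads "user not allowed to write into bucket", but the action being denied is now s3:ReplicateObject, so an operator whose policy grants only s3:PutObject will be steered toward the wrong permission; suggest `ldout(cct, 0) << "ERROR: " << __func__ << ": permission check failed: s3:ReplicateObject not allowed on destination bucket (bucket=" << sync_pipe.info.dest_bucket.get_key() << ")" << dendl;`. This is also a behavioural change for existing deployments: a destination bucket policy that grants the sync user s3:PutObject but not s3:ReplicateObject will start failing with -EPERM after upgrade, which deserves a release note or an upgrade check. The enclosing coroutine body starts and ends outside this hunk, so whether an earlier branch still performs a PutObject-based check is not visible here.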
index ea85ab49618118aaec8ed327e8916036eef06f54..fda7d68a0dda4e83c18e6b814464f07ec752d4a8 100644 (file)
@@ -139,6 +139,7 @@ static const actpair actpairs[] =
  { "s3:RestoreObject", s3RestoreObject },
  { "s3:DescribeJob", s3DescribeJob },
  { "s3:ReplicateDelete", s3ReplicateDelete },
+ { "s3:ReplicateObject", s3ReplicateObject },
  { "s3-object-lambda:GetObject", s3objectlambdaGetObject },
  { "s3-object-lambda:ListBucket", s3objectlambdaListBucket },
  { "iam:PutUserPolicy", iamPutUserPolicy },
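Review bot: The new "s3:ReplicateObject" entry makes a policy action user-visible, but the diffstat lists only the three source files, so the list of supported bucket-policy actions in the documentation is apparently not updated; without that, administrators have no way to learn that replication into a bucket now requires this action rather than s3:PutObject. Suggest adding `s3:ReplicateObject` next to the existing `s3:ReplicateDelete` entry in the policy documentation, with a sentence stating that the data-sync path checks it on the destination bucket. A policy parsing test that round-trips "s3:ReplicateObject" through the actpairs table and action_bit_string would also pin the new name.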
@@ -1513,6 +1514,9 @@ const char* action_bit_string(uint64_t action) {
   case s3ReplicateDelete:
     return "s3:ReplicateDelete";
 
+  case s3ReplicateObject:
+    return "s3:ReplicateObject";
+
   case s3objectlambdaGetObject:
     return "s3-object-lambda:GetObject";
 
index e51250041fd9546f8aecf723527ebe2782d6deaa..f7f9b38e5c3b25742edc3ba08c88a4ce149f8d84 100644 (file)
@@ -118,6 +118,7 @@ enum {
   s3GetObjectAttributes,
   s3GetObjectVersionAttributes,
   s3ReplicateDelete,
+  s3ReplicateObject,
   s3All,
 
   s3objectlambdaGetObject,
@@ -275,6 +276,7 @@ inline int op_to_perm(std::uint64_t op) {
   case s3PutObjectLegalHold:
   case s3BypassGovernanceRetention:
   case s3ReplicateDelete:
+  case s3ReplicateObject:
     return RGW_PERM_WRITE;
 
   case s3GetAccelerateConfiguration:
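Review bot: Mapping s3ReplicateObject to RGW_PERM_WRITE gives it the same ACL permission as s3PutObject, so where the permission check falls back to bucket ACLs (which I infer from the op_to_perm mapping, not from this hunk) a WRITE grant still authorizes replication exactly as it did before; the tightening introduced in rgw_data_sync.cc therefore only bites when a bucket policy is evaluated. If that is the intent it is worth stating on the new case, e.g. `case s3ReplicateObject:  // ACL fallback: same WRITE grant as s3PutObject; policies can distinguish the two`. Inserting the enumerator before s3All in the earlier hunk also shifts the numeric value of every later action; that is harmless as long as action bits are never persisted, which should be confirmed.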