rgw: check for s3ReplicateObject perm on destination bucket for replication

author Seena Fallah <seenafallah@gmail.com>

Thu, 20 Feb 2025 23:56:28 +0000 (00:56 +0100)

committer Seena Fallah <seenafallah@gmail.com>

Mon, 28 Apr 2025 16:56:05 +0000 (18:56 +0200)
author Seena Fallah <seenafallah@gmail.com>
Thu, 20 Feb 2025 23:56:28 +0000 (00:56 +0100)
committer Seena Fallah <seenafallah@gmail.com>
Mon, 28 Apr 2025 16:56:05 +0000 (18:56 +0200)
diff --git a/src/rgw/driver/rados/rgw_data_sync.cc b/src/rgw/driver/rados/rgw_data_sync.cc

index af7518c36c9003a88b54540b8c10e51f3e6ecda3..7523996d9a1cf15b550ead3b1410a4c587ff8fe8 100644 (file)
--- a/src/rgw/driver/rados/rgw_data_sync.cc
+++ b/src/rgw/driver/rados/rgw_data_sync.cc
@@ -2986,7 +2986,7 @@ public:
              return set_cr_error(retcode);
            }
  
-          if (!dest_bucket_perms.verify_bucket_permission(dest_key.value_or(key), rgw::IAM::s3PutObject)) {
+          if (!dest_bucket_perms.verify_bucket_permission(dest_key.value_or(key), rgw::IAM::s3ReplicateObject)) {
              ldout(cct, 0) << "ERROR: " << __func__ << ": permission check failed: user not allowed to write into bucket (bucket=" << sync_pipe.info.dest_bucket.get_key() << ")" << dendl;
              return set_cr_error(-EPERM);
            }
diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc

index ea85ab49618118aaec8ed327e8916036eef06f54..fda7d68a0dda4e83c18e6b814464f07ec752d4a8 100644 (file)
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -139,6 +139,7 @@ static const actpair actpairs[] =
   { "s3:RestoreObject", s3RestoreObject },
   { "s3:DescribeJob", s3DescribeJob },
   { "s3:ReplicateDelete", s3ReplicateDelete },
+ { "s3:ReplicateObject", s3ReplicateObject },
   { "s3-object-lambda:GetObject", s3objectlambdaGetObject },
   { "s3-object-lambda:ListBucket", s3objectlambdaListBucket },
   { "iam:PutUserPolicy", iamPutUserPolicy },
@@ -1513,6 +1514,9 @@ const char* action_bit_string(uint64_t action) {
    case s3ReplicateDelete:
      return "s3:ReplicateDelete";
  
+  case s3ReplicateObject:
+    return "s3:ReplicateObject";
+
    case s3objectlambdaGetObject:
      return "s3-object-lambda:GetObject";
  
diff --git a/src/rgw/rgw_iam_policy.h b/src/rgw/rgw_iam_policy.h

index e51250041fd9546f8aecf723527ebe2782d6deaa..f7f9b38e5c3b25742edc3ba08c88a4ce149f8d84 100644 (file)
--- a/src/rgw/rgw_iam_policy.h
+++ b/src/rgw/rgw_iam_policy.h
@@ -118,6 +118,7 @@ enum {
    s3GetObjectAttributes,
    s3GetObjectVersionAttributes,
    s3ReplicateDelete,
+  s3ReplicateObject,
    s3All,
  
    s3objectlambdaGetObject,
@@ -275,6 +276,7 @@ inline int op_to_perm(std::uint64_t op) {
    case s3PutObjectLegalHold:
    case s3BypassGovernanceRetention:
    case s3ReplicateDelete:
+  case s3ReplicateObject:
      return RGW_PERM_WRITE;
  
    case s3GetAccelerateConfiguration:
author	Seena Fallah <seenafallah@gmail.com>
	Thu, 20 Feb 2025 23:56:28 +0000 (00:56 +0100)
committer	Seena Fallah <seenafallah@gmail.com>
	Mon, 28 Apr 2025 16:56:05 +0000 (18:56 +0200)
src/rgw/driver/rados/rgw_data_sync.cc		patch \| blob \| history
src/rgw/rgw_iam_policy.cc		patch \| blob \| history
src/rgw/rgw_iam_policy.h		patch \| blob \| history