rgw: Fix for role permission evaluation based on TYPE_ROLE.
authorPritha Srivastava <prsrivas@redhat.com>
Fri, 30 Nov 2018 15:11:44 +0000 (20:41 +0530)
committerPritha Srivastava <prsrivas@redhat.com>
Mon, 3 Dec 2018 06:12:51 +0000 (11:42 +0530)
Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
src/rgw/rgw_common.cc
src/rgw/rgw_common.h
src/rgw/rgw_op.cc
src/rgw/rgw_rest.cc
src/rgw/rgw_rest_s3.cc
src/rgw/rgw_sts.cc

index 0aa9b42032c95451d7a0ac767c225a27cac9b9c8..afe1f3ada36e11ffc94dac6f0efc4ca30cf0c69b 100644 (file)
@@ -1134,8 +1134,11 @@ bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, struct req_
                             RGWAccessControlPolicy * const user_acl,
                             const int perm)
 {
+  if (s->user->type == TYPE_ROLE)
+    return false;
+
   /* S3 doesn't support account ACLs. */
-  if ((s->user->type != TYPE_NONE || s->user->user_id == rgw_user(RGW_USER_ANON_ID)) && !user_acl)
+  if (!user_acl)
     return true;
 
   if ((perm & (int)s->perm_mask) != perm)
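Review bot: The `!user_acl` short-circuit that replaces the removed condition is broader than what it replaces: a non-anonymous TYPE_NONE identity with no user ACL previously fell through to the perm_mask check, whereas with the new line it returns true before any check runs. If that combination cannot reach this function the widening is harmless, but that should be stated, and otherwise the old guard (minus the TYPE_ROLE case) should stay in front of the early return. The new `if (s->user->type == TYPE_ROLE) return false;` also carries no comment; given the commit title I would add above it `// Role (STS AssumeRole) identities never hold user-ACL rights; their permissions are evaluated from role/session policy elsewhere.` — presumably the intent, confirm. verify_user_permission_no_policy continues outside the hunk.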
index 9e311ac268cb25fc943e6590f30af466980bee3b..0a002fd4a25ac3f144d0ad464655f97f9b4c6add 100644 (file)
@@ -634,7 +634,8 @@ enum RGWUserSourceType
   TYPE_NONE=0,
   TYPE_RGW=1,
   TYPE_KEYSTONE=2,
-  TYPE_LDAP=3
+  TYPE_LDAP=3,
+  TYPE_ROLE=4
 };
 
 struct RGWUserInfo
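Review bot: `TYPE_ROLE=4` is added without a comment, although the value is written into the STS token (`token.acct_type` in rgw_sts.cc) and now drives the permission short-circuits in rgw_common.cc. Since the value appears to be persisted in issued tokens, a note that existing enumerators must keep their numeric values would help the next maintainer; I would write `TYPE_ROLE=4   // temporary credentials from an STS AssumeRole session, no backing RGW user; values are stored in tokens, do not renumber`. The "no backing RGW user" part is inferred from the lookup being skipped for this type in rgw_op.cc and rgw_rest_s3.cc, so confirm before committing the wording.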
index 17334ac61905bad1696741a8d2d9cea7153de6e7..c76cfd0f612278cce7dbfd5ef83db2a18685884f 100644 (file)
@@ -572,7 +572,7 @@ int rgw_build_bucket_policies(RGWRados* store, struct req_state* s)
   }
   // We don't need user policies in case of STS token returned by AssumeRole,
   // hence the check for user type
-  if (! s->user->user_id.empty() && s->user->type != TYPE_NONE) {
+  if (! s->user->user_id.empty() && s->user->type != TYPE_ROLE) {
     try {
       map<string, bufferlist> uattrs;
       if (ret = rgw_get_user_attrs_by_uid(store, s->user->user_id, uattrs); ! ret) {
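Review bot: Flipping the guard from `!= TYPE_NONE` to `!= TYPE_ROLE` also changes behavior for identities whose type is still TYPE_NONE with a non-empty user_id: they were previously skipped and now have their attrs fetched and user policies attached. If every auth engine sets a concrete type before this point that is fine, but it is not visible here and deserves a sentence in the commit message or a comment such as `// Only STS AssumeRole sessions (TYPE_ROLE) carry no user policies; every other non-empty user_id is looked up.`. The same change and the same caveat apply to RGWHandler_REST::init_permissions in rgw_rest.cc. rgw_build_bucket_policies and its try block continue outside the hunk.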
index 7b3314b52fd6bfbdf6e6a73c2b90e2e4468fa939..f7142731b41df71862e66ce3ed1a8d97354f8523 100644 (file)
@@ -1816,7 +1816,7 @@ int RGWHandler_REST::init_permissions(RGWOp* op)
 {
   if (op->get_type() == RGW_OP_CREATE_BUCKET) {
     // We don't need user policies in case of STS token returned by AssumeRole, hence the check for user type
-    if (! s->user->user_id.empty() && s->user->type != TYPE_NONE) {
+    if (! s->user->user_id.empty() && s->user->type != TYPE_ROLE) {
       try {
         map<string, bufferlist> uattrs;
         if (auto ret = rgw_get_user_attrs_by_uid(store, s->user->user_id, uattrs); ! ret) {
index e4671660c02d495be4123711e5c303578dc58de2..686b5f3700945e3e8ca98a8d4463a62fe4c57e69 100644 (file)
@@ -4483,8 +4483,9 @@ rgw::auth::s3::STSEngine::authenticate(
     }
     // This is mostly needed to assign the owner of a bucket during its creation
     user_info.user_id = token.user;
+    user_info.type = token.acct_type;
   }
-  if (! token.user.empty() && token.acct_type != TYPE_NONE) {
+  if (! token.user.empty() && token.acct_type != TYPE_ROLE) {
     // get user info
     int ret = rgw_get_user_info_by_uid(store, token.user, user_info, NULL);
     if (ret < 0) {
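Review bot: Tokens minted by the role path before this change carried TYPE_NONE (the line removed in rgw_sts.cc), so any still-valid older token now takes the `!= TYPE_ROLE` branch and is looked up as a regular user via rgw_get_user_info_by_uid; whether that fails closed depends on the `ret < 0` handling, which continues outside the hunk, and on what the lookup returns for a role-session principal, so it is worth confirming or documenting in the commit message. The new `user_info.type = token.acct_type;` sits inside a block whose opening is outside the hunk and has no comment explaining why the type must be propagated; I would add `// Propagate the token's account type so later TYPE_ROLE checks see it.` STSEngine::authenticate starts outside the hunk.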
index 4158179dfa60ed3408443c87f38cb1d92d5c9ef5..2558b64a22e94f0c6cc36382905f5a65f56e08b9 100644 (file)
@@ -112,7 +112,7 @@ int Credentials::generateCredentials(CephContext* cct,
     token.acct_name = {};
     token.perm_mask = 0;
     token.is_admin = 0;
-    token.acct_type = TYPE_NONE;
+    token.acct_type = TYPE_ROLE;
   }
 
   buffer::list input, enc_output;
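Review bot: The branch that now sets `token.acct_type = TYPE_ROLE;` zeroes perm_mask and is_admin and clears acct_name but says nothing about being the role-session path, which is what the rest of the commit keys on. A one-line comment on the assignment, `// Role session: mark the token so permission checks skip user ACLs and user policies`, would tie the value to its consumers in rgw_common.cc and rgw_op.cc; that reading of the branch is inferred from the fields being cleared, since its condition lies outside the hunk. generateCredentials starts and continues outside the hunk.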