rgw/sts: changing identity to boost::none, when role policy 59346/head
authorPritha Srivastava <prsrivas@redhat.com>
Thu, 2 Feb 2023 05:35:41 +0000 (11:05 +0530)
committerKonstantin Shalygin <k0ste@k0ste.ru>
Sat, 26 Oct 2024 08:49:52 +0000 (15:49 +0700)
is verified for putobj permissions, in case of renaming a
large file.

While renaming a large file, putobj is invoked as an intermediate
step, and role policy is verified for the source object if temp creds
are used. Since the role policy is attached to the identity (role)
itself and the role policy does not contain a Principal, there is no
need to verify the identity and hence boost::none is passed in place
of the identity.

fixes: https://tracker.ceph.com/issues/58628

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
(cherry picked from commit c2f5716e5196073abfc50917e5f687888f6dff42)

src/rgw/rgw_op.cc

index 04a55ccc8ff2670d2dde8eb9e535988559d5698a..cb9b75359cf8f908fe6c1dd5f7f4ee52521fc449 100644 (file)
@@ -3717,7 +3717,7 @@ int RGWPutObj::verify_permission(optional_yield y)
         auto usr_policy_res = Effect::Pass;
         rgw::ARN obj_arn(cs_object->get_obj());
         for (auto& user_policy : s->iam_user_policies) {
-          if (usr_policy_res = user_policy.eval(s->env, *s->auth.identity,
+          if (usr_policy_res = user_policy.eval(s->env, boost::none,
                              cs_object->get_instance().empty() ?
                              rgw::IAM::s3GetObject :
                              rgw::IAM::s3GetObjectVersion,
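Review bot: Passing `boost::none` at the `user_policy.eval(...)` call drops the caller identity for every entry in `s->iam_user_policies`, while the commit message argues only for role policies, and nothing at the call site records why the identity is omitted. If eval skips Principal/NotPrincipal matching when no identity is supplied (its body is not visible here), a policy in this list that did carry a Principal element would then apply to any caller, so it is worth confirming that such policies are rejected when they are attached. I would add a comment above the loop such as `// Identity-based (user/role) policies carry no Principal element, so no identity is passed to eval.`. The `if` statement and the rest of RGWPutObj::verify_permission continue outside the hunk, so any other evaluation of these policies in the function cannot be checked for consistency from here.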