rgw: implement the basic security check for BulkUpload of Swift API.
authorRadoslaw Zarzynski <rzarzynski@mirantis.com>
Wed, 30 Nov 2016 16:49:25 +0000 (17:49 +0100)
committerRadoslaw Zarzynski <rzarzynski@mirantis.com>
Sun, 2 Apr 2017 13:46:13 +0000 (15:46 +0200)
Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
src/rgw/rgw_op.cc

index 9db697a5ac89ac4b603cb27dd602d6d113ff2ce5..9cb691059832198b5dd451bc76127792457e737b 100644 (file)
@@ -5500,6 +5500,26 @@ void RGWBulkDelete::execute()
 
 int RGWBulkUploadOp::verify_permission()
 {
+  if (s->auth.identity->is_anonymous()) {
+    return -EACCES;
+  }
+
+  if (! verify_user_permission(s, RGW_PERM_WRITE)) {
+    return -EACCES;
+  }
+
+  if (s->user->user_id.tenant != s->bucket_tenant) {
+    ldout(s->cct, 10) << "user cannot create a bucket in a different tenant"
+                      << " (user_id.tenant=" << s->user->user_id.tenant
+                      << " requested=" << s->bucket_tenant << ")"
+                      << dendl;
+    return -EACCES;
+  }
+
+  if (s->user->max_buckets < 0) {
+    return -EPERM;
+  }
+
   return 0;
 }
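Review bot: The checks added to RGWBulkUploadOp::verify_permission() are account-level only (non-anonymous identity, user write permission, tenant match, max_buckets), so nothing in this hunk authorizes the individual buckets and objects named inside the uploaded archive; whether execute() does that per entry is not visible here. I would state that contract above the first check, e.g. `/* Account-level gate only: every bucket/object named in the archive must still be authorized per entry when it is processed. */`. Three of the four deny paths also return without logging, so a rejected request cannot be attributed to a cause from the log; a line such as `ldout(s->cct, 10) << "bulk upload denied: anonymous identity" << dendl;` before each return would match the tenant branch. The tenant message says "create a bucket", which may mislead when the archive only adds objects to an existing bucket.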