rgw: Evaluating bucket policies also while reading permissions for an object that... 29255/head
authorPritha Srivastava <prsrivas@redhat.com>
Mon, 1 Apr 2019 15:39:22 +0000 (21:09 +0530)
committerNathan Cutler <ncutler@suse.com>
Wed, 24 Jul 2019 11:16:13 +0000 (13:16 +0200)
Fixes http://tracker.ceph.com/issues/38638

Signed-off-by: Pritha Srivastava <prsrivas@redhat.com>
(cherry picked from commit 5eb50b7d10da51db72f705807c87775562b79b63)

Conflicts:
src/rgw/rgw_op.cc
- bucket_policy.verify_permission() takes different arguments in mimic

src/rgw/rgw_op.cc

index 9c6d06ac37db8230aee6ba113c9de3b5de78e514..cfc9b2c9838b99f956dc5f1ee3230df8a8f77368 100644 (file)
@@ -369,13 +369,20 @@ static int read_obj_policy(RGWRados *store,
     if (ret < 0) {
       return ret;
     }
-
     const rgw_user& bucket_owner = bucket_policy.get_owner().get_id();
     if (bucket_owner.compare(s->user->user_id) != 0 &&
-        ! s->auth.identity->is_admin_of(bucket_owner) &&
-        ! bucket_policy.verify_permission(*s->auth.identity, s->perm_mask,
-                                          RGW_PERM_READ)) {
-      ret = -EACCES;
+        ! s->auth.identity->is_admin_of(bucket_owner)) {
+      if (policy) {
+        auto r =  policy->eval(s->env, *s->auth.identity, rgw::IAM::s3ListBucket, ARN(bucket));
+        if (r == Effect::Allow)
+          return -ENOENT;
+        if (r == Effect::Deny)
+          return -EACCES;
+      }
+      if (! bucket_policy.verify_permission(*s->auth.identity, s->perm_mask, RGW_PERM_READ))
+        ret = -EACCES;
+      else
+        ret = -ENOENT;
     } else {
       ret = -ENOENT;
     }
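Review bot: The new policy branch (the `if (policy)` block) is the security-relevant decision in this hunk — it chooses ENOENT over EACCES for a caller who may list the bucket — yet nothing says why an s3ListBucket evaluation is made on what was an object read, and that rationale is exactly what a later maintainer needs so the branch is not "simplified" into disclosing object existence to everyone. I would put above `if (policy) {`: `// Mirror S3: only a principal allowed to list the bucket may learn that the key is absent (ENOENT); anyone else gets EACCES so object existence is not disclosed. An explicit policy Deny wins over the bucket ACL; Pass falls through to the ACL check.` Two smaller points: the policy branch returns directly while the ACL branch still goes through `ret`, which is only safe if nothing after this block needs to run (read_obj_policy begins before and continues past this hunk, so I cannot confirm that here), and if a ListBucket statement carries an s3:prefix condition, `s->env` was populated for the object request, so it is worth confirming that condition is evaluated against the requested key rather than silently yielding Pass. Minor style: `auto r =  policy->eval(` has a doubled space.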