rgw: add subuser to user policy condition check

Signed-off-by: ivan <i.makarychev@tinkoff.ru>

diff --git a/src/rgw/rgw_iam_policy_keywords.gperf b/src/rgw/rgw_iam_policy_keywords.gperf
index af73dd130749a0807b3e8d5ff0639db5137f1b5b..6b09a6aff8181f5e00210a5893dbf7e88ad4d222 100644 (file)
--- a/src/rgw/rgw_iam_policy_keywords.gperf
+++ b/src/rgw/rgw_iam_policy_keywords.gperf
@@ -115,6 +115,8 @@ Null, TokenKind::cond_op, TokenID::Null, (uint64_t) Type::null, true, true
 #s3:authType, TokenKind::cond_key, TokenID::s3authType, (uint64_t) Type::string, true, false
 #s3:signatureAge, TokenKind::cond_key, TokenID::s3signatureAge, (uint64_t) Type::number, true, false
 #s3:x-amz-content-sha256, TokenKind::cond_key, TokenID::s3x_amz_content_sha256, (uint64_t) Type::string, true, false
+# RGW
+#rgw:subuser, TokenKind::cond_key, TokenID::rgwsubuser, (uint64_t) Type::string, true, false
 # STS
 #sts:authentication, TokenKind::cond_key, TokenID::stsauthentication, (uint64_t) Type::boolean, true, false
 #

diff --git a/src/rgw/rgw_iam_policy_keywords.h b/src/rgw/rgw_iam_policy_keywords.h
index 8130ace456c60336fd698e2d99a494f9a593dc72..c1cfa9052d60ab2104c88d919e0de6c6e269e669 100644 (file)
--- a/src/rgw/rgw_iam_policy_keywords.h
+++ b/src/rgw/rgw_iam_policy_keywords.h
@@ -89,6 +89,7 @@ enum class TokenID {
   s3authType,
   s3signatureAge,
   s3x_amz_content_sha256,
+  rgwsubuser,
 #else
   CondKey,
 #endif

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 8c15e5bd2e3fc9f60d80b6f1fc26d9359d9c33cc..0f02ac9364b91cebdcfd5b396dfa3b245f7e5c6c 100644 (file)
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -922,6 +922,10 @@ void rgw_build_iam_environment(rgw::sal::Driver* driver,
     s->env.emplace("aws:username", s->user->get_id().id);
   }
 
+  if (s->auth.identity) {
+    s->env.emplace("rgw:subuser", s->auth.identity->get_subuser().c_str());
+  }
+
   i = m.find("HTTP_X_AMZ_SECURITY_TOKEN");
   if (i != m.end()) {
     s->env.emplace("sts:authentication", "true");