{
return verify_bucket_permission_no_policy(sync_env->dpp,
&(*ps),
- &info->user_acl,
- &bucket_acl,
+ info->user_acl,
+ bucket_acl,
perm);
}
return verify_bucket_permission_no_policy(sync_env->dpp,
&(*ps),
- &bucket_acl,
- &obj_acl,
+ bucket_acl,
+ obj_acl,
perm);
}
uint32_t RGWAccessControlList::get_perm(const DoutPrefixProvider* dpp,
const rgw::auth::Identity& auth_identity,
- const uint32_t perm_mask)
+ const uint32_t perm_mask) const
{
ldpp_dout(dpp, 5) << "Searching permissions for identity=" << auth_identity
<< " mask=" << perm_mask << dendl;
uint32_t RGWAccessControlList::get_referer_perm(const DoutPrefixProvider *dpp,
const uint32_t current_perm,
const std::string http_referer,
- const uint32_t perm_mask)
+ const uint32_t perm_mask) const
{
ldpp_dout(dpp, 5) << "Searching permissions for referer=" << http_referer
<< " mask=" << perm_mask << dendl;
const rgw::auth::Identity& auth_identity,
const uint32_t perm_mask,
const char * const http_referer,
- bool ignore_public_acls)
+ bool ignore_public_acls) const
{
ldpp_dout(dpp, 20) << "-- Getting permissions begin with perm_mask=" << perm_mask
<< dendl;
const uint32_t user_perm_mask,
const uint32_t perm,
const char * const http_referer,
- bool ignore_public_acls)
+ bool ignore_public_acls) const
{
uint32_t test_perm = perm | RGW_PERM_READ_OBJS | RGW_PERM_WRITE_OBJS;
public:
ACLGrant() : group(ACL_GROUP_NONE) {}
- virtual ~ACLGrant() {}
/* there's an assumption here that email/uri/id encodings are
different and there can't be any overlap */
public:
uint32_t get_perm(const DoutPrefixProvider* dpp,
const rgw::auth::Identity& auth_identity,
- uint32_t perm_mask);
+ uint32_t perm_mask) const;
uint32_t get_group_perm(const DoutPrefixProvider *dpp, ACLGroupTypeEnum group, uint32_t perm_mask) const;
uint32_t get_referer_perm(const DoutPrefixProvider *dpp, uint32_t current_perm,
std::string http_referer,
- uint32_t perm_mask);
+ uint32_t perm_mask) const;
void encode(bufferlist& bl) const {
ENCODE_START(4, 3, bl);
bool maps_initialized = true;
const rgw::auth::Identity& auth_identity,
uint32_t perm_mask,
const char * http_referer,
- bool ignore_public_acls=false);
+ bool ignore_public_acls=false) const;
bool verify_permission(const DoutPrefixProvider* dpp,
const rgw::auth::Identity& auth_identity,
uint32_t user_perm_mask,
uint32_t perm,
const char * http_referer = nullptr,
- bool ignore_public_acls=false);
+ bool ignore_public_acls=false) const;
void encode(bufferlist& bl) const {
ENCODE_START(2, 2, bl);
bool verify_user_permission(const DoutPrefixProvider* dpp,
perm_state_base * const s,
- RGWAccessControlPolicy * const user_acl,
+ const RGWAccessControlPolicy& user_acl,
const vector<rgw::IAM::Policy>& user_policies,
const vector<rgw::IAM::Policy>& session_policies,
const rgw::ARN& res,
bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
- RGWAccessControlPolicy * const user_acl,
+ const RGWAccessControlPolicy& user_acl,
const int perm)
{
if (s->identity->get_identity_type() == TYPE_ROLE)
return false;
- /* S3 doesn't support account ACLs. */
- if (!user_acl)
+ /* S3 doesn't support account ACLs, so user_acl will be uninitialized. */
+ if (user_acl.get_owner().id.empty())
return true;
if ((perm & (int)s->perm_mask) != perm)
return false;
- return user_acl->verify_permission(dpp, *s->identity, perm, perm);
+ return user_acl.verify_permission(dpp, *s->identity, perm, perm);
}
bool verify_user_permission(const DoutPrefixProvider* dpp,
bool mandatory_policy)
{
perm_state_from_req_state ps(s);
- return verify_user_permission(dpp, &ps, s->user_acl.get(), s->iam_user_policies, s->session_policies, res, op, mandatory_policy);
+ return verify_user_permission(dpp, &ps, s->user_acl, s->iam_user_policies, s->session_policies, res, op, mandatory_policy);
}
bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
const int perm)
{
perm_state_from_req_state ps(s);
- return verify_user_permission_no_policy(dpp, &ps, s->user_acl.get(), perm);
+ return verify_user_permission_no_policy(dpp, &ps, s->user_acl, perm);
}
bool verify_requester_payer_permission(struct perm_state_base *s)
bool verify_bucket_permission(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
const rgw_bucket& bucket,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
const vector<Policy>& identity_policies,
const vector<Policy>& session_policies,
bool verify_bucket_permission(const DoutPrefixProvider* dpp,
req_state * const s,
const rgw_bucket& bucket,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
const vector<Policy>& user_policies,
const vector<Policy>& session_policies,
}
bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, struct perm_state_base * const s,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const int perm)
{
- if (!bucket_acl)
- return false;
-
if ((perm & (int)s->perm_mask) != perm)
return false;
- if (bucket_acl->verify_permission(dpp, *s->identity, perm, perm,
- s->get_referer(),
- s->bucket_access_conf &&
- s->bucket_access_conf->ignore_public_acls()))
+ if (bucket_acl.verify_permission(dpp, *s->identity, perm, perm,
+ s->get_referer(),
+ s->bucket_access_conf &&
+ s->bucket_access_conf->ignore_public_acls()))
return true;
- if (!user_acl)
- return false;
-
- return user_acl->verify_permission(dpp, *s->identity, perm, perm);
+ return user_acl.verify_permission(dpp, *s->identity, perm, perm);
}
bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, req_state * const s,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const int perm)
{
perm_state_from_req_state ps(s);
return verify_bucket_permission_no_policy(dpp,
&ps,
- s->user_acl.get(),
- s->bucket_acl.get(),
+ s->user_acl,
+ s->bucket_acl,
perm);
}
return verify_bucket_permission(dpp,
&ps,
s->bucket->get_key(),
- s->user_acl.get(),
- s->bucket_acl.get(),
+ s->user_acl,
+ s->bucket_acl,
s->iam_policy,
s->iam_user_policies,
s->session_policies,
static inline bool check_deferred_bucket_perms(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
const rgw_bucket& bucket,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
const vector<Policy>& identity_policies,
const vector<Policy>& session_policies,
static inline bool check_deferred_bucket_only_acl(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const uint8_t deferred_check,
const int perm)
{
bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_base * const s,
const rgw_obj& obj,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
- RGWAccessControlPolicy * const object_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
+ const RGWAccessControlPolicy& object_acl,
const boost::optional<Policy>& bucket_policy,
const vector<Policy>& identity_policies,
const vector<Policy>& session_policies,
return true;
}
- if (!object_acl) {
- return false;
- }
-
- bool ret = object_acl->verify_permission(dpp, *s->identity, s->perm_mask, perm,
- nullptr, /* http_referrer */
- s->bucket_access_conf &&
- s->bucket_access_conf->ignore_public_acls());
+ bool ret = object_acl.verify_permission(dpp, *s->identity, s->perm_mask, perm,
+ nullptr, /* http_referrer */
+ s->bucket_access_conf &&
+ s->bucket_access_conf->ignore_public_acls());
if (ret) {
return true;
}
/* we already verified the user mask above, so we pass swift_perm as the mask here,
otherwise the mask might not cover the swift permissions bits */
- if (bucket_acl->verify_permission(dpp, *s->identity, swift_perm, swift_perm,
- s->get_referer()))
+ if (bucket_acl.verify_permission(dpp, *s->identity, swift_perm, swift_perm,
+ s->get_referer()))
return true;
- if (!user_acl)
- return false;
-
- return user_acl->verify_permission(dpp, *s->identity, swift_perm, swift_perm);
+ return user_acl.verify_permission(dpp, *s->identity, swift_perm, swift_perm);
}
bool verify_object_permission(const DoutPrefixProvider* dpp, req_state * const s,
const rgw_obj& obj,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
- RGWAccessControlPolicy * const object_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
+ const RGWAccessControlPolicy& object_acl,
const boost::optional<Policy>& bucket_policy,
const vector<Policy>& identity_policies,
const vector<Policy>& session_policies,
bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
- RGWAccessControlPolicy * const object_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
+ const RGWAccessControlPolicy& object_acl,
const int perm)
{
if (check_deferred_bucket_only_acl(dpp, s, user_acl, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_RECURSE, perm) ||
return true;
}
- if (!object_acl) {
- return false;
- }
-
- bool ret = object_acl->verify_permission(dpp, *s->identity, s->perm_mask, perm,
- nullptr, /* http referrer */
- s->bucket_access_conf &&
- s->bucket_access_conf->ignore_public_acls());
+ bool ret = object_acl.verify_permission(dpp, *s->identity, s->perm_mask, perm,
+ nullptr, /* http referrer */
+ s->bucket_access_conf &&
+ s->bucket_access_conf->ignore_public_acls());
if (ret) {
return true;
}
/* we already verified the user mask above, so we pass swift_perm as the mask here,
otherwise the mask might not cover the swift permissions bits */
- if (bucket_acl->verify_permission(dpp, *s->identity, swift_perm, swift_perm,
- s->get_referer()))
+ if (bucket_acl.verify_permission(dpp, *s->identity, swift_perm, swift_perm,
+ s->get_referer()))
return true;
- if (!user_acl)
- return false;
-
- return user_acl->verify_permission(dpp, *s->identity, swift_perm, swift_perm);
+ return user_acl.verify_permission(dpp, *s->identity, swift_perm, swift_perm);
}
bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, req_state *s, int perm)
return verify_object_permission_no_policy(dpp,
&ps,
- s->user_acl.get(),
- s->bucket_acl.get(),
- s->object_acl.get(),
+ s->user_acl,
+ s->bucket_acl,
+ s->object_acl,
perm);
}
return verify_object_permission(dpp,
&ps,
rgw_obj(s->bucket->get_key(), s->object->get_key()),
- s->user_acl.get(),
- s->bucket_acl.get(),
- s->object_acl.get(),
+ s->user_acl,
+ s->bucket_acl,
+ s->object_acl,
s->iam_policy,
s->iam_user_policies,
s->session_policies,
} s3_postobj_creds;
} auth;
- std::unique_ptr<RGWAccessControlPolicy> user_acl;
- std::unique_ptr<RGWAccessControlPolicy> bucket_acl;
- std::unique_ptr<RGWAccessControlPolicy> object_acl;
+ RGWAccessControlPolicy user_acl;
+ RGWAccessControlPolicy bucket_acl;
+ RGWAccessControlPolicy object_acl;
rgw::IAM::Environment env;
boost::optional<rgw::IAM::Policy> iam_policy;
bool verify_bucket_permission_no_policy(
const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const int perm);
bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
- RGWAccessControlPolicy * const user_acl,
+ const RGWAccessControlPolicy& user_acl,
const int perm);
bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
- RGWAccessControlPolicy * const object_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
+ const RGWAccessControlPolicy& object_acl,
const int perm);
/** Check if the req_state's user has the necessary permissions
const rgw::ARN& arn);
bool verify_user_permission(const DoutPrefixProvider* dpp,
req_state * const s,
- RGWAccessControlPolicy * const user_acl,
+ const RGWAccessControlPolicy& user_acl,
const std::vector<rgw::IAM::Policy>& user_policies,
const std::vector<rgw::IAM::Policy>& session_policies,
const rgw::ARN& res,
bool mandatory_policy=true);
bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
req_state * const s,
- RGWAccessControlPolicy * const user_acl,
+ const RGWAccessControlPolicy& user_acl,
const int perm);
bool verify_user_permission(const DoutPrefixProvider* dpp,
req_state * const s,
const DoutPrefixProvider* dpp,
req_state * const s,
const rgw_bucket& bucket,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const boost::optional<rgw::IAM::Policy>& bucket_policy,
const std::vector<rgw::IAM::Policy>& identity_policies,
const std::vector<rgw::IAM::Policy>& session_policies,
bool verify_bucket_permission_no_policy(
const DoutPrefixProvider* dpp,
req_state * const s,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const int perm);
bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp,
req_state * const s,
const DoutPrefixProvider* dpp,
req_state * const s,
const rgw_obj& obj,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
- RGWAccessControlPolicy * const object_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
+ const RGWAccessControlPolicy& object_acl,
const boost::optional<rgw::IAM::Policy>& bucket_policy,
const std::vector<rgw::IAM::Policy>& identity_policies,
const std::vector<rgw::IAM::Policy>& session_policies,
extern bool verify_object_permission_no_policy(
const DoutPrefixProvider* dpp,
req_state * const s,
- RGWAccessControlPolicy * const user_acl,
- RGWAccessControlPolicy * const bucket_acl,
- RGWAccessControlPolicy * const object_acl,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
+ const RGWAccessControlPolicy& object_acl,
int perm);
extern bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, req_state *s,
int perm);
}
entry.user = s->user->get_id().to_str();
- if (s->object_acl)
- entry.object_owner = s->object_acl->get_owner().id;
+ entry.object_owner = s->object_acl.get_owner().id;
entry.bucket_owner = s->bucket_owner.id;
uint64_t bytes_sent = ACCOUNTING_IO(s)->get_bytes_sent();
} else if (strcasecmp(index, "ZoneGroup") == 0) {
create_metatable<ZoneGroupMetaTable>(L, name, index, false, s);
} else if (strcasecmp(index, "UserACL") == 0) {
- create_metatable<ACLMetaTable>(L, name, index, false, s->user_acl);
+ create_metatable<ACLMetaTable>(L, name, index, false, &s->user_acl);
} else if (strcasecmp(index, "BucketACL") == 0) {
- create_metatable<ACLMetaTable>(L, name, index, false, s->bucket_acl);
+ create_metatable<ACLMetaTable>(L, name, index, false, &s->bucket_acl);
} else if (strcasecmp(index, "ObjectACL") == 0) {
- create_metatable<ACLMetaTable>(L, name, index, false, s->object_acl);
+ create_metatable<ACLMetaTable>(L, name, index, false, &s->object_acl);
} else if (strcasecmp(index, "Environment") == 0) {
create_metatable<StringMapMetaTable<rgw::IAM::Environment>>(L, name, index, false, &(s->env));
} else if (strcasecmp(index, "Policy") == 0) {
static int decode_policy(const DoutPrefixProvider *dpp,
CephContext *cct,
bufferlist& bl,
- RGWAccessControlPolicy *policy)
+ RGWAccessControlPolicy& policy)
{
auto iter = bl.cbegin();
try {
- policy->decode(iter);
+ policy.decode(iter);
} catch (buffer::error& err) {
ldpp_dout(dpp, 0) << "ERROR: could not decode policy, caught buffer::error" << dendl;
return -EIO;
}
if (cct->_conf->subsys.should_gather<ceph_subsys_rgw, 15>()) {
ldpp_dout(dpp, 15) << __func__ << " Read AccessControlPolicy";
- rgw::s3::write_policy_xml(*policy, *_dout);
+ rgw::s3::write_policy_xml(policy, *_dout);
*_dout << dendl;
}
return 0;
map<string, bufferlist>& attrs,
RGWAccessControlPolicy& policy /* out */)
{
- auto aiter = attrs.find(RGW_ATTR_ACL);
- if (aiter != attrs.end()) {
- int ret = decode_policy(dpp, cct, aiter->second, &policy);
- if (ret < 0) {
- return ret;
- }
- } else {
+ auto i = attrs.find(RGW_ATTR_ACL);
+ if (i == attrs.end()) {
return -ENOENT;
}
-
- return 0;
+ return decode_policy(dpp, cct, i->second, policy);
}
/**
rgw::sal::Driver* driver,
const rgw_user& bucket_owner,
map<string, bufferlist>& bucket_attrs,
- RGWAccessControlPolicy *policy,
+ RGWAccessControlPolicy& policy,
optional_yield y)
{
map<string, bufferlist>::iterator aiter = bucket_attrs.find(RGW_ATTR_ACL);
if (r < 0)
return r;
- policy->create_default(user->get_id(), user->get_display_name());
+ policy.create_default(user->get_id(), user->get_display_name());
}
return 0;
}
rgw::sal::Driver* driver,
RGWBucketInfo& bucket_info,
map<string, bufferlist>& bucket_attrs,
- RGWAccessControlPolicy *policy,
+ RGWAccessControlPolicy& policy,
string *storage_class,
rgw::sal::Object* obj,
optional_yield y)
if (ret < 0)
return ret;
- policy->create_default(bucket_info.owner, user->get_display_name());
+ policy.create_default(bucket_info.owner, user->get_display_name());
}
if (storage_class) {
req_state *s,
RGWBucketInfo& bucket_info,
map<string, bufferlist>& bucket_attrs,
- RGWAccessControlPolicy *policy,
+ RGWAccessControlPolicy& policy,
rgw_bucket& bucket,
optional_yield y)
{
int ret = rgw_op_get_bucket_policy_from_attr(dpp, s->cct, driver, bucket_info.owner,
bucket_attrs, policy, y);
if (ret == -ENOENT) {
- ret = -ERR_NO_SUCH_BUCKET;
+ ret = -ERR_NO_SUCH_BUCKET;
}
return ret;
req_state *s,
RGWBucketInfo& bucket_info,
map<string, bufferlist>& bucket_attrs,
- RGWAccessControlPolicy* acl,
+ RGWAccessControlPolicy& acl,
string *storage_class,
boost::optional<Policy>& policy,
rgw::sal::Bucket* bucket,
that we send a proper error code */
RGWAccessControlPolicy bucket_policy;
ret = rgw_op_get_bucket_policy_from_attr(dpp, s->cct, driver, bucket_info.owner,
- bucket_attrs, &bucket_policy, y);
+ bucket_attrs, bucket_policy, y);
if (ret < 0) {
return ret;
}
}
}
- if(s->dialect.compare("s3") == 0) {
- s->bucket_acl = std::make_unique<RGWAccessControlPolicy>();
- } else if(s->dialect.compare("swift") == 0) {
- /* We aren't allocating the account policy for those operations using
- * the Swift's infrastructure that don't really need req_state::user.
- * Typical example here is the implementation of /info. */
- if (!s->user->get_id().empty()) {
- s->user_acl = std::make_unique<RGWAccessControlPolicy>();
- }
- s->bucket_acl = std::make_unique<RGWAccessControlPolicy>();
- } else {
- s->bucket_acl = std::make_unique<RGWAccessControlPolicy>();
- }
-
const RGWZoneGroup& zonegroup = s->penv.site->get_zonegroup();
/* check if copy source is within the current domain */
s->bucket_attrs = s->bucket->get_attrs();
ret = read_bucket_policy(dpp, driver, s, s->bucket->get_info(),
s->bucket->get_attrs(),
- s->bucket_acl.get(), s->bucket->get_key(), y);
+ s->bucket_acl, s->bucket->get_key(), y);
acct_acl_user = {
s->bucket->get_info().owner,
- s->bucket_acl->get_owner().display_name,
+ s->bucket_acl.get_owner().display_name,
};
- s->bucket_owner = s->bucket_acl->get_owner();
+ s->bucket_owner = s->bucket_acl.get_owner();
s->zonegroup_endpoint = rgw::get_zonegroup_endpoint(zonegroup);
s->zonegroup_name = zonegroup.get_name();
}
/* handle user ACL only for those APIs which support it */
- if (s->user_acl) {
+ if (s->dialect == "swift" && !s->user->get_id().empty()) {
std::unique_ptr<rgw::sal::User> acl_user = driver->get_user(acct_acl_user.uid);
ret = acl_user->read_attrs(dpp, y);
if (!ret) {
- ret = get_user_policy_from_attr(dpp, s->cct, acl_user->get_attrs(), *s->user_acl);
+ ret = get_user_policy_from_attr(dpp, s->cct, acl_user->get_attrs(), s->user_acl);
}
if (-ENOENT == ret) {
/* In already existing clusters users won't have ACL. In such case
* 1. if we try to reach an existing bucket, its owner is considered
* as account owner.
* 2. otherwise account owner is identity stored in s->user->user_id. */
- s->user_acl->create_default(acct_acl_user.uid,
- acct_acl_user.display_name);
+ s->user_acl.create_default(acct_acl_user.uid,
+ acct_acl_user.display_name);
ret = 0;
} else if (ret < 0) {
ldpp_dout(dpp, 0) << "NOTICE: couldn't get user attrs for handling ACL "
int rgw_build_object_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* driver,
req_state *s, bool prefetch_data, optional_yield y)
{
- int ret = 0;
-
- if (!rgw::sal::Object::empty(s->object.get())) {
- if (!s->bucket_exists) {
- return -ERR_NO_SUCH_BUCKET;
- }
- s->object_acl = std::make_unique<RGWAccessControlPolicy>();
+ if (rgw::sal::Object::empty(s->object)) {
+ return 0;
+ }
+ if (!s->bucket_exists) {
+ return -ERR_NO_SUCH_BUCKET;
+ }
- s->object->set_atomic();
- if (prefetch_data) {
- s->object->set_prefetch_data();
- }
- ret = read_obj_policy(dpp, driver, s, s->bucket->get_info(), s->bucket_attrs,
- s->object_acl.get(), nullptr, s->iam_policy, s->bucket.get(),
- s->object.get(), y);
+ s->object->set_atomic();
+ if (prefetch_data) {
+ s->object->set_prefetch_data();
}
- return ret;
+ return read_obj_policy(dpp, driver, s, s->bucket->get_info(), s->bucket_attrs,
+ s->object_acl, nullptr, s->iam_policy, s->bucket.get(),
+ s->object.get(), y);
}
static int rgw_iam_remove_objtags(const DoutPrefixProvider *dpp, req_state* s, rgw::sal::Object* object, bool has_existing_obj_tag, bool has_resource_tag) {
int RGWGetObj::read_user_manifest_part(rgw::sal::Bucket* bucket,
const rgw_bucket_dir_entry& ent,
- RGWAccessControlPolicy * const bucket_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
const off_t start_ofs,
const off_t end_ofs,
ldpp_dout(this, 2) << "overriding permissions due to system operation" << dendl;
} else if (s->auth.identity->is_admin_of(s->user->get_id())) {
ldpp_dout(this, 2) << "overriding permissions due to admin operation" << dendl;
- } else if (!verify_object_permission(this, s, part->get_obj(), s->user_acl.get(),
- bucket_acl, &obj_policy, bucket_policy,
+ } else if (!verify_object_permission(this, s, part->get_obj(), s->user_acl,
+ bucket_acl, obj_policy, bucket_policy,
s->iam_user_policies, s->session_policies, action)) {
return -EPERM;
}
const off_t end,
rgw::sal::Bucket* bucket,
const string& obj_prefix,
- RGWAccessControlPolicy * const bucket_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
uint64_t * const ptotal_len,
uint64_t * const pobj_size,
string * const pobj_sum,
int (*cb)(rgw::sal::Bucket* bucket,
const rgw_bucket_dir_entry& ent,
- RGWAccessControlPolicy * const bucket_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
off_t start_ofs,
off_t end_ofs,
map<uint64_t, rgw_slo_part>& slo_parts,
int (*cb)(rgw::sal::Bucket* bucket,
const rgw_bucket_dir_entry& ent,
- RGWAccessControlPolicy *bucket_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
off_t start_ofs,
off_t end_ofs,
<< dendl;
// SLO is a Swift thing, and Swift has no knowledge of S3 Policies.
- int r = cb(part.bucket, ent, part.bucket_acl,
+ int r = cb(part.bucket, ent, *part.bucket_acl,
(part.bucket_policy ?
boost::optional<Policy>(*part.bucket_policy) : none),
start_ofs, end_ofs, cb_param, true /* swift_slo */);
static int get_obj_user_manifest_iterate_cb(rgw::sal::Bucket* bucket,
const rgw_bucket_dir_entry& ent,
- RGWAccessControlPolicy * const bucket_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
const off_t start_ofs,
const off_t end_ofs,
return r;
}
bucket_acl = &_bucket_acl;
- r = read_bucket_policy(this, driver, s, ubucket->get_info(), bucket_attrs, bucket_acl, ubucket->get_key(), y);
+ r = read_bucket_policy(this, driver, s, ubucket->get_info(), bucket_attrs, *bucket_acl, ubucket->get_key(), y);
if (r < 0) {
ldpp_dout(this, 0) << "failed to read bucket policy" << dendl;
return r;
pbucket = ubucket.get();
} else {
pbucket = s->bucket.get();
- bucket_acl = s->bucket_acl.get();
+ bucket_acl = &s->bucket_acl;
bucket_policy = &s->iam_policy;
}
* - overall DLO's content size,
* - md5 sum of overall DLO's content (for etag of Swift API). */
r = iterate_user_manifest_parts(this, s->cct, driver, ofs, end,
- pbucket, obj_prefix, bucket_acl, *bucket_policy,
+ pbucket, obj_prefix, *bucket_acl, *bucket_policy,
nullptr, &s->obj_size, &lo_etag,
nullptr /* cb */, nullptr /* cb arg */, y);
if (r < 0) {
}
r = iterate_user_manifest_parts(this, s->cct, driver, ofs, end,
- pbucket, obj_prefix, bucket_acl, *bucket_policy,
+ pbucket, obj_prefix, *bucket_acl, *bucket_policy,
&total_len, nullptr, nullptr,
nullptr, nullptr, y);
if (r < 0) {
}
r = iterate_user_manifest_parts(this, s->cct, driver, ofs, end,
- pbucket, obj_prefix, bucket_acl, *bucket_policy,
+ pbucket, obj_prefix, *bucket_acl, *bucket_policy,
nullptr, nullptr, nullptr,
get_obj_user_manifest_iterate_cb, (void *)this, y);
if (r < 0) {
}
bucket = tmp_bucket.get();
bucket_acl = &_bucket_acl;
- r = read_bucket_policy(this, driver, s, tmp_bucket->get_info(), tmp_bucket->get_attrs(), bucket_acl,
+ r = read_bucket_policy(this, driver, s, tmp_bucket->get_info(), tmp_bucket->get_attrs(), *bucket_acl,
tmp_bucket->get_key(), y);
if (r < 0) {
ldpp_dout(this, 0) << "failed to read bucket ACL for bucket "
}
} else {
bucket = s->bucket.get();
- bucket_acl = s->bucket_acl.get();
+ bucket_acl = &s->bucket_acl;
bucket_policy = s->iam_policy.get_ptr();
}
RGWAccessControlPolicy old_policy;
int r = rgw_op_get_bucket_policy_from_attr(this, s->cct, driver, info.owner,
s->bucket->get_attrs(),
- &old_policy, y);
+ old_policy, y);
if (r >= 0 && old_policy != policy) {
s->err.message = "Cannot modify existing access control policy";
op_ret = -EEXIST;
cs_object->set_prefetch_data();
/* check source object permissions */
- int ret = read_obj_policy(this, driver, s, copy_source_bucket_info, cs_attrs, &cs_acl, nullptr,
+ int ret = read_obj_policy(this, driver, s, copy_source_bucket_info, cs_attrs, cs_acl, nullptr,
policy, cs_bucket.get(), cs_object.get(), y, true);
if (ret < 0) {
return ret;
* contain such keys yet. */
if (has_policy) {
if (s->dialect.compare("swift") == 0) {
- rgw::swift::merge_policy(policy_rw_mask, *s->bucket_acl, policy);
+ rgw::swift::merge_policy(policy_rw_mask, s->bucket_acl, policy);
}
buffer::list bl;
policy.encode(bl);
rgw_placement_rule src_placement;
/* check source object permissions */
- op_ret = read_obj_policy(this, driver, s, src_bucket->get_info(), src_bucket->get_attrs(), &src_acl, &src_placement.storage_class,
+ op_ret = read_obj_policy(this, driver, s, src_bucket->get_info(), src_bucket->get_attrs(), src_acl, &src_placement.storage_class,
src_policy, src_bucket.get(), s->src_object.get(), y);
if (op_ret < 0) {
return op_ret;
/* check dest bucket permissions */
op_ret = read_bucket_policy(this, driver, s, s->bucket->get_info(),
s->bucket->get_attrs(),
- &dest_bucket_policy, s->bucket->get_key(), y);
+ dest_bucket_policy, s->bucket->get_key(), y);
if (op_ret < 0) {
return op_ret;
}
{
stringstream ss;
if (rgw::sal::Object::empty(s->object.get())) {
- rgw::s3::write_policy_xml(*s->bucket_acl, ss);
+ rgw::s3::write_policy_xml(s->bucket_acl, ss);
} else {
- rgw::s3::write_policy_xml(*s->object_acl, ss);
+ rgw::s3::write_policy_xml(s->object_acl, ss);
}
acls = ss.str();
}
void RGWPutACLs::execute(optional_yield y)
{
- RGWAccessControlPolicy* const existing_policy = \
- (rgw::sal::Object::empty(s->object.get()) ? s->bucket_acl.get() : s->object_acl.get());
+ const RGWAccessControlPolicy& existing_policy = \
+ (rgw::sal::Object::empty(s->object.get()) ? s->bucket_acl : s->object_acl);
- const ACLOwner& existing_owner = existing_policy->get_owner();
+ const ACLOwner& existing_owner = existing_policy.get_owner();
op_ret = get_params(y);
if (op_ret < 0) {
if (s->cct->_conf->subsys.should_gather<ceph_subsys_rgw, 15>()) {
ldpp_dout(this, 15) << "Old AccessControlPolicy";
- rgw::s3::write_policy_xml(*existing_policy, *_dout);
+ rgw::s3::write_policy_xml(existing_policy, *_dout);
*_dout << dendl;
ldpp_dout(this, 15) << "New AccessControlPolicy:";
optional_yield y)
{
RGWAccessControlPolicy bacl;
- int ret = read_bucket_policy(dpp, driver, s, binfo, battrs, &bacl, binfo.bucket, y);
+ int ret = read_bucket_policy(dpp, driver, s, binfo, battrs, bacl, binfo.bucket, y);
if (ret < 0) {
return false;
}
/* We can use global user_acl because each BulkDelete request is allowed
* to work on entities from a single account only. */
- return verify_bucket_permission(dpp, s, binfo.bucket, s->user_acl.get(),
- &bacl, policy, s->iam_user_policies, s->session_policies, rgw::IAM::s3DeleteBucket);
+ return verify_bucket_permission(dpp, s, binfo.bucket, s->user_acl,
+ bacl, policy, s->iam_user_policies, s->session_policies, rgw::IAM::s3DeleteBucket);
}
bool RGWBulkDelete::Deleter::delete_single(const acct_path_t& path, optional_yield y)
optional_yield y)
{
RGWAccessControlPolicy bacl;
- op_ret = read_bucket_policy(this, driver, s, binfo, battrs, &bacl, binfo.bucket, y);
+ op_ret = read_bucket_policy(this, driver, s, binfo, battrs, bacl, binfo.bucket, y);
if (op_ret < 0) {
ldpp_dout(this, 20) << "cannot read_policy() for bucket" << dendl;
return false;
}
}
- return verify_bucket_permission_no_policy(this, s, s->user_acl.get(),
- &bacl, RGW_PERM_WRITE);
+ return verify_bucket_permission_no_policy(this, s, s->user_acl,
+ bacl, RGW_PERM_WRITE);
}
int RGWBulkUploadOp::handle_file(const std::string_view path,
void RGWGetBucketPolicyStatus::execute(optional_yield y)
{
- isPublic = (s->iam_policy && rgw::IAM::is_public(*s->iam_policy)) || s->bucket_acl->is_public(this);
+ isPublic = (s->iam_policy && rgw::IAM::is_public(*s->iam_policy)) || s->bucket_acl.is_public(this);
}
int RGWPutBucketPublicAccessBlock::verify_permission(optional_yield y)
rgw::sal::Driver* driver,
const rgw_user& bucket_owner,
std::map<std::string, bufferlist>& bucket_attrs,
- RGWAccessControlPolicy *policy,
+ RGWAccessControlPolicy& policy,
optional_yield y);
class RGWHandler {
int read_user_manifest_part(
rgw::sal::Bucket* bucket,
const rgw_bucket_dir_entry& ent,
- RGWAccessControlPolicy * const bucket_acl,
+ const RGWAccessControlPolicy& bucket_acl,
const boost::optional<rgw::IAM::Policy>& bucket_policy,
const off_t start_ofs,
const off_t end_ofs,
s->user->get_attrs(),
s->user->get_info().quota.user_quota,
s->user->get_max_buckets(),
- *s->user_acl);
+ s->user_acl);
dump_errno(s);
dump_header(s, "Accept-Ranges", "bytes");
end_header(s, NULL, NULL, NO_CONTENT_LENGTH, true);
s->user->get_attrs(),
s->user->get_info().quota.user_quota,
s->user->get_max_buckets(),
- *s->user_acl);
+ s->user_acl);
dump_errno(s);
end_header(s, nullptr, nullptr, s->formatter->get_len(), true);
}
if (rgw::sal::Object::empty(s->object.get())) {
std::string read_acl, write_acl;
- rgw::swift::format_container_acls(*s->bucket_acl, read_acl, write_acl);
+ rgw::swift::format_container_acls(s->bucket_acl, read_acl, write_acl);
if (read_acl.size()) {
dump_header(s, "X-Container-Read", read_acl);
attrs,
s->user->get_info().quota.user_quota,
s->user->get_max_buckets(),
- *s->user_acl);
+ s->user_acl);
}
set_req_state_err(s, op_ret);
static int get_swift_container_settings(req_state * const s,
rgw::sal::Driver* const driver,
- RGWAccessControlPolicy * const policy,
+ RGWAccessControlPolicy& policy,
bool * const has_policy,
uint32_t * rw_mask,
RGWCORSConfiguration * const cors_config,
read_list,
write_list,
*rw_mask,
- *policy);
+ policy);
if (r < 0) {
return r;
}
bool has_policy;
uint32_t policy_rw_mask = 0;
- int r = get_swift_container_settings(s, driver, &policy, &has_policy,
+ int r = get_swift_container_settings(s, driver, policy, &has_policy,
&policy_rw_mask, &cors_config, &has_cors);
if (r < 0) {
return r;
static int get_swift_account_settings(req_state * const s,
rgw::sal::Driver* const driver,
- RGWAccessControlPolicy* const policy,
+ RGWAccessControlPolicy& policy,
bool * const has_policy)
{
*has_policy = false;
int r = rgw::swift::create_account_policy(s, driver,
s->user->get_id(),
s->user->get_display_name(),
- acl_attr, *policy);
+ acl_attr, policy);
if (r < 0) {
return r;
}
return -EINVAL;
}
- int ret = get_swift_account_settings(s, driver, &policy, &has_policy);
+ int ret = get_swift_account_settings(s, driver, policy, &has_policy);
if (ret < 0) {
return ret;
}
return -EINVAL;
}
- int r = get_swift_container_settings(s, driver, &policy, &has_policy,
+ int r = get_swift_container_settings(s, driver, policy, &has_policy,
&policy_rw_mask, &cors_config, &has_cors);
if (r < 0) {
return r;
projects / ceph-ci.git / commitdiff