const uint64_t op)
{
auto usr_policy_res = eval_user_policies(user_policies, s->env, boost::none, op, res);
- if (usr_policy_res == Effect::Deny)
+ if (usr_policy_res == Effect::Deny) {
return false;
+ }
- auto perm = op_to_perm(op);
+ if (op == rgw::IAM::s3CreateBucket || op == rgw::IAM::s3ListAllMyBuckets) {
+ auto perm = op_to_perm(op);
- return verify_user_permission_no_policy(s, user_acl, perm);
+ return verify_user_permission_no_policy(s, user_acl, perm);
+ }
+
+ if (usr_policy_res == Effect::Pass) {
+ return false;
+ }
+ else if (usr_policy_res == Effect::Allow) {
+ return true;
+ }
+ return false;
}
bool verify_user_permission_no_policy(struct req_state * const s,
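Review bot: The three-way chain that follows the CreateBucket/ListAllMyBuckets branch (the `Effect::Pass` test, the `else if` on `Effect::Allow`, and the trailing `return false;`) collapses to one line, because every outcome other than Allow already denies: `return usr_policy_res == Effect::Allow;`. The single-line form also makes the fail-closed contract obvious, and a comment above the bucket-op branch would spell it out: `// Without an explicit Allow from a user policy the op is denied; only the two account-level bucket ops fall back to the no-policy ACL path.` The explicit Deny test comes first, so a Deny also overrides that ACL fall-back for the two bucket ops, which is the right precedence and worth stating in the same comment. The function's signature begins before the hunk.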
case s3DeleteObjectVersionTagging:
return "s3:DeleteObjectVersionTagging";
+
+ case iamPutUserPolicy:
+ return "iam:PutUserPolicy";
+
+ case iamGetUserPolicy:
+ return "iam:GetUserPolicy";
+
+ case iamListUserPolicies:
+ return "iam:ListUserPolicies";
+
+ case iamDeleteUserPolicy:
+ return "iam:DeleteUserPolicy";
+
+ case iamCreateRole:
+ return "iam:CreateRole";
+
+ case iamDeleteRole:
+ return "iam:DeleteRole";
+
+ case iamGetRole:
+ return "iam:GetRole";
+
+ case iamModifyRole:
+ return "iam:ModifyRole";
+
+ case iamListRoles:
+ return "iam:ListRoles";
+
+ case iamPutRolePolicy:
+ return "iam:PutRolePolicy";
+
+ case iamGetRolePolicy:
+ return "iam:GetRolePolicy";
+
+ case iamListRolePolicies:
+ return "iam:ListRolePolicies";
+
+ case iamDeleteRolePolicy:
+ return "iam:DeleteRolePolicy";
}
return "s3Invalid";
}
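Review bot: `iamModifyRole` is rendered as `"iam:ModifyRole"`, which as far as I know is not an action name in AWS IAM (role updates there are `iam:UpdateRole` and `iam:UpdateAssumeRolePolicy`); the other new `iam:*` strings do match their AWS names. If this table is mirrored by the action-parsing side, a policy document written with the AWS name would fail to match and, under the default-deny evaluation elsewhere in this commit, the op would be refused. If AWS-compatible policy documents are a goal, either align the string with the AWS action or document the divergence next to the enum, e.g. `// Ceph-specific; no AWS equivalent action name`.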
int RGWRestUserPolicy::verify_permission()
{
- int ret = check_caps(s->user->caps);
- ldout(s->cct, 0) << "INFO: verify_permissions ret" << ret << dendl;
- return ret;
+ if (s->auth.identity->is_anonymous()) {
+ return -EACCES;
+ }
+
+ if(int ret = check_caps(s->user->caps); ret == 0) {
+ return ret;
+ }
+
+ uint64_t op = get_op();
+ string user_name = s->info.args.get("UserName");
+ rgw_user user_id(user_name);
+ if (! verify_user_permission(s, rgw::IAM::ARN(rgw::IAM::ARN(user_id.id,
+ "user",
+ user_id.tenant)), op)) {
+ return -EACCES;
+ }
+ return 0;
}
bool RGWRestUserPolicy::validate_input()
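Review bot: The resource ARN that the policy is evaluated against is built entirely from the client-supplied `UserName` query parameter, including the tenant that `rgw_user` parses out of it, and nothing in this body rejects an empty or absent name before `verify_user_permission` runs; unless `validate_input` (declared right after this function) is guaranteed to run first, add `if (user_name.empty()) { return -EINVAL; }` ahead of the ARN construction so the check is never made against an empty `user/` ARN and execution does not rely on a later lookup failing. Two smaller points in the same body: `rgw::IAM::ARN(rgw::IAM::ARN(user_id.id, "user", user_id.tenant))` constructs an ARN and immediately copies it, so the outer `rgw::IAM::ARN(...)` can go; and in the caps branch `ret` is known to be 0 when it is returned, so `return 0;` states the intent more clearly than `return ret;`. A comment on that branch would also help the next reader: `// A "user-policy" capability short-circuits the IAM policy evaluation below.`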
return caps.check_cap("user-policy", RGW_CAP_WRITE);
}
+uint64_t RGWPutUserPolicy::get_op()
+{
+ return rgw::IAM::iamPutUserPolicy;
+}
+
int RGWPutUserPolicy::get_params()
{
policy_name = s->info.args.get("PolicyName");
}
bufferlist bl = bufferlist::static_from_string(policy);
- ldout(s->cct, 0) << "policy: " << policy << dendl;
- ldout(s->cct, 0) << "bufferlist: " << bl.c_str() << dendl;
RGWUserInfo info;
rgw_user user_id(user_name);
ldout(s->cct, 20) << "failed to parse policy: " << e.what() << dendl;
op_ret = -ERR_MALFORMED_DOC;
}
- ldout(s->cct, 20) << "op_ret is : " << op_ret << dendl;
+}
+
+uint64_t RGWGetUserPolicy::get_op()
+{
+ return rgw::IAM::iamGetUserPolicy;
}
int RGWGetUserPolicy::get_params()
}
}
+uint64_t RGWListUserPolicies::get_op()
+{
+ return rgw::IAM::iamListUserPolicies;
+}
+
int RGWListUserPolicies::get_params()
{
user_name = s->info.args.get("UserName");
}
}
+uint64_t RGWDeleteUserPolicy::get_op()
+{
+ return rgw::IAM::iamDeleteUserPolicy;
+}
+
int RGWDeleteUserPolicy::get_params()
{
policy_name = s->info.args.get("PolicyName");
public:
int verify_permission() override;
+ virtual uint64_t get_op() = 0;
void send_response() override;
void dump(Formatter *f) const;
};
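Review bot: `get_op()` is a pure accessor that each subclass implements as a constant return, so the pure virtual `virtual uint64_t get_op() = 0;` should be `const`, and the overrides added in the four subclasses further down (`uint64_t get_op() override;` in each) should carry `const` as well, matching `name() const` in the same classes. A one-line doc comment on the base declaration would also tell readers what the value feeds: `/// IAM action (an rgw::IAM::iam* value) that verify_permission() authorizes against.` The class definition itself starts before the hunk.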
void execute() override;
int get_params();
const char* name() const override { return "put_user-policy"; }
+ uint64_t get_op() override;
RGWOpType get_type() override { return RGW_OP_PUT_USER_POLICY; }
};
void execute() override;
int get_params();
const char* name() const override { return "get_user_policy"; }
+ uint64_t get_op() override;
RGWOpType get_type() override { return RGW_OP_GET_USER_POLICY; }
};
void execute() override;
int get_params();
const char* name() const override { return "list_user_policies"; }
+ uint64_t get_op() override;
RGWOpType get_type() override { return RGW_OP_LIST_USER_POLICIES; }
};
void execute() override;
int get_params();
const char* name() const override { return "delete_user_policy"; }
+ uint64_t get_op() override;
RGWOpType get_type() override { return RGW_OP_DELETE_USER_POLICY; }
};