git-server-git.apps.pok.os.sepia.ceph.com Git - ceph.git/commitdiff
rgw: read_obj_policy() consults s3:prefix when deciding between 403/404 68651/head
author Casey Bodley <cbodley@redhat.com>
Thu, 23 Apr 2026 15:53:16 +0000 (11:53 -0400)
committer Casey Bodley <cbodley@redhat.com>
Tue, 28 Apr 2026 12:40:23 +0000 (08:40 -0400)
when read_obj_policy() gets ENOENT, it only returns 404 NoSuchKey if the
requester has s3:ListBucket permission. however, policy that allows
s3:ListBucket may be conditional on the s3:prefix to restrict listings
to certain paths/object names. add the requested object name to the iam
environment as s3:prefix to match aws behavior here

Fixes: https://tracker.ceph.com/issues/74398
Signed-off-by: Casey Bodley <cbodley@redhat.com>
(cherry picked from commit 363a81ca8d0bf2f1e84b2d48aa02be40d5398147)

src/rgw/rgw_op.cc

index 414972e4674450495522b237933e5678c992f07d..e3bb57533ca86bc439a36c9341155da1145bbc93 100644 (file)
@@ -465,6 +465,8 @@ static int read_obj_policy(const DoutPrefixProvider *dpp,
       return -ENOENT;
     }
 
+    s->env.emplace("s3:prefix", object->get_name());
+
     if (verify_bucket_permission(dpp, s, bucket->get_key(), s->user_acl,
                                  bucket_policy, policy, s->iam_identity_policies,
                                  s->session_policies, rgw::IAM::s3ListBucket)) {
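Review bot: The added `s->env.emplace("s3:prefix", object->get_name());` writes into the request-wide `s->env` and nothing in this hunk removes the entry afterwards, so any policy evaluation that runs later in the same request will also see `s3:prefix` set to the object name. If the key is only meant to influence the `s3ListBucket` check that picks between 403 and 404, consider evaluating against a local copy of the environment, or erasing the entry once `verify_bucket_permission()` returns. It is also worth confirming what happens if `s3:prefix` is already present in `s->env` at this point: `emplace()` never replaces an existing value, so depending on the container it either does nothing or adds a second value next to the first. A one-line comment above the call saying that the object name stands in for the listing prefix on the ENOENT path would help, since the reason is otherwise only in the commit message. The diff touches only src/rgw/rgw_op.cc; a test with a bucket policy that allows s3:ListBucket conditioned on s3:prefix, requesting a missing key both inside and outside the allowed prefix, would pin down the 404 and 403 cases.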