account principals of the form ``arn:aws:iam::123456789012:root`` or
``123456789012`` delegate authority to the account, which means that
it applies to all of the account's users and roles
Signed-off-by: Casey Bodley <cbodley@redhat.com>
bool rgw::auth::RoleApplier::is_identity(const Principal& p) const {
if (p.is_wildcard()) {
return true;
+ } else if (p.is_account()) {
+ return match_account_or_tenant(role.account_id, role.tenant,
+ p.get_account());
} else if (p.is_role()) {
return p.get_id() == role.name // TODO: match path/name
&& p.get_account() == role.tenant;
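Review bot: The role-principal branch directly below the added account branch still compares `p.get_account()` only with `role.tenant`, so the two branches now disagree about what identifies the role's owner. If a role can carry a non-empty `role.account_id`, as the new call suggests, a role-ARN principal that names the account id would not match there even though the account principal does; consider `&& match_account_or_tenant(role.account_id, role.tenant, p.get_account());` on that line. Since an account principal now matches every role in the account, a short comment on the new branch such as `// account principal: delegates to every role owned by this account` would help anyone auditing policy evaluation. The helper is not visible in this hunk, so it is worth confirming that `match_account_or_tenant` cannot return true when both the role's ids and the principal's account are empty. The body of is_identity continues outside the hunk.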