rgw: TempURL properly handles accounts created with the implicit tenant. 12079/head
authorRadoslaw Zarzynski <rzarzynski@mirantis.com>
Sat, 19 Nov 2016 18:06:39 +0000 (19:06 +0100)
committerRadoslaw Zarzynski <rzarzynski@mirantis.com>
Wed, 23 Nov 2016 11:49:27 +0000 (12:49 +0100)
This is because in Jewel the TempURL implementation doesn't try calling
rgw_get_user_info_by_uid() on an rgw_user with the tenant field filled in,
as is done in the Keystone auth case.

The bug isn't present in master as we have there a new auth infrastructure.

Fixes: http://tracker.ceph.com/issues/17961
Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
src/rgw/rgw_swift.cc

index 0fdb310f30e61df0daf5512a55b76bc248b3d834..42f5c07883036350266da1576790cfba0bec9400 100644 (file)
@@ -617,10 +617,28 @@ int authenticate_temp_url(RGWRados * const store, req_state * const s)
    * about account is neccessary to obtain its bucket tenant. Without that,
    * the access would be limited to accounts with empty tenant. */
   string bucket_tenant;
-  if (!s->account_name.empty()) {
+  if (! s->account_name.empty()) {
     RGWUserInfo uinfo;
-
-    if (rgw_get_user_info_by_uid(store, s->account_name, uinfo) < 0) {
+    const rgw_user acct_user(s->account_name);
+
+    ldout(s->cct, 20) << "temp url: loading RGWUserInfo for rgw_user="
+                      << acct_user << dendl;
+
+    if (acct_user.tenant.empty()) {
+      rgw_user tenanted_acct_user(acct_user);
+      tenanted_acct_user.tenant = acct_user.id;
+
+      /* The account name specified in the URL doesn't have the tenant part.
+       * This means we have to handle the special case for Keystone-created
+       * accounts when the "rgw_keystone_implicit_tenants" was turned on.
+       * For more details about this mechanism please refer to the comment
+       * in RGWSwift::update_user_info(). */
+      if (rgw_get_user_info_by_uid(store, tenanted_acct_user, uinfo) < 0) {
+        if (rgw_get_user_info_by_uid(store, acct_user, uinfo) < 0) {
+          return -EPERM;
+        }
+      }
+    } else if (rgw_get_user_info_by_uid(store, acct_user, uinfo) < 0) {
       return -EPERM;
     }
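Review bot: The nested lookup at `if (rgw_get_user_info_by_uid(store, tenanted_acct_user, uinfo) < 0)` falls back to the tenant-less account on any negative return, not only when the tenanted account is missing. A transient backend error on the first lookup would then silently resolve the request to a different account of the same name, and the rest of authenticate_temp_url (outside this hunk) would presumably validate the signature against that account's keys. Assuming the helper reports a missing user as `-ENOENT`, restrict the fallback to that case: `int ret = rgw_get_user_info_by_uid(store, tenanted_acct_user, uinfo);` `if (ret == -ENOENT) ret = rgw_get_user_info_by_uid(store, acct_user, uinfo);` `if (ret < 0) return -EPERM;`. The comment should also state that when both `foo$foo` and the tenant-less `foo` exist, the implicit-tenant account takes precedence. A level-20 log line naming the rgw_user that was actually loaded would make that choice auditable.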