_add_grant(grant);
}
-int RGWAccessControlList::get_perm(rgw_user& id, int perm_mask) {
- ldout(cct, 5) << "Searching permissions for uid=" << id << " mask=" << perm_mask << dendl;
- map<string, int>::iterator iter = acl_user_map.find(id.to_str());
- if (iter != acl_user_map.end()) {
- ldout(cct, 5) << "Found permission: " << iter->second << dendl;
- return iter->second & perm_mask;
- }
- ldout(cct, 5) << "Permissions for user not found" << dendl;
- return 0;
+int RGWAccessControlList::get_perm(const RGWIdentityApplier& auth_identity,
+ const int perm_mask)
+{
+ ldout(cct, 5) << "Searching permissions for identity=" << auth_identity
+ << " mask=" << perm_mask << dendl;
+
+ return perm_mask & auth_identity.get_perms_from_aclspec(acl_user_map);
}
int RGWAccessControlList::get_group_perm(ACLGroupTypeEnum group, int perm_mask) {
return 0;
}
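Review bot: The rewritten `RGWAccessControlList::get_perm` drops the per-lookup debug output the old version had (`Found permission:` / `Permissions for user not found`), so the only trace left is the mask on entry; when an ACL decision is disputed, the resolved grant is the value operators need to see. Capture the result before masking and log it: `const int perms = auth_identity.get_perms_from_aclspec(acl_user_map);` followed by `ldout(cct, 5) << "Found permission: " << perms << dendl;` and `return perm_mask & perms;`. Whether `get_perms_from_aclspec` yields 0 for an identity absent from the ACL, as the old map miss did, is not visible in this hunk and deserves a comment on the applier's contract.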
-int RGWAccessControlPolicy::get_perm(rgw_user& id, int perm_mask) {
- int perm = acl.get_perm(id, perm_mask);
+int RGWAccessControlPolicy::get_perm(const RGWIdentityApplier& auth_identity,
+ const int perm_mask)
+{
+ int perm = acl.get_perm(auth_identity, perm_mask);
- if (id.compare(owner.get_id()) == 0) {
+ if (auth_identity.is_owner_of(owner.get_id())) {
perm |= perm_mask & (RGW_PERM_READ_ACP | RGW_PERM_WRITE_ACP);
}
if ((perm & perm_mask) != perm_mask) {
perm |= acl.get_group_perm(ACL_GROUP_ALL_USERS, perm_mask);
- if (id.compare(RGW_USER_ANON_ID)) {
+ if (false == auth_identity.is_owner_of(rgw_user(RGW_USER_ANON_ID))) {
/* this is not the anonymous user */
perm |= acl.get_group_perm(ACL_GROUP_AUTHENTICATED_USERS, perm_mask);
}
}
- ldout(cct, 5) << "Getting permissions id=" << id << " owner=" << owner.get_id() << " perm=" << perm << dendl;
+ ldout(cct, 5) << "Getting permissions identity=" << auth_identity
+ << " owner=" << owner.get_id()
+ << " perm=" << perm << dendl;
return perm;
}
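Review bot: The anonymous-user test on line 36 now asks `is_owner_of(rgw_user(RGW_USER_ANON_ID))` rather than whether the identity itself is anonymous, which conflates two different questions: an applier whose ownership notion is broader than plain uid equality (for instance a system or admin-style identity that claims ownership of everything) would be treated as anonymous and lose the AUTHENTICATED_USERS grant, while an applier for an anonymous request that does not report owning the anon uid would gain it. Since `RGWIdentityApplier` is an abstraction this change introduces, a dedicated predicate is cleaner and fails safe: `if (!auth_identity.is_anonymous()) {` with the comment `/* AUTHENTICATED_USERS must never apply to an anonymous request */`. The removed `id.compare(RGW_USER_ANON_ID)` was a pure uid comparison, so that is the intent the new line should preserve. Adding `is_anonymous()` to the applier interface is outside this hunk.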
-bool RGWAccessControlPolicy::verify_permission(rgw_user& uid, int user_perm_mask, int perm)
+bool RGWAccessControlPolicy::verify_permission(const RGWIdentityApplier& auth_identity,
+ const int user_perm_mask,
+ const int perm)
{
int test_perm = perm | RGW_PERM_READ_OBJS | RGW_PERM_WRITE_OBJS;
- int policy_perm = get_perm(uid, test_perm);
+ int policy_perm = get_perm(auth_identity, test_perm);
/* the swift WRITE_OBJS perm is equivalent to the WRITE obj, just
convert those bits. Note that these bits will only be set on
int acl_perm = policy_perm & perm & user_perm_mask;
- ldout(cct, 10) << " uid=" << uid << " requested perm (type)=" << perm << ", policy perm=" << policy_perm << ", user_perm_mask=" << user_perm_mask << ", acl perm=" << acl_perm << dendl;
+ ldout(cct, 10) << " identity=" << auth_identity
+ << " requested perm (type)=" << perm
+ << ", policy perm=" << policy_perm
+ << ", user_perm_mask=" << user_perm_mask
+ << ", acl perm=" << acl_perm << dendl;
return (perm == acl_perm);
}
};
WRITE_CLASS_ENCODER(ACLGrant)
+class RGWIdentityApplier;
+
class RGWAccessControlList
{
protected:
virtual ~RGWAccessControlList() {}
- int get_perm(rgw_user& id, int perm_mask);
+ int get_perm(const RGWIdentityApplier& auth_identity,
+ int perm_mask);
int get_group_perm(ACLGroupTypeEnum group, int perm_mask);
void encode(bufferlist& bl) const {
ENCODE_START(3, 3, bl);
acl.set_ctx(ctx);
}
- int get_perm(rgw_user& id, int perm_mask);
+ int get_perm(const RGWIdentityApplier& auth_identity,
+ int perm_mask);
int get_group_perm(ACLGroupTypeEnum group, int perm_mask);
- bool verify_permission(rgw_user& uid, int user_perm_mask, int perm);
+ bool verify_permission(const RGWIdentityApplier& auth_identity,
+ int user_perm_mask,
+ int perm);
void encode(bufferlist& bl) const {
ENCODE_START(2, 2, bl);