rgw : add check for tenant provided in RGWCreateRole 42637/head
authorcao.leilc <cao.leilc@inspur.com>
Thu, 17 Jun 2021 12:04:23 +0000 (20:04 +0800)
committerCory Snyder <csnyder@iland.com>
Wed, 4 Aug 2021 14:18:08 +0000 (10:18 -0400)
Fixes: https://tracker.ceph.com/issues/51206
Signed-off-by: caolei <halei15848934852@163.com>
(cherry picked from commit 3c99ac14080c9f5b1611c9bbe4a223a9fd2927a0)

Conflicts:
src/rgw/rgw_rest_role.cc

Cherry-pick notes:
- Pacific constructs role explicitly vs. using store->get_role(), and does not wrap in a unique_ptr

src/rgw/rgw_rest_role.cc

index 1e9cdf71b217d9dacd854035233358fe2c69b366..61964ba53eef41f471e538d5e09a42657b2af185 100644 (file)
@@ -130,8 +130,15 @@ void RGWCreateRole::execute(optional_yield y)
   if (op_ret < 0) {
     return;
   }
+  std::string user_tenant = s->user->get_tenant();
   RGWRole role(s->cct, store->getRados()->pctl, role_name, role_path, trust_policy,
-                s->user->get_tenant(), max_session_duration);
+             user_tenant, max_session_duration);
+  if (!user_tenant.empty() && role.get_tenant() != user_tenant) {
+    ldpp_dout(this, 20) << "ERROR: the tenant provided in the role name does not match with the tenant of the user creating the role"
+                        << dendl;
+    op_ret = -EINVAL;
+    return;
+  }
   op_ret = role.create(s, true, y);
 
   if (op_ret == -EEXIST) {
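Review bot: The guard added at L28 is skipped whenever the calling user's tenant is empty, so a tenant-less user can still create a role whose tenant was taken from the role name (presumably via a `tenant$name` prefix parsed in the RGWRole constructor, which is not visible here) and land it in an arbitrary tenant; if that is the intended escape hatch for tenant-less/admin users, record it with a comment such as `// tenant-less (admin) users may create roles in any tenant`, otherwise drop the `!user_tenant.empty() &&` condition so the comparison always runs. The mismatch is logged at level 20 with an `ERROR:` prefix, which is invisible at default log levels; a request denied for a cross-tenant attempt is operationally relevant and would be better at `ldpp_dout(this, 0)` or similar. Since `user_tenant` is the value passed into the constructor, any difference in `role.get_tenant()` can only come from the name, so the log message is accurate, but it may also be worth stating that assumption in a comment next to the check. `RGWCreateRole::execute` begins before and ends after this hunk.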