From: Abhishek Lekshmanan Date: Wed, 29 Jan 2020 11:56:33 +0000 (+0100) Subject: rgw: implement IgnorePublicACLs X-Git-Tag: v15.1.1~555^2~12 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=065ecd3f437542adffdb62fb8f2542be78b1e57d;p=ceph.git rgw: implement IgnorePublicACLs This allows for ignoring bucket/object acls that are configured to be public Signed-off-by: Abhishek Lekshmanan --- diff --git a/src/rgw/rgw_acl.cc b/src/rgw/rgw_acl.cc index ac6313f81507..ff27a7ae676a 100644 --- a/src/rgw/rgw_acl.cc +++ b/src/rgw/rgw_acl.cc @@ -116,7 +116,8 @@ uint32_t RGWAccessControlList::get_referer_perm(const uint32_t current_perm, uint32_t RGWAccessControlPolicy::get_perm(const DoutPrefixProvider* dpp, const rgw::auth::Identity& auth_identity, const uint32_t perm_mask, - const char * const http_referer) + const char * const http_referer, + bool ignore_public_acls) { ldpp_dout(dpp, 20) << "-- Getting permissions begin with perm_mask=" << perm_mask << dendl; @@ -132,7 +133,7 @@ uint32_t RGWAccessControlPolicy::get_perm(const DoutPrefixProvider* dpp, } /* should we continue looking up? */ - if ((perm & perm_mask) != perm_mask) { + if (!ignore_public_acls && ((perm & perm_mask) != perm_mask)) { perm |= acl.get_group_perm(ACL_GROUP_ALL_USERS, perm_mask); if (false == auth_identity.is_owner_of(rgw_user(RGW_USER_ANON_ID))) { 
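Review bot: The new guard in get_perm widens what "public" means: with `ignore_public_acls` set the whole lookup block is skipped, so not only the ALL_USERS grant but also the anonymous-identity branch visible at the end of the hunk, and whatever the block grants after that (it continues past the hunk; presumably the AUTHENTICATED_USERS group and the referer handling that get_referer_perm exists for), is bypassed. That is consistent with the AWS definition of a public grant if the block only covers group grantees, but the intended scope should be stated in code, e.g. above the condition `/* ignore_public_acls: skip every group/anonymous grant and fall through to the remaining owner/user checks */`. If referer-based grants are meant to survive IgnorePublicACLs, the flag should wrap only the group lookups rather than the enclosing if. The guarded block ends outside the hunk.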
@@ -157,11 +158,12 @@ bool RGWAccessControlPolicy::verify_permission(const DoutPrefixProvider* dpp, const rgw::auth::Identity& auth_identity, const uint32_t user_perm_mask, const uint32_t perm, - const char * const http_referer) + const char * const http_referer, + bool ignore_public_acls) { uint32_t test_perm = perm | RGW_PERM_READ_OBJS | RGW_PERM_WRITE_OBJS; - uint32_t policy_perm = get_perm(dpp, auth_identity, test_perm, http_referer); + uint32_t policy_perm = get_perm(dpp, auth_identity, test_perm, http_referer, ignore_public_acls); /* the swift WRITE_OBJS perm is equivalent to the WRITE obj, just convert those bits. Note that these bits will only be set on diff --git a/src/rgw/rgw_acl.h b/src/rgw/rgw_acl.h index 0ba06ef8b6cc..278e8b4cbe93 100644 --- a/src/rgw/rgw_acl.h +++ b/src/rgw/rgw_acl.h @@ -418,12 +418,14 @@ public: uint32_t get_perm(const DoutPrefixProvider* dpp, const rgw::auth::Identity& auth_identity, uint32_t perm_mask, - const char * http_referer); + const char * http_referer, + bool ignore_public_acls=false); bool verify_permission(const DoutPrefixProvider* dpp, const rgw::auth::Identity& auth_identity, uint32_t user_perm_mask, uint32_t perm, - const char * http_referer = nullptr); + const char * http_referer = nullptr, + bool ignore_public_acls=false); void encode(bufferlist& bl) const { ENCODE_START(2, 2, bl); diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc index e44854bfa642..b38f3448ca00 100644 --- a/src/rgw/rgw_common.cc +++ b/src/rgw/rgw_common.cc @@ -1332,7 +1332,10 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_b return false; } - bool ret = object_acl->verify_permission(dpp, *s->identity, s->perm_mask, perm); + bool ret = object_acl->verify_permission(dpp, *s->auth.identity, s->perm_mask, perm, + nullptr, /* http_referrer */ + s->bucket_access_conf && + s->bucket_access_conf->ignore_public_acls()); if (ret) { return true; } 
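Review bot: The defaulted `bool ignore_public_acls=false` on both declarations means any caller that is not explicitly updated keeps honoring public grants, so a bucket's public-access block is silently not applied on that path; the default is fine for source compatibility, but every remaining verify_permission/get_perm call site that evaluates a request against a bucket should be audited (this patch wires only the two object-permission paths in rgw_common.cc). The parameter is also undocumented; I would add above get_perm `/// @param ignore_public_acls when true, grants to public (group/anonymous) grantees are not counted; set from the bucket's IgnorePublicACLs configuration`. Minor style: `ignore_public_acls=false` lacks the spaces used by the neighbouring `http_referer = nullptr` default.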
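Review bot: The expression `s->bucket_access_conf && s->bucket_access_conf->ignore_public_acls()` is written out inline here and again in verify_object_permission_no_policy in the next hunk, with differently spelled placeholder comments (`/* http_referrer */` vs `/* http referrer */`) for a parameter actually named `http_referer`; a file-local helper along the lines of `static bool ignore_public_acls(const struct perm_state_base* s) { return s->bucket_access_conf && s->bucket_access_conf->ignore_public_acls(); }` would keep both call sites in step as further checks are wired up. The same lines also change the identity argument from `*s->identity` to `*s->auth.identity`, which the commit message does not mention; if that is a rename rather than a behavior change it deserves a word in the description. The description speaks of bucket and object ACLs, yet the visible hunks pass the flag only on the object-ACL paths, so unless a hunk outside this page covers it the bucket-ACL verification in this file still honors public grants. verify_object_permission's body begins before this hunk.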
@@ -1396,7 +1399,10 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, return false; } - bool ret = object_acl->verify_permission(dpp, *s->identity, s->perm_mask, perm); + bool ret = object_acl->verify_permission(dpp, *s->auth.identity, s->perm_mask, perm, + nullptr, /* http referrer */ + s->bucket_access_conf && + s->bucket_access_conf->ignore_public_acls()); if (ret) { return true; }