From: Seena Fallah Date: Wed, 1 May 2024 16:27:44 +0000 (+0200) Subject: rgw: implement RestrictPublicBuckets from PublicAccessBlock X-Git-Tag: v20.3.0~134^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=07ad231606d35c5de4290bc15349aae7f7c9d168;p=ceph.git rgw: implement RestrictPublicBuckets from PublicAccessBlock According to the AWS docs (https://docs.aws.amazon.com/AmazonS3/latest/userguide/access-control-block-public-access.html) If RestrictPublicBuckets is set to true and there are public policies in place, Only access from the bucket owner's account is possible. Fixes: https://tracker.ceph.com/issues/65741 Signed-off-by: Seena Fallah
---
diff --git a/PendingReleaseNotes b/PendingReleaseNotes
index 9e8b929dbbbe..2fca442c65ac 100644
--- a/PendingReleaseNotes
+++ b/PendingReleaseNotes
@@ -124,6 +124,9 @@
 ISA-L is recommended for new pools because the Jerasure library is no longer maintained.
+* RGW: Added support for the `RestrictPublicBuckets` property of the S3 `PublicAccessBlock`
+ configuration.
+
 >=19.2.1
 * CephFS: Command `fs subvolume create` now allows tagging subvolumes through option
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 97e8973b1625..5c048223d98d 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1141,12 +1141,12 @@ struct perm_state_from_req_state : public perm_state_base {
 };
 Effect eval_or_pass(const DoutPrefixProvider* dpp,
- const boost::optional& policy,
- const rgw::IAM::Environment& env,
- boost::optional id,
- const uint64_t op,
- const ARN& resource,
- boost::optional princ_type=boost::none) {
+ const boost::optional& policy,
+ const rgw::IAM::Environment& env,
+ boost::optional id,
+ const uint64_t op,
+ const ARN& resource,
+ boost::optional princ_type=boost::none) {
 if (!policy) return Effect::Pass;
 else
@@ -1336,7 +1336,7 @@ bool verify_requester_payer_permission(struct perm_state_base *s)
 if (s->identity->is_owner_of(s->bucket_info.owner)) return true;
-
+
 if (s->identity->is_anonymous()) {
 return false;
 }
@@ -1367,6 +1367,15 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp,
 ldpp_dout(dpp, 16) << __func__ << ": policy: " << bucket_policy.get() << " resource: " << arn << dendl;
 }
+
+ // If RestrictPublicBuckets is enabled and the bucket policy allows public access,
+ // deny the request if the requester is not in the bucket owner account
+ const bool restrict_public_buckets = s->bucket_access_conf && s->bucket_access_conf->restrict_public_buckets();
+ if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !s->identity->is_owner_of(s->bucket_info.owner)) {
+ ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl;
+ return false;
+ }
+
 const auto effect = evaluate_iam_policies( dpp, s->env, *s->identity, account_root, op, arn, bucket_policy, identity_policies, session_policies);
@@ -1516,6 +1525,14 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_b
 if (!verify_requester_payer_permission(s)) return false;
+ // If RestrictPublicBuckets is enabled and the bucket policy allows public access,
+ // deny the request if the requester is not in the bucket owner account
+ const bool restrict_public_buckets = s->bucket_access_conf && s->bucket_access_conf->restrict_public_buckets();
+ if (restrict_public_buckets && bucket_policy && rgw::IAM::is_public(*bucket_policy) && !s->identity->is_owner_of(s->bucket_info.owner)) {
+ ldpp_dout(dpp, 10) << __func__ << ": public policies are blocked by the RestrictPublicBuckets block public access setting" << dendl;
+ return false;
+ }
+
 const auto effect = evaluate_iam_policies( dpp, s->env, *s->identity, account_root, op, ARN(obj), bucket_policy, identity_policies, session_policies);