From: Pritha Srivastava
Date: Fri, 26 Oct 2018 05:33:07 +0000 (+0530)
Subject: rgw: Fixes to User Policy code for CreateBucket and ListAllBuckets.
X-Git-Tag: v14.1.0~510^2~2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=0bf7b2d2fb3a2373a2b22a4173622fd234c93240;p=ceph.git

rgw: Fixes to User Policy code for CreateBucket and ListAllBuckets.

Signed-off-by: Pritha Srivastava
---
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 16c62b2c153..17334ac6190 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -288,7 +288,7 @@ static boost::optional get_iam_policy_from_attr(CephContext* cct,
 }
 }
-static vector get_iam_user_policy_from_attr(CephContext* cct,
+vector get_iam_user_policy_from_attr(CephContext* cct,
 RGWRados* store, map& attrs, const string& tenant) {
@@ -2006,7 +2006,10 @@ int RGWGetObj::init_common()
 int RGWListBuckets::verify_permission()
 {
- if (!verify_user_permission(this, s, ARN(), rgw::IAM::s3ListAllMyBuckets)) {
+ rgw::IAM::Partition partition = rgw::IAM::Partition::aws;
+ rgw::IAM::Service service = rgw::IAM::Service::s3;
+
+ if (!verify_user_permission(this, s, ARN(partition, service, "", s->user->user_id.tenant, "*"), rgw::IAM::s3ListAllMyBuckets)) {
 return -EACCES;
 }
@@ -2558,7 +2561,11 @@ int RGWCreateBucket::verify_permission()
 return -EACCES;
 }
- if (!verify_user_permission(this, s, ARN(s->bucket), rgw::IAM::s3CreateBucket)) {
+ rgw_bucket bucket;
+ bucket.name = s->bucket_name;
+ bucket.tenant = s->bucket_tenant;
+ ARN arn = ARN(bucket);
+ if (!verify_user_permission(this, s, arn, rgw::IAM::s3CreateBucket)) {
 return -EACCES;
 }
diff --git a/src/rgw/rgw_op.h b/src/rgw/rgw_op.h
index e7f4225de13..aff24d07392 100644
--- a/src/rgw/rgw_op.h
+++ b/src/rgw/rgw_op.h
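Review bot: The two locals `partition` and `service` in RGWListBuckets::verify_permission() are each used once and only restate enum constants; the check reads more directly as `const ARN arn(rgw::IAM::Partition::aws, rgw::IAM::Service::s3, "", s->user->user_id.tenant, "*");` followed by `if (!verify_user_permission(this, s, arn, rgw::IAM::s3ListAllMyBuckets)) {`. More importantly, the resource evaluated is now of the form `arn:aws:s3::<tenant>:*` instead of the empty ARN() used before, so a user policy written in the AWS form `arn:aws:s3:::*` only matches if ARN matching treats an empty account field as matching any tenant, which this hunk does not show. A comment naming the exact ARN form the check evaluates, e.g. `// Evaluated against arn:aws:s3::<tenant>:*; policies must name the tenant or wildcard the account field`, would help policy authors and reviewers confirm that.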
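Review bot: The ARN in RGWCreateBucket::verify_permission() is now built from `s->bucket_name`/`s->bucket_tenant` instead of `s->bucket`, but nothing says why; presumably `s->bucket` is not resolved for a bucket that does not exist yet, and a comment such as `// s->bucket is not populated for a bucket being created; build the ARN from the requested name/tenant` would keep the next maintainer from reverting it. Style-wise, `ARN arn = ARN(bucket);` copy-initialises from a temporary and can simply be `const ARN arn(bucket);`. The start of RGWCreateBucket::verify_permission() is outside the hunk, so whether `s->bucket_tenant` is already defaulted to the requester's tenant at this point cannot be confirmed here.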
@@ -1813,7 +1813,10 @@ extern int rgw_build_object_policies(RGWRados *store, struct req_state *s,
 bool prefetch_data);
 extern rgw::IAM::Environment rgw_build_iam_environment(RGWRados* store, struct req_state* s);
-
+extern vector get_iam_user_policy_from_attr(CephContext* cct,
+ RGWRados* store,
+ map& attrs,
+ const string& tenant);
 static inline int get_system_versioning_params(req_state *s, uint64_t *olh_epoch,
diff --git a/src/rgw/rgw_rest.cc b/src/rgw/rgw_rest.cc
index 324d28d4999..7b3314b52fd 100644
--- a/src/rgw/rgw_rest.cc
+++ b/src/rgw/rgw_rest.cc
@@ -1814,8 +1814,28 @@ static http_op op_from_method(const char *method)
 int RGWHandler_REST::init_permissions(RGWOp* op)
 {
- if (op->get_type() == RGW_OP_CREATE_BUCKET)
+ if (op->get_type() == RGW_OP_CREATE_BUCKET) {
+ // We don't need user policies in case of STS token returned by AssumeRole, hence the check for user type
+ if (! s->user->user_id.empty() && s->user->type != TYPE_NONE) {
+ try {
+ map uattrs;
+ if (auto ret = rgw_get_user_attrs_by_uid(store, s->user->user_id, uattrs); ! ret) {
+ if (s->iam_user_policies.empty()) {
+ s->iam_user_policies = get_iam_user_policy_from_attr(s->cct, store, uattrs, s->user->user_id.tenant);
+ } else {
+ // This scenario can happen when a STS token has a policy, then we need to append other user policies
+ // to the existing ones. (e.g. token returned by GetSessionToken)
+ auto user_policies = get_iam_user_policy_from_attr(s->cct, store, uattrs, s->user->user_id.tenant);
+ s->iam_user_policies.insert(s->iam_user_policies.end(), user_policies.begin(), user_policies.end());
+ }
+ }
+ } catch (const std::exception& e) {
+ lderr(s->cct) << "Error reading IAM User Policy: " << e.what() << dendl;
+ }
+ }
+ s->env = rgw_build_iam_environment(store, s);
 return 0;
+ }
 return do_init_permissions();
 }
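Review bot: The declaration of get_iam_user_policy_from_attr added to rgw_op.h carries no comment although it is now part of the header's API; a one-line `/// Parses the IAM user policies stored in the user's attribute map for the given tenant` above it would tell callers what `attrs` is expected to hold (the function body is not on this page, so confirm the wording against it). Its parameters use unqualified `vector`, `map` and `string`, unlike the fully qualified `rgw::IAM::Environment` on the line above; unless the header already has a `using namespace std` in scope, they should be `std::`-qualified. If the function only reads `attrs`, this declaration and the definition in rgw_op.cc could both take it by const reference.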
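Review bot: In RGWHandler_REST::init_permissions() a failure to read the user's attributes is silently treated as "no user policies": the `if (auto ret = rgw_get_user_attrs_by_uid(...); ! ret)` form skips the policy load on any non-zero return without logging it, and the `catch` block logs but still falls through to `s->env = rgw_build_iam_environment(store, s);` and `return 0;`. If verify_user_permission() later treats an empty `s->iam_user_policies` as "no policy attached" (it is not visible in this hunk), a transient store error here would drop any Deny statements the user's policies carry for the CreateBucket request, so the error should be surfaced rather than swallowed, e.g. `if (ret < 0) { lderr(s->cct) << "failed to read user attrs: " << ret << dendl; return ret; }` after the call (assuming the usual negative-errno convention) and returning an error from the catch instead of falling through. Whether a missing user object can legitimately occur for an authenticated non-STS user, and therefore deserves fail-open handling, is worth stating in a comment either way. Separately, both branches of the `s->iam_user_policies.empty()` check parse the same `uattrs`, so they collapse to one `auto user_policies = get_iam_user_policy_from_attr(...);` followed by the `insert(...)` line, which is a no-op-equivalent append onto an empty vector.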