From: Matt Benjamin Date: Mon, 8 Sep 2025 20:26:26 +0000 (-0400) Subject: rgw: fix policy enforcement for GetObjectAttributes X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=16ab79dacbf7d8e94e70d28192c945cd79c5934c;p=ceph.git rgw: fix policy enforcement for GetObjectAttributes Per https://docs.aws.amazon.com/cli/latest/reference/s3api/get-object-attributes.html: "If the bucket is not versioned, you need the s3:GetObject and s3:GetObjectAttributes permissions." Fixes: https://tracker.ceph.com/issues/72915 Signed-off-by: Matt Benjamin
---
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 421c266b6d15..ad72028aeb1e 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -6209,10 +6209,7 @@ int RGWGetObjAttrs::verify_permission(optional_yield y)
 rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
 }
- /* XXXX the following conjunction should be &&--but iam_action2 is currently not
- * hooked up and always fails (but should succeed if the requestor has READ
- * acess to the object) */
- perm = (verify_object_permission(this, s, iam_action1) || /* && */
+ perm = (verify_object_permission(this, s, iam_action1) &&
 verify_object_permission(this, s, iam_action2));
 }
diff --git a/src/rgw/rgw_op.h b/src/rgw/rgw_op.h
index ed3b79a821e4..c98b98ad3ec3 100644
--- a/src/rgw/rgw_op.h
+++ b/src/rgw/rgw_op.h
@@ -2170,7 +2170,6 @@ public:
 }
 };
-
 class RGWDeleteMultiObj : public RGWOp {
 /**
 * Handles the deletion of an individual object and uses
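Review bot: The switch to `&&` in `RGWGetObjAttrs::verify_permission` removes the old comment's warning that `iam_action2` "is currently not hooked up and always fails", but nothing in this diff shows that action being wired into policy or ACL evaluation. If the warning still holds, every GetObjectAttributes request would now be denied instead of over-permitted. Please confirm that the second `verify_object_permission` call can succeed for a requester who only has ACL READ on the object. Please also add a test where a principal granted just one of the two actions is denied and a principal granted both is allowed. A short replacement comment would keep the intent visible, e.g. `/* both actions are required; granting only one must not authorize the request */`. The function body starts and ends outside the hunk, so how `iam_action1` and `iam_action2` are chosen (for example for versioned requests) is not visible here.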