From: Casey Bodley
Date: Sat, 4 Nov 2023 19:09:46 +0000 (-0400)
Subject: rgw/auth: account users also match ACL grants to their account id
X-Git-Tag: v19.1.0~99^2~151
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=1e6b7a084627c7fdc1817356f20ad179b4337f5a;p=ceph.git

rgw/auth: account users also match ACL grants to their account id

ACL grants can now specify an account id for the CanonicalUser to grant access to the entire account. this is implemented only for LocalApplier

Signed-off-by: Casey Bodley
(cherry picked from commit 1698784e2eb72e99e3eaa477ae8e53b35a6ab377)
---

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index dcf8359968445..1daa709aa5620 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -68,7 +68,7 @@ transform_old_authinfo(CephContext* const cct,
   }
 
   uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override {
-    return rgw_perms_from_aclspec_default_strategy(id, aclspec, dpp);
+    return rgw_perms_from_aclspec_default_strategy(id.to_str(), aclspec, dpp);
   }
 
   bool is_admin_of(const rgw_user& acct_id) const override {
@@ -147,13 +147,13 @@ transform_old_authinfo(const req_state* const s)
 
 
 uint32_t rgw_perms_from_aclspec_default_strategy(
-    const rgw_user& uid,
+    const std::string& uid,
     const rgw::auth::Identity::aclspec_t& aclspec,
     const DoutPrefixProvider *dpp)
 {
   ldpp_dout(dpp, 5) << "Searching permissions for uid=" << uid << dendl;
 
-  const auto iter = aclspec.find(uid.to_str());
+  const auto iter = aclspec.find(uid);
   if (std::end(aclspec) != iter) {
     ldpp_dout(dpp, 5) << "Found permission: " << iter->second << dendl;
     return iter->second;
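Review bot: After this hunk `rgw_perms_from_aclspec_default_strategy` is keyed by an arbitrary grantee string rather than a user, but the parameter is still named `uid` and the debug line still prints `Searching permissions for uid=`; the LocalApplier hunk later in this patch routes `user_info.account_id` through the same call, so account ids will show up in logs labelled as a uid. Consider renaming the parameter to `grantee` and logging `ldpp_dout(dpp, 5) << "Searching permissions for grantee=" << grantee << dendl;`. A one-line comment above the definition stating that the string must equal the aclspec key exactly (an `rgw_user::to_str()` form or an account id, with no normalisation done here) would also make the new contract explicit. The function body continues past the end of this hunk.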
@@ -560,7 +560,7 @@ uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const DoutPrefixProvid
   uint32_t perm = 0;
 
   /* For backward compatibility with ACLOwner. */
-  perm |= rgw_perms_from_aclspec_default_strategy(info.acct_user,
+  perm |= rgw_perms_from_aclspec_default_strategy(info.acct_user.to_str(),
                                                   aclspec, dpp);
 
   /* We also need to cover cases where rgw_keystone_implicit_tenants
@@ -568,7 +568,7 @@ uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const DoutPrefixProvid
   if (info.acct_user.tenant.empty()) {
     const rgw_user tenanted_acct_user(info.acct_user.id, info.acct_user.id);
 
-    perm |= rgw_perms_from_aclspec_default_strategy(tenanted_acct_user,
+    perm |= rgw_perms_from_aclspec_default_strategy(tenanted_acct_user.to_str(),
                                                     aclspec, dpp);
   }
 
@@ -782,7 +782,19 @@ ACLOwner rgw::auth::LocalApplier::get_aclowner() const
 
 uint32_t rgw::auth::LocalApplier::get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const
 {
-  return rgw_perms_from_aclspec_default_strategy(user_info.user_id, aclspec, dpp);
+  // match acl grants to the specific user id
+  uint32_t mask = rgw_perms_from_aclspec_default_strategy(
+      user_info.user_id.to_str(), aclspec, dpp);
+
+  if (!user_info.account_id.empty()) {
+    // account users also match acl grants to the account id. in aws, grantees
+    // ONLY refer to accounts. but we continue to match user grants to preserve
+    // access when moving legacy users into new accounts
+    mask |= rgw_perms_from_aclspec_default_strategy(
+        user_info.account_id, aclspec, dpp);
+  }
+
+  return mask;
 }
 
 bool rgw::auth::LocalApplier::is_admin_of(const rgw_user& uid) const
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index aa81efe03dd42..cf2d3583e8769 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -813,6 +813,6 @@ protected:
 
 
 uint32_t rgw_perms_from_aclspec_default_strategy(
-    const rgw_user& uid,
+    const std::string& uid,
     const rgw::auth::Identity::aclspec_t& aclspec,
     const DoutPrefixProvider *dpp);
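Review bot: The account lookup `mask |= rgw_perms_from_aclspec_default_strategy(user_info.account_id, aclspec, dpp);` in LocalApplier::get_perms_from_aclspec silently assumes that account ids and `rgw_user::to_str()` strings can never collide in the aclspec key space; nothing in this hunk enforces that, so if an account id could ever equal a user's canonical id string, a grant written for one user would be honoured for every user of that account. Presumably account ids have a distinct fixed format that rules this out — if so, a comment here such as `// account ids and user ids share the aclspec key space; relies on account ids never parsing as a tenant$uid string` would keep a future id-format change from breaking the assumption, and if not, the two grantee kinds need a prefix or separate map. The patch also adds no test for the new union semantics; a unit test with an aclspec holding only an account grant, only a user grant, both, and a user whose `account_id` is empty would pin the `mask |=` behaviour, in particular that an account user with no user-level grant still receives the account's permissions.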
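Review bot: The rgw_auth.h declaration still carries no comment describing what `uid` is, and the name suggests a user id even though the .cc side of this patch also passes an account id through it. A short doc comment above the declaration would close the gap, e.g. `/// Return the permission bits granted to the aclspec entry whose key equals uid exactly (an rgw_user::to_str() string or an account id); no normalisation is applied.` — the miss path of the definition is outside this diff, so take its return value from the definition rather than from this note before adding it to the comment.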