From: Casey Bodley Date: Wed, 26 Feb 2025 21:42:43 +0000 (-0500) Subject: rgw: use object ARN for InitMultipart permissions X-Git-Tag: v19.2.3~279^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=26ea1ae5700b27f3c12f4b107e38470d0ed89e85;p=ceph.git rgw: use object ARN for InitMultipart permissions from https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html#mpuAndPermissions: > You must be allowed to perform the s3:PutObject action on an object to create a multipart upload request. but it was calling the verify_bucket_permission() overload which defaulted to the bucket ARN. pass the object ARN instead, like we do for RGWPutObj and RGWCompleteMultipart Fixes: https://tracker.ceph.com/issues/70191 Signed-off-by: Casey Bodley (cherry picked from commit 64ab3a3e49d0e7bc716ee5301e15a1ba61127bb4) --- diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index 414e1196691e..04ebe8837180 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -6204,7 +6204,8 @@ int RGWInitMultipart::verify_permission(optional_yield y) // add server-side encryption headers rgw_iam_add_crypt_attrs(s->env, s->info.crypt_attribute_map); - if (!verify_bucket_permission(this, s, rgw::IAM::s3PutObject)) { + if (!verify_bucket_permission(this, s, ARN(s->object->get_obj()), + rgw::IAM::s3PutObject)) { return -EACCES; }
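Review bot: The new call in RGWInitMultipart::verify_permission() dereferences s->object (`ARN(s->object->get_obj())`) with no null check visible in this hunk. It is worth confirming that this op is only reached with an object set on the request, or guarding the dereference before building the ARN. The patch also carries no test. A case where the policy allows s3:PutObject only on the object resource, and one where it allows it only on the bucket ARN, would pin the behaviour the commit message describes and catch a regression back to the overload that defaults to the bucket ARN. Since the commit message says RGWPutObj and RGWCompleteMultipart already pass the object ARN, a short comment at this call site noting that the three ops are meant to evaluate the same resource would help keep them aligned.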