From: Radoslaw Zarzynski
Date: Sun, 25 Oct 2015 14:17:56 +0000 (+0100)
Subject: rgw: rework authorization parts to accomodate Bulk Delete API.
X-Git-Tag: v10.0.2~36^2~17
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=2ff837f469e33adffc703dafbcdb285314575000;p=ceph.git

rgw: rework authorization parts to accomodate Bulk Delete API.

Signed-off-by: Radoslaw Zarzynski
---

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 3111880f795..57aaf1b7ead 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -727,9 +727,11 @@ bool verify_requester_payer_permission(struct req_state *s)
 return false;
 }
 
-bool verify_bucket_permission(struct req_state *s, int perm)
+bool verify_bucket_permission(struct req_state * const s,
+ RGWAccessControlPolicy * const bucket_acl,
+ const int perm)
 {
- if (!s->bucket_acl)
+ if (!bucket_acl)
 return false;
 
 if ((perm & (int)s->perm_mask) != perm)
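Review bot: The new three-argument `verify_bucket_permission` in rgw_common.cc takes its ACL from the caller-supplied `bucket_acl` but still reads `perm_mask` from `s`, and no comment states that split. A caller that handles several buckets in one request (the Bulk Delete case named in the subject) has to pass the ACL loaded for the bucket actually being acted on, otherwise the decision is made against the wrong policy. I would add a comment above the definition along the lines of `/* Checks perm against bucket_acl, not s->bucket_acl; the caller must pass the ACL of the bucket being operated on. A NULL ACL denies. */`. The function body continues past the end of this hunk.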
@@ -738,21 +740,33 @@ bool verify_bucket_permission(struct req_state *s, int perm)
 if (!verify_requester_payer_permission(s))
 return false;
 
- return s->bucket_acl->verify_permission(s->user.user_id, perm, perm);
+ return bucket_acl->verify_permission(s->user.user_id, perm, perm);
 }
 
-static inline bool check_deferred_bucket_acl(struct req_state *s, uint8_t deferred_check, int perm)
+bool verify_bucket_permission(struct req_state * const s, const int perm)
 {
- return (s->defer_to_bucket_acls == deferred_check && verify_bucket_permission(s, perm));
+ return verify_bucket_permission(s, s->bucket_acl, perm);
 }
 
-bool verify_object_permission(struct req_state *s, RGWAccessControlPolicy *bucket_acl, RGWAccessControlPolicy *object_acl, int perm)
+static inline bool check_deferred_bucket_acl(struct req_state * const s,
+ RGWAccessControlPolicy * const bucket_acl,
+ const uint8_t deferred_check,
+ const int perm)
 {
 if (!verify_requester_payer_permission(s))
 return false;
 
- if (check_deferred_bucket_acl(s, RGW_DEFER_TO_BUCKET_ACLS_RECURSE, perm) ||
- check_deferred_bucket_acl(s, RGW_DEFER_TO_BUCKET_ACLS_FULL_CONTROL, RGW_PERM_FULL_CONTROL)) {
+ return (s->defer_to_bucket_acls == deferred_check \
+ && verify_bucket_permission(s, bucket_acl, perm));
+}
+
+bool verify_object_permission(struct req_state * const s,
+ RGWAccessControlPolicy * const bucket_acl,
+ RGWAccessControlPolicy * const object_acl,
+ const int perm)
+{
+ if (check_deferred_bucket_acl(s, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_RECURSE, perm) ||
+ check_deferred_bucket_acl(s, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_FULL_CONTROL, RGW_PERM_FULL_CONTROL)) {
 return true;
 }
 
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index bff070a06ae..234e4d16abd 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
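Review bot: In the rgw_common.cc hunk at -738, the new `verify_object_permission` no longer opens with the requester-pays guard. The unchanged lines `if (!verify_requester_payer_permission(s)) return false;` now fall inside `check_deferred_bucket_acl`, where they repeat the check that `verify_bucket_permission` already makes. When neither deferred branch returns true, the rest of `verify_object_permission` (outside this hunk) appears to run without the gate the old code applied first, which would loosen authorization in a commit described as a rework. I would restore the guard as the first statement of `verify_object_permission` and reduce the helper to `return (s->defer_to_bucket_acls == deferred_check && verify_bucket_permission(s, bucket_acl, perm));`. The `\` line continuation in that return is not needed outside a macro.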
@@ -1651,8 +1651,14 @@ extern string rgw_trim_quotes(const string& val);
 
 /** Check if the req_state's user has the necessary permissions
 * to do the requested action */
+extern bool verify_bucket_permission(struct req_state * s,
+ RGWAccessControlPolicy * bucket_acl,
+ int perm);
 extern bool verify_bucket_permission(struct req_state *s, int perm);
-extern bool verify_object_permission(struct req_state *s, RGWAccessControlPolicy *bucket_acl, RGWAccessControlPolicy *object_acl, int perm);
+extern bool verify_object_permission(struct req_state *s,
+ RGWAccessControlPolicy *bucket_acl,
+ RGWAccessControlPolicy *object_acl,
+ int perm);
 extern bool verify_object_permission(struct req_state *s, int perm);
 /** Convert an input URL into a sane object name
 * by converting %-escaped strings into characters, etc*/