From: Seena Fallah Date: Mon, 24 Feb 2025 22:33:45 +0000 (+0100) Subject: rgw: only allow system override if identity is not impersonating X-Git-Tag: v20.1.0~329^2~20 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=33a7fa014940c9c3ac6aefd4b509c42819c7a772;p=ceph.git rgw: only allow system override if identity is not impersonating Since multisite now delegates permission checks for source objects to the source zone (a3f40b4), we need to avoid allowing system-level overrides when the request is impersonating another identity. SysReqApplier should only grant override permission if the request is truly system-authenticated and not acting on behalf of another user or role (i.e., no rgwx-perm-check-uid or rgwx-perm-check-role in the request). Signed-off-by: Seena Fallah (cherry picked from commit 2a0cb65076fa63439a5d4b7c8876fb551d7ab8ec) --- diff --git a/src/rgw/rgw_process.cc b/src/rgw/rgw_process.cc index fe1ff8c6e30..37d5ac0f6ab 100644 --- a/src/rgw/rgw_process.cc +++ b/src/rgw/rgw_process.cc @@ -227,9 +227,9 @@ int rgw_process_authenticated(RGWHandler_REST * const handler, std::swap(span, s->trace); } if (ret < 0) { - if (s->system_request) { - dout(2) << "overriding permissions due to system operation" << dendl; - } else if (s->auth.identity->is_admin_of(s->user->get_id())) { + // system requests may impersonate another user/role for permission checks + // so only rely on is_admin_of() to override permissions + if (s->auth.identity->is_admin_of(s->user->get_id())) { dout(2) << "overriding permissions due to admin operation" << dendl; } else { return ret;
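Review bot: In the `if (ret < 0)` block of rgw_process_authenticated(), dropping the `s->system_request` branch makes every override depend on `s->auth.identity->is_admin_of(s->user->get_id())`, yet the condition the commit message describes (no rgwx-perm-check-uid or rgwx-perm-check-role in the request) is not visible anywhere in this hunk. The new comment should say where that check is enforced (the message points at SysReqApplier) so a reader of rgw_process.cc can confirm that an impersonating system request really reaches `return ret;`. Removing `dout(2) << "overriding permissions due to system operation"` also means a system request that still qualifies for the override would be logged as "admin operation"; consider keeping a distinct message when `s->system_request` is set so the two cases stay distinguishable in logs. A test in which a system request carrying rgwx-perm-check-uid is denied would pin the intended behaviour.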