From: Seena Fallah Date: Wed, 23 Apr 2025 22:22:08 +0000 (+0200) Subject: rgw: use is_admin() for permission checks X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=37c2d36da71302aced44714610417b0c7ff77ac9;p=ceph.git rgw: use is_admin() for permission checks Signed-off-by: Seena Fallah (cherry picked from commit cc033cb16ff2971d215a92fab3038b185251cc22)
---
diff --git a/src/rgw/rgw_lib.cc b/src/rgw/rgw_lib.cc
index 471a6373c93e8..bcf686de3d286 100644
--- a/src/rgw/rgw_lib.cc
+++ b/src/rgw/rgw_lib.cc
@@ -281,9 +281,7 @@ namespace rgw {
 ldpp_dout(s, 2) << "verifying op permissions" << dendl;
 ret = op->verify_permission(null_yield);
 if (ret < 0) {
- if (s->system_request) {
- ldpp_dout(op, 2) << "overriding permissions due to system operation" << dendl;
- } else if (s->auth.identity->is_admin()) {
+ if (s->auth.identity->is_admin()) {
 ldpp_dout(op, 2) << "overriding permissions due to admin operation" << dendl;
 } else {
 abort_req(s, op, ret);
@@ -418,9 +416,7 @@ namespace rgw {
 ldpp_dout(s, 2) << "verifying op permissions" << dendl;
 ret = op->verify_permission(null_yield);
 if (ret < 0) {
- if (s->system_request) {
- ldpp_dout(op, 2) << "overriding permissions due to system operation" << dendl;
- } else if (s->auth.identity->is_admin()) {
+ if (s->auth.identity->is_admin()) {
 ldpp_dout(op, 2) << "overriding permissions due to admin operation" << dendl;
 } else {
 abort_req(s, op, ret);
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index c5a18ed080253..5811156afa254 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -360,7 +360,7 @@ static int read_bucket_policy(const DoutPrefixProvider *dpp,
 rgw_bucket& bucket,
 optional_yield y)
 {
- if (!s->system_request && bucket_info.flags & BUCKET_SUSPENDED) {
+ if (!s->auth.identity->is_admin() && bucket_info.flags & BUCKET_SUSPENDED) {
 ldpp_dout(dpp, 0) << "NOTICE: bucket " << bucket_info.bucket.name << " is suspended" << dendl;
 return -ERR_USER_SUSPENDED;
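Review bot: In the rgw_lib.cc hunk at -281 the branch that turns a failed `verify_permission()` into success now depends on `is_admin()` alone, and nothing at the branch says whether system requests are still meant to be covered. `is_admin()` is not defined in this diff, so a reader cannot tell from here whether system users keep the override; a comment on the new condition would settle it, for example `// is_admin() is expected to be true for system users too, so they still bypass a failed verify_permission()`. The same applies to the identical hunk at -418 and to the rgw_op.cc hunk at -1856 in `RGWGetObj::read_user_manifest_part`. The log line also no longer distinguishes a system override from an admin one, which matters if these level-2 messages are used to audit permission bypasses; the enclosing functions start and end outside the hunks.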
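Review bot: In the rgw_op.cc hunk at -360 (`read_bucket_policy`) the suspended-bucket check used to read only the flag `s->system_request` and now dereferences `s->auth.identity`, so the helper gains a precondition that the identity is already set when it runs. The hunk does not show whether every caller guarantees that; if not, and assuming `identity` is a pointer or smart pointer as the `->` suggests, the condition could be written `if (!(s->auth.identity && s->auth.identity->is_admin()) && (bucket_info.flags & BUCKET_SUSPENDED)) {`, which also makes the `&`/`&&` grouping explicit. The hunks at -397 (`read_obj_policy`) and -604 (`rgw_build_bucket_policies`) have the same new dereference. If `is_admin()` is true for identities that were not system requests, these checks also widen who may bypass `BUCKET_SUSPENDED`, which the commit message should state if it is intended.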
@@ -397,7 +397,7 @@ static int read_obj_policy(const DoutPrefixProvider *dpp,
 std::unique_ptr mpobj;
 rgw_obj obj;
- if (!s->system_request && bucket_info.flags & BUCKET_SUSPENDED) {
+ if (!s->auth.identity->is_admin() && bucket_info.flags & BUCKET_SUSPENDED) {
 ldpp_dout(dpp, 0) << "NOTICE: bucket " << bucket_info.bucket.name << " is suspended" << dendl;
 return -ERR_USER_SUSPENDED;
@@ -604,7 +604,7 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d
 // send a PutBucketPolicy or DeleteBucketPolicy request as an admin/system
 // user. We can allow such requests, because even if the policy denied
 // access, admin/system users override that error from verify_permission().
- if (!s->system_request) {
+ if (!s->auth.identity->is_admin()) {
 ret = -EACCES;
 }
 }
@@ -1856,9 +1856,7 @@ int RGWGetObj::read_user_manifest_part(rgw::sal::Bucket* bucket,
 /* We can use global user_acl because LOs cannot have segments
 * stored inside different accounts. */
- if (s->system_request) {
- ldpp_dout(this, 2) << "overriding permissions due to system operation" << dendl;
- } else if (s->auth.identity->is_admin()) {
+ if (s->auth.identity->is_admin()) {
 ldpp_dout(this, 2) << "overriding permissions due to admin operation" << dendl;
 } else if (!verify_object_permission(this, s, part->get_obj(), s->user_acl, bucket_acl, obj_policy, bucket_policy,
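Review bot: In the hunk at -604 (`rgw_build_bucket_policies`) the comment above the changed condition still explains the exemption in terms of "admin/system users", while the code now tests only `is_admin()`. The comment should name the check that actually decides it, for example ending with `// access, identities for which is_admin() is true override that error from verify_permission().`. The comment and the enclosing block begin outside the hunk, so the earlier lines may need the same wording change.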