From: Matt Benjamin Date: Mon, 8 Sep 2025 20:26:26 +0000 (-0400) Subject: rgw: fix policy enforcement for GetObjectAttributes X-Git-Tag: testing/wip-pdonnell-testing-20260323.122957-tentacle~577 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=3b90adb1e0224b6b97097d86ed75835cf827506f;p=ceph-ci.git rgw: fix policy enforcement for GetObjectAttributes Per https://docs.aws.amazon.com/cli/latest/reference/s3api/get-object-attributes.html: "If the bucket is not versioned, you need the s3:GetObject and s3:GetObjectAttributes permissions." Fixes: https://tracker.ceph.com/issues/72915 Resolves: rhbz#2313820 Signed-off-by: Matt Benjamin (cherry picked from commit 16ab79dacbf7d8e94e70d28192c945cd79c5934c)
---
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 93c5d17934e..92167f21583 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -6490,10 +6490,7 @@ int RGWGetObjAttrs::verify_permission(optional_yield y)
 rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
 }
- /* XXXX the following conjunction should be &&--but iam_action2 is currently not
- * hooked up and always fails (but should succeed if the requestor has READ
- * acess to the object) */
- perm = (verify_object_permission(this, s, iam_action1) || /* && */
+ perm = (verify_object_permission(this, s, iam_action1) &&
 verify_object_permission(this, s, iam_action2));
 }
diff --git a/src/rgw/rgw_op.h b/src/rgw/rgw_op.h
index ba2f1a7663f..ff22778a36d 100644
--- a/src/rgw/rgw_op.h
+++ b/src/rgw/rgw_op.h
@@ -2111,7 +2111,6 @@ public:
 }
 };
-
 class RGWDeleteMultiObj : public RGWOp {
 /**
 * Handles the deletion of an individual object and uses
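Review bot: The new `&&` in `perm = (verify_object_permission(this, s, iam_action1) && verify_object_permission(this, s, iam_action2));` depends on the iam_action2 check now evaluating correctly, but the comment this hunk deletes said iam_action2 "is currently not hooked up and always fails", and nothing visible in this commit changes that wiring. If that still holds for requestors authorised only by an object ACL (READ grant, no bucket or identity policy), every GetObjectAttributes request from them would now be denied. That fails closed, but it should be confirmed before the cherry-pick is merged. In place of the removed XXXX block I would leave a short rationale such as `/* S3 requires both actions to be allowed (e.g. s3:GetObject and s3:GetObjectAttributes); deny unless both pass */`. A regression test should accompany the change: a policy granting only one of the two actions must be rejected, and a plain READ ACL grantee must still succeed. The assignments of iam_action1 and iam_action2 and the rest of verify_permission lie outside the hunk, so the versioned-object pairing cannot be checked from here.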