From: Shreyansh Sancheti
Date: Tue, 20 Feb 2024 06:27:32 +0000 (-0500)
Subject: RGW: a subuser with no permission can still list buckets and create buckets
X-Git-Tag: v20.0.0~2183^2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=3cc27f0676c7ba2677f92969339b18b665c53c02;p=ceph.git

RGW: a subuser with no permission can still list buckets and create buckets

An S3 subuser having no permissions was able to do normal user ops; from the AWS docs there's no functionality for an S3 subuser as we have with Swift. The fix here is to check the "subuser perm mask" before going forward with the "no_acl" check.

Fixes: https://tracker.ceph.com/issues/63791
Signed-off-by: Shreyansh Sancheti

---

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc index 3ee98fa18ca1..c0cbb7f86efc 100644 --- a/src/rgw/rgw_common.cc +++ b/src/rgw/rgw_common.cc @@ -1182,13 +1182,14 @@ bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, if (s->identity->get_identity_type() == TYPE_ROLE) return false; - /* S3 doesn't support account ACLs, so user_acl will be uninitialized. */ - if (user_acl.get_owner().id.empty()) - return true; - + /* S3 doesn't have a subuser, it takes user permissions */ if ((perm & (int)s->perm_mask) != perm) return false; + /* S3 doesn't support account ACLs, so user_acl will be uninitialized. */ + if (user_acl.get_owner().id.empty()) + return true; + return user_acl.verify_permission(dpp, *s->identity, perm, perm); }
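Review bot: the new comment `/* S3 doesn't have a subuser, it takes user permissions */` in the hunk does not describe the check placed under it, and the ordering it guards is the entire fix, so it deserves an accurate note. In the old order an S3 request reached `if (user_acl.get_owner().id.empty()) return true;` before `s->perm_mask` was ever consulted, so a subuser whose mask lacked the requested bits was granted every operation; moving `if ((perm & (int)s->perm_mask) != perm) return false;` ahead of that early return is what closes the hole. Suggest wording the comment to say so, e.g. `/* apply the subuser perm mask first: the S3 early-allow below must not bypass it */`, so the next refactor does not swap the two blocks back. Since the defect was purely an ordering bug and the diff carries no test, a regression test that creates a subuser with an empty permission mask and asserts that bucket listing and creation are denied would pin the order down. The `_no_policy` suffix also suggests a policy-evaluating counterpart; worth confirming it does not carry the same early return ahead of its mask check.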