From: cao.leilc
Date: Thu, 8 Dec 2022 08:09:00 +0000 (+0800)
Subject: rgw : add num limit for IAM user policies
X-Git-Tag: v18.1.0~609^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=42ad8b6471efec808a95ce3f23c938d602ea0090;p=ceph-ci.git
rgw : add num limit for IAM user policies
Fixes: https://tracker.ceph.com/issues/55017
Signed-off-by: caolei
---
diff --git a/src/common/options/rgw.yaml.in b/src/common/options/rgw.yaml.in
index 33fe0a60794..030151f6d91 100644
--- a/src/common/options/rgw.yaml.in
+++ b/src/common/options/rgw.yaml.in
@@ -12,6 +12,15 @@ options:
 services:
 - rgw
 with_legacy: true
+# An user can have up to 100 IAM user policies.
+- name: rgw_user_policies_max_num
+ type: int
+ level: advanced
+ desc: Max number of IAM user policies on a single user
+ default: 100
+ services:
+ - rgw
+ with_legacy: true
 # According to AWS S3(http://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html),
 # An cors can have up to 100 rules.
 - name: rgw_cors_rules_max_num
diff --git a/src/rgw/rgw_rest_user_policy.cc b/src/rgw/rgw_rest_user_policy.cc
index 9606ae7b59d..e50f46a068e 100644
--- a/src/rgw/rgw_rest_user_policy.cc
+++ b/src/rgw/rgw_rest_user_policy.cc
@@ -149,6 +149,21 @@ void RGWPutUserPolicy::execute(optional_yield y)
 }
 bufferlist in_bl;
 policies[policy_name] = policy;
+#define USER_POLICIES_MAX_NUM 100
+ int max_num = s->cct->_conf->rgw_user_policies_max_num;
+ if (max_num < 0) {
+ max_num = USER_POLICIES_MAX_NUM;
+ }
+ if (policies.size() > max_num) {
+ ldpp_dout(this, 4) << "IAM user policies has reached the num config: "
+ << max_num << ", cant add another" << dendl;
+ op_ret = -ERR_INVALID_REQUEST;
+ s->err.message =
+ "The number of IAM user policies should not exceed allowed limit "
+ "of " +
+ std::to_string(max_num) + " policies.";
+ return;
+ }
 encode(policies, in_bl);
 user->get_attrs()[RGW_ATTR_USER_POLICY] = in_bl;
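Review bot: The new `rgw_user_policies_max_num` entry does not document how out-of-range values behave, and the option is a resource limit operators will tune. The C++ side of this commit replaces any negative value with 100, and as that check is written a value of 0 would reject every PutUserPolicy request. I would add a line such as `long_desc: Maximum number of IAM policies PutUserPolicy will store on one user. A negative value falls back to 100; 0 rejects all new policies.` so the fallback is not discoverable only from the source. The comment above the entry should also read `# A user can have up to 100 IAM user policies.`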
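Review bot: The comparison `policies.size() > max_num` mixes `size_t` with `int`; it is correct only because the negative case is replaced a few lines above, so make that explicit with `if (policies.size() > static_cast<size_t>(max_num)) {`. The function-local `#define USER_POLICIES_MAX_NUM 100` stays defined for the rest of the translation unit and duplicates the default in rgw.yaml.in; `static constexpr int USER_POLICIES_MAX_NUM = 100;` keeps it scoped. Because the check runs after `policies[policy_name] = policy;`, lowering the limit below a user's current count also rejects an update to an existing policy, which the log text `cant add another` does not describe. The limit bounds the number of entries only; whether the size of each policy document is bounded is not visible in this hunk. execute() starts and ends outside the hunk.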