From: Casey Bodley
Date: Tue, 26 May 2026 16:03:48 +0000 (-0400)
Subject: rgw/s3control: skip account id check for admin users
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=44d810e305f91b647f1aa030bf8c30c95b5d4cb2;p=ceph.git
rgw/s3control: skip account id check for admin users
allow access to admin users that don't belong to the requested account. this is also necessary for multisite, where requests are forwarded to the metadata master as the multisite system user instead of the original requester
Signed-off-by: Casey Bodley
---
diff --git a/src/rgw/rgw_rest_s3control.cc b/src/rgw/rgw_rest_s3control.cc
index 89b97a67fae..01b92851394 100644
--- a/src/rgw/rgw_rest_s3control.cc
+++ b/src/rgw/rgw_rest_s3control.cc
@@ -52,13 +52,16 @@ static int get_account_id(req_state* s, rgw_account_id& account_id)
 return -EINVAL;
 }
- const auto& account = s->auth.identity->get_account();
- if (!account) {
- return -ERR_METHOD_NOT_ALLOWED;
- }
- if (account_id != account->id) {
- s->err.message = "x-amz-account-id must match the requester";
- return -EINVAL;
+ if (!s->auth.identity->is_admin()) {
+ // verify that the requester belongs to the specified account
+ const auto& account = s->auth.identity->get_account();
+ if (!account) {
+ return -ERR_METHOD_NOT_ALLOWED;
+ }
+ if (account_id != account->id) {
+ s->err.message = "x-amz-account-id must match the requester";
+ return -EINVAL;
+ }
 }
 return 0;
 }
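Review bot: When `s->auth.identity->is_admin()` is true, get_account_id() now returns 0 with an `account_id` that nothing in this hunk ties to the requester or checks for existence, so for admin identities the value (presumably parsed from the `x-amz-account-id` header) is purely caller-supplied and every caller has to treat it that way. The commit message says multisite forwards requests as the system user, which implies the original requester's account match is enforced only on the forwarding zone; that trust assumption belongs in a comment above the `if`, e.g. `// admin/system identities may act on any account (multisite forwards as the system user); account_id is not bound to the requester on this path`. Because this is a cross-account access path, a log line on the bypass would help auditing, something like `ldpp_dout(s, 20) << "admin identity: skipping account id match for " << account_id << dendl;`. The function begins above the hunk, so whether the id is format-validated before this point cannot be confirmed from here.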