From: Casey Bodley
Date: Mon, 30 Jun 2025 22:06:08 +0000 (-0400)
Subject: rgw: add helper for bucket + account PublicAccessBlock config
X-Git-Tag: v21.0.1~135^2~13
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=4bdc679b97c50af7fd4273768a1c7955e684feff;p=ceph.git

rgw: add helper for bucket + account PublicAccessBlock config

get_public_access_conf() takes an optional account, and checks RGW_ATTR_PUBLIC_ACCESS on that in addition to the bucket. if both attrs are found, return the union of their configurations

Signed-off-by: Casey Bodley
---
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index bdb0d3fe157..0e63f048ab4 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -395,6 +395,37 @@ get_public_access_conf_from_attr(const map& attrs)
 return configuration;
 }
 
+static int read_public_access_conf(const DoutPrefixProvider *dpp,
+ optional_yield y, rgw::sal::Driver* driver,
+ const rgw_owner& bucket_owner,
+ const std::map& bucket_attrs,
+ PublicAccessBlockConfiguration& config)
+{
+ auto bucket_config = get_public_access_conf_from_attr(bucket_attrs);
+
+ const auto* account_id = std::get_if(&bucket_owner);
+ if (!account_id) {
+ config = std::move(bucket_config);
+ return 0;
+ }
+
+ // if the bucket owner is an account, check for account-level config
+ RGWAccountInfo account_info;
+ std::map account_attrs;
+ RGWObjVersionTracker objv; // ignored
+ int r = driver->load_account_by_id(dpp, y, *account_id, account_info,
+ account_attrs, objv);
+ if (r < 0) {
+ ldpp_dout(dpp, 1) << "ERROR: " << __func__ << " failed to load bucket "
+ "owner's account=" << *account_id << " with " << cpp_strerror(r) << dendl;
+ return r;
+ }
+
+ auto account_config = get_public_access_conf_from_attr(account_attrs);
+ config = config_union(bucket_config, account_config);
+ return 0;
+}
+
 static int read_bucket_policy(const DoutPrefixProvider *dpp,
 rgw::sal::Driver* driver,
 req_state *s,
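Review bot: The early return after `load_account_by_id` fails closed: any error, including a missing owner account, now makes rgw_build_bucket_policies reject every request to that bucket instead of falling back to the bucket-only configuration. That is the right default for a public-access control, but nothing says it is deliberate, so add `// fail closed: an unreadable account config must not let the bucket be evaluated with weaker settings` above the `return r;`. The function also lacks a header comment; it should say the result is the memberwise logical-or of the bucket and account settings, so the account level can only tighten, never relax, what the bucket sets. The commit message describes this helper as get_public_access_conf() while the hunk adds read_public_access_conf(). If load_account_by_id is not served from a cache, this is an extra metadata read on every request to an account-owned bucket — worth confirming.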
@@ -623,7 +654,13 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d return -EINVAL; } - s->public_access_block = get_public_access_conf_from_attr(s->bucket_attrs); + ret = read_public_access_conf(dpp, y, driver, + s->bucket->get_owner(), + s->bucket->get_attrs(), + s->public_access_block); + if (ret < 0) { + return ret; + } s->bucket_object_ownership = rgw::s3::get_object_ownership(s->bucket_attrs); } diff --git a/src/rgw/rgw_public_access.cc b/src/rgw/rgw_public_access.cc index 77c372f149c..7a0b644e424 100644 --- a/src/rgw/rgw_public_access.cc +++ b/src/rgw/rgw_public_access.cc @@ -35,3 +35,14 @@ std::ostream& operator<< (std::ostream& os, const PublicAccessBlockConfiguration return os; } +auto config_union(const PublicAccessBlockConfiguration& lhs, + const PublicAccessBlockConfiguration& rhs) + -> PublicAccessBlockConfiguration +{ + return { + .BlockPublicAcls = lhs.BlockPublicAcls || rhs.BlockPublicAcls, + .IgnorePublicAcls = lhs.IgnorePublicAcls || rhs.IgnorePublicAcls, + .BlockPublicPolicy = lhs.BlockPublicPolicy || rhs.BlockPublicPolicy, + .RestrictPublicBuckets = lhs.RestrictPublicBuckets || rhs.RestrictPublicBuckets, + }; +} diff --git a/src/rgw/rgw_public_access.h b/src/rgw/rgw_public_access.h index dc282ef3ad8..dd3fb8c223f 100644 --- a/src/rgw/rgw_public_access.h +++ b/src/rgw/rgw_public_access.h @@ -14,6 +14,8 @@ */ #pragma once + +#include #include "include/encoding.h" class XMLObj; @@ -44,7 +46,12 @@ struct PublicAccessBlockConfiguration { } void decode_xml(XMLObj *obj); - void dump_xml(Formatter *f) const; + void dump_xml(ceph::Formatter *f) const; }; WRITE_CLASS_ENCODER(PublicAccessBlockConfiguration) std::ostream& operator<< (std::ostream& os, const PublicAccessBlockConfiguration& access_conf); + +/// Return the union of two configurations by memberwise logical-or. +auto config_union(const PublicAccessBlockConfiguration& lhs, + const PublicAccessBlockConfiguration& rhs) + -> PublicAccessBlockConfiguration;
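Review bot: The new call passes `s->bucket->get_attrs()` while the line it replaces, and the `get_object_ownership` call right after it, read `s->bucket_attrs`; if those are not the same map, the public-access block and the object-ownership setting are taken from different attribute snapshots, and even if they are, the mixed spelling invites that divergence later. Passing `s->bucket_attrs` to `read_public_access_conf` keeps both reads on one source. On failure `ret` is propagated unchanged, so an error loading the owner account denies the request; if that is intended, a one-line comment at this call site should say so. rgw_build_bucket_policies starts and ends outside the hunk.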
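Review bot: `config_union` should be declared `[[nodiscard]]`: it is a pure function whose only effect is its return value, and a caller that drops the result silently keeps the less restrictive bucket-only configuration, which is exactly the failure a public-access block must not have. `[[nodiscard]] auto config_union(const PublicAccessBlockConfiguration& lhs,` on this declaration is enough; the definition in rgw_public_access.cc needs no change. The doc comment could also state the consequence of the logical-or: a setting enabled at either level wins, so the account can only tighten the bucket's configuration. The struct PublicAccessBlockConfiguration that the first part of the hunk closes starts outside the hunk.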