From: Mark Houghton <mhoughton@microfocus.com>
Date: Wed, 28 Oct 2020 14:44:03 +0000 (+0000)
Subject: rgw: Check user permissions for governance retention bypass in multi-object delete.
X-Git-Tag: v16.1.0~425^2~3
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=4f1524199132cbf382877a35b040d691b12717d1;p=ceph.git

rgw: Check user permissions for governance retention bypass in multi-object delete.

fixes: https://tracker.ceph.com/issues/47586
Signed-off-by: Mark Houghton <mhoughton@microfocus.com>
---

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index edd7264e2b2..2e112af0986 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -6385,6 +6385,19 @@ void RGWGetHealthCheck::execute(optional_yield y)
 int RGWDeleteMultiObj::verify_permission(optional_yield y)
 {
   if (s->iam_policy || ! s->iam_user_policies.empty()) {
+    if (s->bucket->get_info().obj_lock_enabled() && bypass_governance_mode) {
+      auto r = eval_user_policies(s->iam_user_policies, s->env, boost::none,
+                                               rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key()));
+      if (r == Effect::Deny) {
+        bypass_perm = false;
+      } else if (r == Effect::Pass && s->iam_policy) {
+        r = s->iam_policy->eval(s->env, *s->auth.identity, rgw::IAM::s3BypassGovernanceRetention,
+                                     ARN(s->bucket->get_key()));
+        if (r == Effect::Deny) {
+          bypass_perm = false;
+        }
+      }
+    }
     auto usr_policy_res = eval_user_policies(s->iam_user_policies, s->env,
                                               boost::none,
                                               s->object->get_instance().empty() ?