From: Seena Fallah
Date: Fri, 28 Feb 2025 15:51:07 +0000 (+0100)
Subject: rgw: replication require lock perm if enabled
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=4fde9dddb8c2732ecf95fa1d508ee7c91fc53e74;p=ceph.git

rgw: replication require lock perm if enabled

Signed-off-by: Seena Fallah
---

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index a0c66e7abdad8..908371c81fc7d 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -1107,6 +1107,24 @@ int RGWGetObj::verify_permission(optional_yield y)
 // non-impersonated or standard system requests will be handled in rgw_process_authenticated().
 const bool is_replication_request = s->system_request;
+ if (s->bucket->get_info().obj_lock_enabled()) {
+ get_retention = verify_object_permission(this, s, rgw::IAM::s3GetObjectRetention);
+ if (is_replication_request && !get_retention) {
+ s->err.message = "missing s3:GetObjectRetention permission";
+ ldpp_dout(this, 4) << "ERROR: fetching object for replication object=" << s->object << " reason=" << s->err.message << dendl;
+
+ return -EACCES;
+ }
+
+ get_legal_hold = verify_object_permission(this, s, rgw::IAM::s3GetObjectLegalHold);
+ if (is_replication_request && !get_legal_hold) {
+ s->err.message = "missing s3:GetObjectLegalHold permission";
+ ldpp_dout(this, 4) << "ERROR: fetching object for replication object=" << s->object << " reason=" << s->err.message << dendl;
+
+ return -EACCES;
+ }
+ }
+
 if (is_replication_request) {
 // check for s3:GetObject(Version)Acl permission
 action = s->object->get_instance().empty() ? rgw::IAM::s3GetObjectAcl : rgw::IAM::s3GetObjectVersionAcl;
@@ -1143,11 +1161,6 @@ int RGWGetObj::verify_permission(optional_yield y)
 return -EACCES;
 }
- if (s->bucket->get_info().obj_lock_enabled()) {
- get_retention = verify_object_permission(this, s, rgw::IAM::s3GetObjectRetention);
- get_legal_hold = verify_object_permission(this, s, rgw::IAM::s3GetObjectLegalHold);
- }
-
 return 0;
 }
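Review bot: The two object-lock checks added at the top of the first hunk are the same deny-and-log pattern written out twice, differing only in the IAM action, the member flag and the message text, so the copies can drift if the log level or wording is later changed in one of them. A local lambda taking the action, the flag and the message keeps a single copy of the denial logic while preserving the order (retention first, then legal hold) and the early `-EACCES` return; the rewritten lines are below, assuming `get_retention` and `get_legal_hold` are `bool` members as their assignment from `verify_object_permission` suggests. The new block also has no why-comment; the commit message does not say why replication must hold these permissions, so I would add one that states the reason and marks it as to be confirmed, as in the fence. `verify_permission` starts before this hunk and its body continues after it; the second hunk only deletes the block that was moved here.
```cpp
  if (s->bucket->get_info().obj_lock_enabled()) {
    // Replication needs to read retention and legal hold, presumably so the
    // object-lock state is carried to the destination (confirm with the
    // replication design).
    auto require_lock_perm = [&](auto action, bool& granted, const char* missing) {
      granted = verify_object_permission(this, s, action);
      if (is_replication_request && !granted) {
        s->err.message = missing;
        ldpp_dout(this, 4) << "ERROR: fetching object for replication object=" << s->object
                           << " reason=" << s->err.message << dendl;
        return false;
      }
      return true;
    };
    if (!require_lock_perm(rgw::IAM::s3GetObjectRetention, get_retention,
                           "missing s3:GetObjectRetention permission") ||
        !require_lock_perm(rgw::IAM::s3GetObjectLegalHold, get_legal_hold,
                           "missing s3:GetObjectLegalHold permission")) {
      return -EACCES;
    }
  }
  // … unchanged: replication s3:GetObject(Version)Acl check …
```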