From: Mark Houghton <mhoughton@microfocus.com>
Date: Wed, 28 Oct 2020 14:44:03 +0000 (+0000)
Subject: rgw: Check user permissions for governance retention bypass in multi-object delete.
X-Git-Tag: v14.2.22~43^2~2
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=53bcad6dc9a7c7f469adbe8755b6f5d57ac96e31;p=ceph.git

rgw: Check user permissions for governance retention bypass in multi-object delete.

fixes: https://tracker.ceph.com/issues/47586
Signed-off-by: Mark Houghton <mhoughton@microfocus.com>
(cherry picked from commit 4f1524199132cbf382877a35b040d691b12717d1)

Conflicts:
	rgw_op.cc
---

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 01e2a7929a1b..07dc025b6b8c 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -6281,6 +6281,21 @@ void RGWGetHealthCheck::execute()
 int RGWDeleteMultiObj::verify_permission()
 {
   if (s->iam_policy || ! s->iam_user_policies.empty()) {
+    if (s->bucket_info.obj_lock_enabled()  && bypass_governance_mode) {
+      auto r = eval_user_policies(s->iam_user_policies, s->env, boost::none,
+				  rgw::IAM::s3BypassGovernanceRetention,
+				  ARN(s->bucket));
+      if (r == Effect::Deny) {
+        bypass_perm = false;
+      } else if (r == Effect::Pass && s->iam_policy) {
+        r = s->iam_policy->eval(s->env, *s->auth.identity,
+				rgw::IAM::s3BypassGovernanceRetention,
+				ARN(s->bucket));
+        if (r == Effect::Deny) {
+          bypass_perm = false;
+        }
+      }
+    }
     auto usr_policy_res = eval_user_policies(s->iam_user_policies, s->env,
                                               boost::none,
                                               s->object.instance.empty() ?