From: Matt Benjamin
Date: Sat, 13 Aug 2022 17:08:03 +0000 (-0400)
Subject: rgw/iam: thread DoutPrefixProvider into policy evaluation
X-Git-Tag: v18.0.0~222^2~3
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=66d98b383ab2d8bdc6c3cf5777e645aa1d201b7f;p=ceph-ci.git
rgw/iam: thread DoutPrefixProvider into policy evaluation
Also conditionally prints policy and resource in verify_bucket_permission.
Signed-off-by: Matt Benjamin
---
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 54869a0d7cf..044f83ddee9 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1102,7 +1102,8 @@ struct perm_state_from_req_state : public perm_state_base {
 }
 };
-Effect eval_or_pass(const boost::optional& policy,
+Effect eval_or_pass(const DoutPrefixProvider* dpp,
+ const boost::optional& policy,
 const rgw::IAM::Environment& env,
 boost::optional id,
 const uint64_t op,
@@ -1116,13 +1117,14 @@ Effect eval_or_pass(const boost::optional& policy,
 }
-Effect eval_identity_or_session_policies(const vector& policies,
+Effect eval_identity_or_session_policies(const DoutPrefixProvider* dpp,
+ const vector& policies,
 const rgw::IAM::Environment& env,
 const uint64_t op,
 const ARN& arn)
 {
 auto policy_res = Effect::Pass, prev_res = Effect::Pass;
 for (auto& policy : policies) {
- if (policy_res = eval_or_pass(policy, env, boost::none, op, arn); policy_res == Effect::Deny)
+ if (policy_res = eval_or_pass(dpp, policy, env, boost::none, op, arn); policy_res == Effect::Deny)
 return policy_res;
 else if (policy_res == Effect::Allow)
 prev_res = Effect::Allow;
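Review bot: The new `dpp` parameter of eval_or_pass is only forwarded in the visible hunks and never read, and the function body lies outside the hunk, so nothing on this page shows the provider being used for a log line inside policy evaluation; if it is unused there, document that it exists purely as a log prefix so readers do not assume it affects the result, e.g. `// dpp: log-prefix provider for debug output only; must not influence the returned Effect`. The rgw_common.h hunk updates only eval_identity_or_session_policies, so if eval_or_pass is declared in any header that declaration also needs the new first parameter, and if it is meant to be file-local it could be marked `static` so the old signature cannot be called from elsewhere. The same forwarding-only use applies to the second hunk (eval_identity_or_session_policies); both function bodies continue outside the hunk.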
@@ -1140,13 +1142,13 @@ bool verify_user_permission(const DoutPrefixProvider* dpp,
 const rgw::ARN& res,
 const uint64_t op)
 {
- auto identity_policy_res = eval_identity_or_session_policies(user_policies, s->env, op, res);
+ auto identity_policy_res = eval_identity_or_session_policies(dpp, user_policies, s->env, op, res);
 if (identity_policy_res == Effect::Deny) {
 return false;
 }
 if (! session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, op, res);
+ auto session_policy_res = eval_identity_or_session_policies(dpp, session_policies, s->env, op, res);
 if (session_policy_res == Effect::Deny) {
 return false;
 }
@@ -1238,19 +1240,23 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp,
 if (!verify_requester_payer_permission(s))
 return false;
- auto identity_policy_res = eval_identity_or_session_policies(identity_policies, s->env, op, ARN(bucket));
+ auto identity_policy_res = eval_identity_or_session_policies(dpp, identity_policies, s->env, op, ARN(bucket));
 if (identity_policy_res == Effect::Deny)
 return false;
 rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
- auto r = eval_or_pass(bucket_policy, s->env, *s->identity,
+ if (bucket_policy) {
+ ldpp_dout(dpp, 16) << __func__ << ": policy: " << bucket_policy.get()
+ << "resource: " << ARN(bucket) << dendl;
+ }
+ auto r = eval_or_pass(dpp, bucket_policy, s->env, *s->identity,
 op, ARN(bucket), princ_type);
 if (r == Effect::Deny)
 return false;
 //Take into account session policies, if the identity making a request is a role
 if (!session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, op, ARN(bucket));
+ auto session_policy_res = eval_identity_or_session_policies(dpp, session_policies, s->env, op, ARN(bucket));
 if (session_policy_res == Effect::Deny) {
 return false;
 }
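Review bot: The added ldpp_dout in verify_bucket_permission streams `bucket_policy.get()` and then the literal `"resource: "` with no separator, so the message comes out as `...policy: <policy>resource: <arn>`; change the second literal to `<< ", resource: "`. The line prints the whole bucket policy document on every bucket-level permission check, so it should stay at a high debug level such as the 16 used here, and that choice is worth stating in a short comment above the `if (bucket_policy)` guard, e.g. `// dumps the full policy document; keep at a deep debug level`. The enclosing function starts and ends outside the hunk.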
@@ -1373,13 +1379,13 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp, req_state * const s
 int verify_bucket_owner_or_policy(req_state* const s,
 const uint64_t op)
 {
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env, op, ARN(s->bucket->get_key()));
+ auto identity_policy_res = eval_identity_or_session_policies(s, s->iam_user_policies, s->env, op, ARN(s->bucket->get_key()));
 if (identity_policy_res == Effect::Deny) {
 return -EACCES;
 }
 rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
- auto e = eval_or_pass(s->iam_policy,
+ auto e = eval_or_pass(s, s->iam_policy,
 s->env, *s->auth.identity,
 op, ARN(s->bucket->get_key()), princ_type);
 if (e == Effect::Deny) {
@@ -1387,7 +1393,8 @@ int verify_bucket_owner_or_policy(req_state* const s,
 }
 if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env, op, ARN(s->bucket->get_key()));
+ auto session_policy_res = eval_identity_or_session_policies(s, s->session_policies, s->env, op,
+ ARN(s->bucket->get_key()));
 if (session_policy_res == Effect::Deny) {
 return -EACCES;
 }
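Review bot: verify_bucket_owner_or_policy passes `s` (a `req_state*`) as the DoutPrefixProvider in both changed calls, while every other call site in rgw_common.cc forwards an explicit `dpp` parameter and the rgw_op.cc sites pass the op (`this`); this only compiles if req_state derives from DoutPrefixProvider, which the page does not show. For consistency with its siblings consider giving verify_bucket_owner_or_policy its own `const DoutPrefixProvider* dpp` parameter, or mark the asymmetry as deliberate with a comment such as `// req_state doubles as the log-prefix provider here; callers have no separate dpp`. The function continues outside both hunks.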
@@ -1458,17 +1465,17 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_b
 if (!verify_requester_payer_permission(s))
 return false;
- auto identity_policy_res = eval_identity_or_session_policies(identity_policies, s->env, op, ARN(obj));
+ auto identity_policy_res = eval_identity_or_session_policies(dpp, identity_policies, s->env, op, ARN(obj));
 if (identity_policy_res == Effect::Deny)
 return false;
 rgw::IAM::PolicyPrincipal princ_type = rgw::IAM::PolicyPrincipal::Other;
- auto r = eval_or_pass(bucket_policy, s->env, *s->identity, op, ARN(obj), princ_type);
+ auto r = eval_or_pass(dpp, bucket_policy, s->env, *s->identity, op, ARN(obj), princ_type);
 if (r == Effect::Deny)
 return false;
 if (!session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(session_policies, s->env, op, ARN(obj));
+ auto session_policy_res = eval_identity_or_session_policies(dpp, session_policies, s->env, op, ARN(obj));
 if (session_policy_res == Effect::Deny) {
 return false;
 }
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 4bc18b24136..884bceeacbb 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -2180,7 +2180,8 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
 /** Check if the req_state's user has the necessary permissions
 * to do the requested action */
-rgw::IAM::Effect eval_identity_or_session_policies(const std::vector& user_policies,
+rgw::IAM::Effect eval_identity_or_session_policies(const DoutPrefixProvider* dpp,
+ const std::vector& user_policies,
 const rgw::IAM::Environment& env,
 const uint64_t op,
 const rgw::ARN& arn);
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 7625ebd2ead..4e2f5b0dd5e 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
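Review bot: The doc comment above eval_identity_or_session_policies in the rgw_common.h hunk is left unchanged while the signature gains a `dpp` parameter, so the header still does not say what the provider is for or whether it may be null. Extend the comment with a line such as ` * dpp: prefix provider for debug log output during evaluation; callers pass the op object or the req_state`, and say whether a null provider is accepted, which the visible call sites do not settle. The same undocumented parameter appears on eval_or_pass in the first rgw_common.cc hunk.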
@@ -409,7 +409,7 @@ static int read_obj_policy(const DoutPrefixProvider *dpp,
 const rgw_user& bucket_owner = bucket_policy.get_owner().get_id();
 if (bucket_owner.compare(s->user->get_id()) != 0 && ! s->auth.identity->is_admin_of(bucket_owner)) {
- auto r = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto r = eval_identity_or_session_policies(dpp, s->iam_user_policies, s->env,
 rgw::IAM::s3ListBucket, ARN(bucket->get_key()));
 if (r == Effect::Allow)
 return -ENOENT;
@@ -424,7 +424,7 @@ static int read_obj_policy(const DoutPrefixProvider *dpp,
 return -EACCES;
 }
 if (! s->session_policies.empty()) {
- r = eval_identity_or_session_policies(s->session_policies, s->env,
+ r = eval_identity_or_session_policies(dpp, s->session_policies, s->env,
 rgw::IAM::s3ListBucket, ARN(bucket->get_key()));
 if (r == Effect::Allow)
 return -ENOENT;
@@ -3666,7 +3666,7 @@ int RGWPutObj::verify_permission(optional_yield y)
 if (has_s3_resource_tag)
 rgw_iam_add_buckettags(this, s);
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
 rgw::IAM::s3PutObject, s->object->get_obj());
 if (identity_policy_res == Effect::Deny)
@@ -3686,7 +3686,7 @@ int RGWPutObj::verify_permission(optional_yield y)
 }
 if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
 rgw::IAM::s3PutObject, s->object->get_obj());
 if (session_policy_res == Effect::Deny) {
@@ -4262,7 +4262,7 @@ void RGWPostObj::execute(optional_yield y)
 }
 if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
 rgw::IAM::s3PutObject, s->object->get_obj());
 if (identity_policy_res == Effect::Deny) {
@@ -4285,7 +4285,7 @@ void RGWPostObj::execute(optional_yield y)
 }
 if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
 rgw::IAM::s3PutObject, s->object->get_obj());
 if (session_policy_res == Effect::Deny) {
@@ -4844,7 +4844,7 @@ int RGWDeleteObj::verify_permission(optional_yield y)
 if (s->iam_policy || ! s->iam_user_policies.empty() || ! s->session_policies.empty()) {
 if (s->bucket->get_info().obj_lock_enabled() && bypass_governance_mode) {
- auto r = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto r = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
 rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key(), s->object->get_name()));
 if (r == Effect::Deny) {
 bypass_perm = false;
@@ -4855,14 +4855,14 @@ int RGWDeleteObj::verify_permission(optional_yield y)
 bypass_perm = false;
 }
 } else if (r == Effect::Pass && !s->session_policies.empty()) {
- r = eval_identity_or_session_policies(s->session_policies, s->env,
+ r = eval_identity_or_session_policies(this, s->session_policies, s->env,
 rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key(), s->object->get_name()));
 if (r == Effect::Deny) {
 bypass_perm = false;
 }
 }
 }
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
 s->object->get_instance().empty() ?
 rgw::IAM::s3DeleteObject :
 rgw::IAM::s3DeleteObjectVersion,
@@ -4886,7 +4886,7 @@ int RGWDeleteObj::verify_permission(optional_yield y)
 return -EACCES;
 if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
 s->object->get_instance().empty() ?
 rgw::IAM::s3DeleteObject :
 rgw::IAM::s3DeleteObjectVersion,
@@ -5182,7 +5182,7 @@ int RGWCopyObj::verify_permission(optional_yield y)
 rgw_iam_add_objtags(this, s, s->src_object.get(), has_s3_existing_tag, has_s3_resource_tag);
 ARN obj_arn(s->src_object->get_obj());
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
 s->src_object->get_instance().empty() ?
 rgw::IAM::s3GetObject :
 rgw::IAM::s3GetObjectVersion,
@@ -5204,7 +5204,7 @@ int RGWCopyObj::verify_permission(optional_yield y)
 return -EACCES;
 }
 if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
 s->src_object->get_instance().empty() ?
 rgw::IAM::s3GetObject :
 rgw::IAM::s3GetObjectVersion,
@@ -5287,7 +5287,7 @@ int RGWCopyObj::verify_permission(optional_yield y)
 *md_directive);
 ARN obj_arn(dest_object->get_obj());
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies,
 s->env, rgw::IAM::s3PutObject, obj_arn);
@@ -5306,7 +5306,8 @@ int RGWCopyObj::verify_permission(optional_yield y)
 return -EACCES;
 }
 if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env, rgw::IAM::s3PutObject, obj_arn);
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
+ rgw::IAM::s3PutObject, obj_arn);
 if (session_policy_res == Effect::Deny) {
 return false;
 }
@@ -6108,7 +6109,7 @@ int RGWInitMultipart::verify_permission(optional_yield y)
 rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
 if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
 rgw::IAM::s3PutObject, s->object->get_obj());
 if (identity_policy_res == Effect::Deny) {
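Review bot: In the hunk at -5306, the Deny branch directly after the changed session-policy call in RGWCopyObj::verify_permission returns `false`, which in an `int`-returning function converts to 0 and is read by callers as success, while the branch a few lines above in the same hunk returns -EACCES. Unless this is intentional, change it to `return -EACCES;` so that a session policy denying s3PutObject on the destination object actually stops the copy. The line is pre-existing context rather than part of this change, but it sits next to the code being edited and is cheap to fix in the same series; the function continues outside the hunk.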
@@ -6129,7 +6130,7 @@ int RGWInitMultipart::verify_permission(optional_yield y)
 }
 if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
 rgw::IAM::s3PutObject, s->object->get_obj());
 if (session_policy_res == Effect::Deny) {
@@ -6222,7 +6223,7 @@ int RGWCompleteMultipart::verify_permission(optional_yield y)
 rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
 if (s->iam_policy || ! s->iam_user_policies.empty() || ! s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
 rgw::IAM::s3PutObject, s->object->get_obj());
 if (identity_policy_res == Effect::Deny) {
@@ -6243,7 +6244,7 @@ int RGWCompleteMultipart::verify_permission(optional_yield y)
 }
 if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
 rgw::IAM::s3PutObject, s->object->get_obj());
 if (session_policy_res == Effect::Deny) {
@@ -6480,7 +6481,7 @@ int RGWAbortMultipart::verify_permission(optional_yield y)
 rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
 if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
 rgw::IAM::s3AbortMultipartUpload, s->object->get_obj());
 if (identity_policy_res == Effect::Deny) {
@@ -6501,7 +6502,7 @@ int RGWAbortMultipart::verify_permission(optional_yield y)
 }
 if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
 rgw::IAM::s3PutObject, s->object->get_obj());
 if (session_policy_res == Effect::Deny) {
@@ -6687,7 +6688,7 @@ int RGWDeleteMultiObj::verify_permission(optional_yield y)
 if (s->iam_policy || ! s->iam_user_policies.empty() || ! s->session_policies.empty()) {
 if (s->bucket->get_info().obj_lock_enabled() && bypass_governance_mode) {
 ARN bucket_arn(s->bucket->get_key());
- auto r = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto r = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
 rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key()));
 if (r == Effect::Deny) {
 bypass_perm = false;
@@ -6698,7 +6699,7 @@ int RGWDeleteMultiObj::verify_permission(optional_yield y)
 bypass_perm = false;
 }
 } else if (r == Effect::Pass && !s->session_policies.empty()) {
- r = eval_identity_or_session_policies(s->session_policies, s->env,
+ r = eval_identity_or_session_policies(this, s->session_policies, s->env,
 rgw::IAM::s3BypassGovernanceRetention, ARN(s->bucket->get_key()));
 if (r == Effect::Deny) {
 bypass_perm = false;
@@ -6708,7 +6709,7 @@ int RGWDeleteMultiObj::verify_permission(optional_yield y)
 bool not_versioned = rgw::sal::Object::empty(s->object.get()) || s->object->get_instance().empty();
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
 not_versioned ?
 rgw::IAM::s3DeleteObject :
 rgw::IAM::s3DeleteObjectVersion,
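Review bot: In RGWAbortMultipart::verify_permission, the session-policy evaluation in the hunk at -6501 uses `rgw::IAM::s3PutObject`, whereas the identity-policy evaluation for the same request in the preceding hunk at -6480 uses `rgw::IAM::s3AbortMultipartUpload`, so the two checks test different actions for one operation. Unless the mismatch is deliberate, the session-policy call should also pass `rgw::IAM::s3AbortMultipartUpload`, so that a session policy is evaluated against the action actually being performed. This is pre-existing context rather than something the commit changes, and the function continues outside the hunk.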
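Review bot: In the hunk at -6687 of RGWDeleteMultiObj::verify_permission, the local `bucket_arn` constructed on the line before the changed call is not used by that call, which builds a second `ARN(s->bucket->get_key())` from the same key; the -6698 hunk repeats the same construction. If `bucket_arn` is not needed further down the function, pass it to both calls (`rgw::IAM::s3BypassGovernanceRetention, bucket_arn);`) or drop the local. The function continues outside the hunk, so whether it is used later cannot be confirmed here.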
@@ -6732,7 +6733,7 @@ int RGWDeleteMultiObj::verify_permission(optional_yield y)
 return -EACCES;
 if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
 not_versioned ?
 rgw::IAM::s3DeleteObject :
 rgw::IAM::s3DeleteObjectVersion,
@@ -6843,7 +6844,7 @@ void RGWDeleteMultiObj::execute(optional_yield y)
 std::string version_id;
 std::unique_ptr obj = bucket->get_object(*iter);
 if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
 iter->instance.empty() ?
 rgw::IAM::s3DeleteObject :
 rgw::IAM::s3DeleteObjectVersion,
@@ -6871,7 +6872,7 @@ void RGWDeleteMultiObj::execute(optional_yield y)
 }
 if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
 iter->instance.empty() ?
 rgw::IAM::s3DeleteObject :
 rgw::IAM::s3DeleteObjectVersion,
@@ -7333,7 +7334,7 @@ bool RGWBulkUploadOp::handle_file_verify_permission(RGWBucketInfo& binfo,
 bucket_owner = bacl.get_owner();
 if (policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
- auto identity_policy_res = eval_identity_or_session_policies(s->iam_user_policies, s->env,
+ auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
 rgw::IAM::s3PutObject, obj);
 if (identity_policy_res == Effect::Deny) {
 return false;
@@ -7348,7 +7349,7 @@ bool RGWBulkUploadOp::handle_file_verify_permission(RGWBucketInfo& binfo,
 }
 if (!s->session_policies.empty()) {
- auto session_policy_res = eval_identity_or_session_policies(s->session_policies, s->env,
+ auto session_policy_res = eval_identity_or_session_policies(this, s->session_policies, s->env,
 rgw::IAM::s3PutObject, obj);
 if (session_policy_res == Effect::Deny) {
 return false;