From: Casey Bodley
Date: Tue, 1 Jul 2025 03:50:37 +0000 (-0400)
Subject: rgw/iam: add s3:Get/PutAccountPublicAccessBlock actions
X-Git-Tag: v21.0.1~135^2~11
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=7d836abcbfa47074e85af9529ba140969a7b7362;p=ceph.git

rgw/iam: add s3:Get/PutAccountPublicAccessBlock actions

Signed-off-by: Casey Bodley
---
diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index 5ef051c7a97..c312632ed57 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -142,6 +142,8 @@ static const actpair actpairs[] = {
   { "s3:ReplicateObject", s3ReplicateObject },
   { "s3:ReplicateTags", s3ReplicateTags },
   { "s3:GetObjectVersionForReplication", s3GetObjectVersionForReplication },
+  { "s3:PutAccountPublicAccessBlock", s3PutAccountPublicAccessBlock },
+  { "s3:GetAccountPublicAccessBlock", s3GetAccountPublicAccessBlock },
   { "s3-object-lambda:GetObject", s3objectlambdaGetObject },
   { "s3-object-lambda:ListBucket", s3objectlambdaListBucket },
   { "iam:PutUserPolicy", iamPutUserPolicy },
@@ -1510,6 +1512,12 @@ const char* action_bit_string(uint64_t action) {
   case s3GetObjectVersionForReplication:
     return "s3:GetObjectVersionForReplication";
 
+  case s3PutAccountPublicAccessBlock:
+    return "s3:PutAccountPublicAccessBlock";
+
+  case s3GetAccountPublicAccessBlock:
+    return "s3:GetAccountPublicAccessBlock";
+
   case s3objectlambdaGetObject:
     return "s3-object-lambda:GetObject";
 
diff --git a/src/rgw/rgw_iam_policy.h b/src/rgw/rgw_iam_policy.h
index 8d7f83030ad..2915f0de3ca 100644
--- a/src/rgw/rgw_iam_policy.h
+++ b/src/rgw/rgw_iam_policy.h
@@ -121,6 +121,8 @@ enum {
   s3ReplicateObject,
   s3GetObjectVersionForReplication,
   s3ReplicateTags,
+  s3PutAccountPublicAccessBlock,
+  s3GetAccountPublicAccessBlock,
   s3All,
 
   s3objectlambdaGetObject,
diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc
index b0f83ac4ec7..2ccdc577089 100644
--- a/src/test/rgw/test_rgw_iam_policy.cc
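Review bot: The two new enumerators in rgw_iam_policy.h are placed just before `s3All`, and nothing in the header says why that position matters; if `s3All` is the sentinel that bounds the `s3:` range, as its placement suggests, then every policy written with `s3:*` or `s3:Put*` now silently also grants `s3:PutAccountPublicAccessBlock`, a setting that applies to the whole account rather than to a single bucket. That is probably the intended semantics, but the next maintainer adding an action has no hint that appending after `s3All` would leave it out of the wildcard. Suggest a comment above the two added lines, `// account-level actions; keep ahead of s3All so the s3:* wildcard covers them`. The matching `actpairs` and `action_bit_string` additions in rgw_iam_policy.cc agree with each other and with the enum; the enum itself begins before and continues past the hunk.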
+++ b/src/test/rgw/test_rgw_iam_policy.cc
@@ -90,6 +90,7 @@ using rgw::IAM::s3GetBucketObjectLockConfiguration;
 using rgw::IAM::s3GetObjectRetention;
 using rgw::IAM::s3GetObjectLegalHold;
 using rgw::IAM::s3DescribeJob;
+using rgw::IAM::s3GetAccountPublicAccessBlock;
 using rgw::IAM::s3objectlambdaGetObject;
 using rgw::IAM::s3objectlambdaListBucket;
 using rgw::IAM::iamGenerateCredentialReport;
@@ -456,6 +457,7 @@ TEST_F(PolicyTest, Parse3) {
   act2[s3GetPublicAccessBlock] = 1;
   act2[s3GetBucketEncryption] = 1;
   act2[s3GetObjectVersionForReplication] = 1;
+  act2[s3GetAccountPublicAccessBlock] = 1;
   EXPECT_EQ(p->statements[2].action, act2);
   EXPECT_EQ(p->statements[2].notaction, None);
@@ -529,6 +531,7 @@ TEST_F(PolicyTest, Eval3) {
   s3allow[s3GetPublicAccessBlock] = 1;
   s3allow[s3GetBucketEncryption] = 1;
   s3allow[s3GetObjectVersionForReplication] = 1;
+  s3allow[s3GetAccountPublicAccessBlock] = 1;
   ARN arn1(Partition::aws, Service::s3, "", arbitrary_tenant, "mybucket");
@@ -927,6 +930,7 @@ TEST_F(ManagedPolicyTest, AmazonS3ReadOnlyAccess)
   act[s3GetBucketPublicAccessBlock] = 1;
   act[s3GetBucketEncryption] = 1;
   act[s3GetObjectVersionForReplication] = 1;
+  act[s3GetAccountPublicAccessBlock] = 1;
   // s3:List*
   act[s3ListMultipartUploadParts] = 1;
   act[s3ListBucket] = 1;
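Review bot: Only the Get side of the new pair is covered by the test changes: `s3GetAccountPublicAccessBlock` is added to Parse3, Eval3 and the AmazonS3ReadOnlyAccess expectation, while `s3PutAccountPublicAccessBlock` gets neither a `using` declaration nor an assertion anywhere, so a typo in its `actpairs` string or a dropped `action_bit_string` case would pass this suite unnoticed. Since Put is the mutating action of the two, its name-to-bit mapping is the one most worth pinning. Add it to whichever parse/eval case already lists the other `s3:Put*` actions and, if a full-access managed-policy test exists, assert `act[s3PutAccountPublicAccessBlock] = 1;` there as well. Each TEST_F body starts and ends outside its hunk.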