From: Adam C. Emerson
Date: Mon, 4 Feb 2019 18:08:20 +0000 (-0500)
Subject: Merge pull request #25278 from ZVampirEM77/wip-deleteobject-policy
X-Git-Tag: v14.1.0~216
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=81d1f3a6a71aba36b22a58a2b668b4a612b7eb05;p=ceph.git

Merge pull request #25278 from ZVampirEM77/wip-deleteobject-policy

rgw: fix obj can still be deleted even if deleteobject policy is set
rgw: cleanup for RGWDeleteObj::verify_permission(

Reviewed-by: Pritha Srivastava
Reviewed-by: Adam C. Emerson
Reviewed-by: Abhishek Lekshmanan
Reviewed-by: Matt Benjamin
---

81d1f3a6a71aba36b22a58a2b668b4a612b7eb05
diff --cc src/rgw/rgw_op.cc
index 3b12fffa8b6,37e45ec0374..d576107bc83
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@@ -4450,23 -4275,19 +4450,23 @@@ int RGWDeleteObj::verify_permission(
  rgw::IAM::s3DeleteObjectVersion,
  ARN(s->bucket, s->object.name));
  if (usr_policy_res == Effect::Deny) {
- return false;
+ return -EACCES;
  }
- auto r = s->iam_policy->eval(s->env, *s->auth.identity,
+
+ rgw::IAM::Effect r = Effect::Pass;
+ if (s->iam_policy) {
+ r = s->iam_policy->eval(s->env, *s->auth.identity,
  s->object.instance.empty() ? rgw::IAM::s3DeleteObject : rgw::IAM::s3DeleteObjectVersion,
  ARN(s->bucket, s->object.name));
+ }
  if (r == Effect::Allow)
- return true;
+ return 0;
  else if (r == Effect::Deny)
- return false;
+ return -EACCES;
  else if (usr_policy_res == Effect::Allow)
- return true;
+ return 0;
  }
  if (!verify_bucket_permission_no_policy(this, s, RGW_PERM_WRITE)) {