From: Seena Fallah Date: Thu, 17 Apr 2025 22:09:12 +0000 (+0200) Subject: rgw: change is_admin_of() to is_admin() X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=876bea14c48882c01028bcd2d1550ea7c2286aad;p=ceph.git rgw: change is_admin_of() to is_admin() As admin propery of a user is something global and nothing related to any other owner, we don't need any comparision. Signed-off-by: Seena Fallah (cherry picked from commit 1a253ea065a5de9636b769b41cc46a4fbc18c3f8) --- diff --git a/src/rgw/driver/rados/rgw_rest_user.cc b/src/rgw/driver/rados/rgw_rest_user.cc index 71bb8c4c0390c..845f4be1adecf 100644 --- a/src/rgw/driver/rados/rgw_rest_user.cc +++ b/src/rgw/driver/rados/rgw_rest_user.cc @@ -122,7 +122,7 @@ void RGWOp_User_Info::execute(optional_yield y) // dump_keys is false if user-info-without-keys is 'read' and // the user is not the system user or an admin user int keys_perm = s->user->get_info().caps.check_cap("users", RGW_CAP_READ); - if (keys_perm == 0 || op_state.system || s->auth.identity->is_admin_of(uid)) { + if (keys_perm == 0 || op_state.system || s->auth.identity->is_admin()) { dump_keys = true; ldpp_dout(s, 20) << "dump_keys is set to true" << dendl; } diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc index 14e096f22c568..64d6e630dc289 100644 --- a/src/rgw/rgw_auth.cc +++ b/src/rgw/rgw_auth.cc @@ -203,7 +203,7 @@ static auto transform_old_authinfo(const RGWUserInfo& user, const rgw_user id; const std::string display_name; const std::string path; - const bool is_admin; + const bool user_is_admin; const uint32_t type; const std::optional account; const std::vector policies; @@ -216,7 +216,7 @@ static auto transform_old_authinfo(const RGWUserInfo& user, id(user.user_id), display_name(user.display_name), path(user.path), - is_admin(user.admin), + user_is_admin(user.admin), type(user.type), account(std::move(account)), policies(std::move(policies)) 
@@ -238,8 +238,8 @@ static auto transform_old_authinfo(const RGWUserInfo& user, return rgw_perms_from_aclspec_default_strategy(id.to_str(), aclspec, dpp); } - bool is_admin_of(const rgw_owner& o) const override { - return is_admin; + bool is_admin() const override { + return user_is_admin; } bool is_owner_of(const rgw_owner& o) const override { @@ -302,7 +302,7 @@ static auto transform_old_authinfo(const RGWUserInfo& user, void to_str(std::ostream& out) const override { out << "RGWDummyIdentityApplier(auth_id=" << id - << ", is_admin=" << is_admin << ")"; + << ", is_admin=" << user_is_admin << ")"; } auto load_acct_info(const DoutPrefixProvider* dpp) const -> std::unique_ptr override { @@ -817,7 +817,7 @@ uint32_t rgw::auth::RemoteApplier::get_perms_from_aclspec(const DoutPrefixProvid return perm; } -bool rgw::auth::RemoteApplier::is_admin_of(const rgw_owner& o) const +bool rgw::auth::RemoteApplier::is_admin() const { return info.is_admin; } @@ -1057,7 +1057,7 @@ uint32_t rgw::auth::LocalApplier::get_perms_from_aclspec(const DoutPrefixProvide return mask; } -bool rgw::auth::LocalApplier::is_admin_of(const rgw_owner& o) const +bool rgw::auth::LocalApplier::is_admin() const { return user_info.admin || user_info.system; } diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h index a7a09b36b214e..cb7ab91768f31 100644 --- a/src/rgw/rgw_auth.h +++ b/src/rgw/rgw_auth.h 
@@ -48,9 +48,9 @@ public: * applier that is being used. */ virtual uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const = 0; - /* Verify whether a given identity *can be treated as* an admin of rgw_owner - * specified in @o. On error throws rgw::auth::Exception storing the reason. */ - virtual bool is_admin_of(const rgw_owner& o) const = 0; + /* Verify whether a given identity *can be treated as* an admin. + * On error throws rgw::auth::Exception storing the reason. */ + virtual bool is_admin() const = 0; /* Verify whether a given identity is the rgw_owner specified in @o. * On internal error throws rgw::auth::Exception storing the reason. */ @@ -480,7 +480,7 @@ public: return RGW_PERM_NONE; } - bool is_admin_of(const rgw_owner& o) const override { + bool is_admin() const override { return false; } @@ -664,7 +664,7 @@ public: ACLOwner get_aclowner() const override; uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override; - bool is_admin_of(const rgw_owner& o) const override; + bool is_admin() const override; bool is_owner_of(const rgw_owner& o) const override; bool is_root() const override; bool is_identity(const Principal& p) const override; @@ -730,7 +730,7 @@ public: ACLOwner get_aclowner() const override; uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override; - bool is_admin_of(const rgw_owner& o) const override; + bool is_admin() const override; bool is_owner_of(const rgw_owner& o) const override; bool is_root() const override; bool is_identity(const Principal& p) const override; @@ -813,7 +813,7 @@ public: uint32_t get_perms_from_aclspec(const DoutPrefixProvider* dpp, const aclspec_t& aclspec) const override { return 0; } - bool is_admin_of(const rgw_owner& o) const override { + bool is_admin() const override { return false; } bool is_owner_of(const rgw_owner& o) const override; 
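Review bot: The rewritten comment on `is_admin()` in the first rgw_auth.h hunk (`@@ -48,9 +48,9 @@`) does not say what a true result entitles the caller to. It should, because the call sites touched by this same commit (rgw_lib.cc, rgw_op.cc, rgw_process.cc) use it to carry on after a failed permission check. It also leaves "admin" undefined, although `LocalApplier::is_admin()` in rgw_auth.cc returns `user_info.admin || user_info.system`, so system users count as admins there. I would extend the comment along the lines of `/* Global property of the identity, not scoped to any owner; appliers may also report system users as admin. Callers treat true as grounds to override a failed permission check. */`. The class body continues outside the hunk.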
@@ -861,7 +861,7 @@ public: return RGW_PERM_NONE; } - bool is_admin_of(const rgw_owner& o) const override { + bool is_admin() const override { return false; } diff --git a/src/rgw/rgw_auth_filters.h b/src/rgw/rgw_auth_filters.h index dc6e5f7ce8439..aed3449f13b11 100644 --- a/src/rgw/rgw_auth_filters.h +++ b/src/rgw/rgw_auth_filters.h @@ -73,8 +73,8 @@ public: return get_decoratee().get_perms_from_aclspec(dpp, aclspec); } - bool is_admin_of(const rgw_owner& o) const override { - return get_decoratee().is_admin_of(o); + bool is_admin() const override { + return get_decoratee().is_admin(); } bool is_owner_of(const rgw_owner& o) const override { @@ -281,12 +281,12 @@ public: return DecoratedApplier::get_tenant(); } - bool is_admin_of(const rgw_owner& o) const override { + bool is_admin() const override { if (is_system && !is_impersonating) { return true; } - return DecoratedApplier::is_admin_of(o); + return DecoratedApplier::is_admin(); } }; diff --git a/src/rgw/rgw_lib.cc b/src/rgw/rgw_lib.cc index 5ffb7cf632cc0..471a6373c93e8 100644 --- a/src/rgw/rgw_lib.cc +++ b/src/rgw/rgw_lib.cc @@ -283,7 +283,7 @@ namespace rgw { if (ret < 0) { if (s->system_request) { ldpp_dout(op, 2) << "overriding permissions due to system operation" << dendl; - } else if (s->auth.identity->is_admin_of(s->user->get_id())) { + } else if (s->auth.identity->is_admin()) { ldpp_dout(op, 2) << "overriding permissions due to admin operation" << dendl; } else { abort_req(s, op, ret); @@ -420,7 +420,7 @@ namespace rgw { if (ret < 0) { if (s->system_request) { ldpp_dout(op, 2) << "overriding permissions due to system operation" << dendl; - } else if (s->auth.identity->is_admin_of(s->user->get_id())) { + } else if (s->auth.identity->is_admin()) { ldpp_dout(op, 2) << "overriding permissions due to admin operation" << dendl; } else { abort_req(s, op, ret); diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index 441f527a7a6ae..c5a18ed080253 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc 
@@ -428,7 +428,7 @@ static int read_obj_policy(const DoutPrefixProvider *dpp, return ret; } - if (s->auth.identity->is_admin_of(bucket_policy.get_owner().id)) { + if (s->auth.identity->is_admin()) { return -ENOENT; } @@ -1858,7 +1858,7 @@ int RGWGetObj::read_user_manifest_part(rgw::sal::Bucket* bucket, * stored inside different accounts. */ if (s->system_request) { ldpp_dout(this, 2) << "overriding permissions due to system operation" << dendl; - } else if (s->auth.identity->is_admin_of(s->user->get_id())) { + } else if (s->auth.identity->is_admin()) { ldpp_dout(this, 2) << "overriding permissions due to admin operation" << dendl; } else if (!verify_object_permission(this, s, part->get_obj(), s->user_acl, bucket_acl, obj_policy, bucket_policy, diff --git a/src/rgw/rgw_process.cc b/src/rgw/rgw_process.cc index 8cf1c41775f6e..59f877c3736b5 100644 --- a/src/rgw/rgw_process.cc +++ b/src/rgw/rgw_process.cc @@ -228,8 +228,8 @@ int rgw_process_authenticated(RGWHandler_REST * const handler, } if (ret == -EACCES || ret == -EPERM || ret == -ERR_AUTHORIZATION) { // system requests may impersonate another user/role for permission checks - // so only rely on is_admin_of() to override permissions - if (s->auth.identity->is_admin_of(s->user->get_id())) { + // so only rely on is_admin() to override permissions + if (s->auth.identity->is_admin()) { dout(2) << "overriding permissions due to admin operation" << dendl; } else { return ret; diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index 946424f17df87..6c6e40914732c 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc 
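Review bot: In the rgw_process.cc hunk (`@@ -228,8 +228,8 @@`), the branch taken when `is_admin()` is true logs only `"overriding permissions due to admin operation"`, so an authorization override cannot be tied to an identity or to the error that was overridden. Since the check is no longer tied to `s->user->get_id()`, the log line is the only record of who was granted the bypass. I would log both, e.g. `dout(2) << "overriding permissions due to admin operation, identity=" << *s->auth.identity << " ret=" << ret << dendl;`, assuming the stream operator for the identity is visible in this file. The same bare message appears in the rgw_lib.cc hunks and in `read_user_manifest_part` in rgw_op.cc; the enclosing function here starts and ends outside the hunk.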
@@ -417,7 +417,7 @@ int RGWGetObj_ObjStore_S3::send_response_data(bufferlist& bl, off_t bl_ofs, auto action = s->object->get_instance().empty() ? rgw::IAM::s3GetObjectTagging : rgw::IAM::s3GetObjectVersionTagging; // since we are already under s->system_request, if the request is not impersonating, // it can be assumed that it is not a user-mode replication. - bool keep_tags = s->auth.identity->is_admin_of(s->user->get_id()) || verify_object_permission(this, s, action); + bool keep_tags = s->auth.identity->is_admin() || verify_object_permission(this, s, action); // remove tags from attrs if the user doesn't have permission bufferlist tags_bl; diff --git a/src/rgw/rgw_sts.cc b/src/rgw/rgw_sts.cc index 7e8e37b3419d0..951af012b482f 100644 --- a/src/rgw/rgw_sts.cc +++ b/src/rgw/rgw_sts.cc @@ -124,7 +124,7 @@ int Credentials::generateCredentials(const DoutPrefixProvider *dpp, if (identity) { token.acct_name = identity->get_acct_name(); token.perm_mask = identity->get_perm_mask(); - token.is_admin = identity->is_admin_of(token.user); + token.is_admin = identity->is_admin(); token.acct_type = identity->get_identity_type(); } else { token.acct_name = {}; diff --git a/src/rgw/rgw_swift_auth.h b/src/rgw/rgw_swift_auth.h index eb34984398ca1..af53be759100e 100644 --- a/src/rgw/rgw_swift_auth.h +++ b/src/rgw/rgw_swift_auth.h @@ -159,7 +159,7 @@ class SwiftAnonymousApplier : public rgw::auth::LocalApplier { : LocalApplier(cct, std::move(user), std::nullopt, {}, LocalApplier::NO_SUBUSER, std::nullopt, LocalApplier::NO_ACCESS_KEY) { } - bool is_admin_of(const rgw_owner& o) const {return false;} + bool is_admin() const {return false;} bool is_owner_of(const rgw_owner& o) const { auto* uid = std::get_if(&o); return uid && uid->id == RGW_USER_ANON_ID; diff --git a/src/test/rgw/test_rgw_iam_policy.cc b/src/test/rgw/test_rgw_iam_policy.cc index 79362a0875562..8e9be5c11e5e9 100644 --- a/src/test/rgw/test_rgw_iam_policy.cc +++ b/src/test/rgw/test_rgw_iam_policy.cc 
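Review bot: In the rgw_sts.cc hunk, `token.is_admin = identity->is_admin();` copies the caller's global admin flag into the session token with no comment on what that means for the token's lifetime. With the `token.user` argument gone, it is worth stating that the value is not scoped to the token's user, and that for a `LocalApplier` it is also true for system users. A one-line comment would do, e.g. `// global admin flag of the issuing identity, captured at issue time`. Whether the flag is re-validated when the token is later presented is outside this hunk, so that should be confirmed before relying on it.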
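Review bot: In the rgw_swift_auth.h hunk, `bool is_admin() const {return false;}` in `SwiftAnonymousApplier` is still declared without `override`, unlike every other implementation this commit touches. This function is what keeps the anonymous identity from inheriting `LocalApplier::is_admin()`, which returns `user_info.admin || user_info.system`. Without `override`, a future signature change like this one would compile and silently stop overriding. I would write `bool is_admin() const override {return false;}` and do the same for the neighbouring `is_owner_of`. The class continues outside the hunk.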
@@ -160,7 +160,7 @@ public: return 0; }; - bool is_admin_of(const rgw_owner& o) const override { + bool is_admin() const override { ceph_abort(); return false; } diff --git a/src/test/rgw/test_rgw_lua.cc b/src/test/rgw/test_rgw_lua.cc index 8cd23b90b2f8a..21f12c4efd141 100644 --- a/src/test/rgw/test_rgw_lua.cc +++ b/src/test/rgw/test_rgw_lua.cc @@ -42,7 +42,7 @@ public: return 0; }; - bool is_admin_of(const rgw_owner& o) const override { + bool is_admin() const override { return false; }