From: Casey Bodley
Date: Tue, 2 Jan 2024 23:28:12 +0000 (-0500)
Subject: rgw/auth: Identity matches account user principals
X-Git-Tag: v20.0.0~2159^2~109
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=8e24a611db7a951c2523503e922c9fda4fb68f2e;p=ceph.git
rgw/auth: Identity matches account user principals
when a user belongs to an account, they match Principal ARNs by account id instead of tenant name, and by user name instead user id
Signed-off-by: Casey Bodley
---
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 5899b65b7362..187ea2c71f0e 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -146,8 +146,13 @@ transform_old_authinfo(CephContext* const cct,
     return p.get_account() == id.tenant;
   } else if (p.is_user()) {
     std::string_view no_subuser;
-    return p.get_account() == id.tenant
-      && match_principal(path, id.id, no_subuser, p.get_id());
+    // account users can match both account- and tenant-based arns
+    if (!account_id.empty() && p.get_account() == account_id) {
+      return match_principal(path, display_name, no_subuser, p.get_id());
+    } else {
+      return p.get_account() == id.tenant
+        && match_principal(path, id.id, no_subuser, p.get_id());
+    }
   }
   return false;
 }
@@ -867,9 +872,16 @@ bool rgw::auth::LocalApplier::is_identity(const Principal& p) const {
   } else if (p.is_account()) {
     return p.get_account() == user_info.user_id.tenant;
   } else if (p.is_user()) {
-    return p.get_account() == user_info.user_id.tenant
-      && match_principal(user_info.path, user_info.user_id.id,
-                         subuser, p.get_id());
+    // account users can match both account- and tenant-based arns
+    if (!user_info.account_id.empty() &&
+        p.get_account() == user_info.account_id) {
+      return match_principal(user_info.path, user_info.display_name,
+                             subuser, p.get_id());
+    } else {
+      return p.get_account() == user_info.user_id.tenant
+        && match_principal(user_info.path, user_info.user_id.id,
+                           subuser, p.get_id());
+    }
   }
   return false;
 }
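Review bot: The account-versus-tenant branch added in this hunk is repeated almost verbatim in the LocalApplier::is_identity hunk below, differing only in where path, uid, account id, display name and subuser come from; because this is an authorization decision, it would be safer to lift it into one shared helper beside match_principal so the two call sites cannot drift apart over time. The comment `// account users can match both account- and tenant-based arns` says what the branch does but not why the name changes; the commit message has the reason, so `// account users are addressed in arns by account id + user name, not tenant + uid` would carry it into the code. The new match also relies on display_name being unique within an account, which nothing in this hunk establishes; if the account layer guarantees that, a short note here would tell the next reader the check is sound. The enclosing function begins before this hunk, so the types of account_id and display_name are not visible here.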
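Review bot: In the account branch the member `subuser` is still forwarded alongside user_info.display_name, whereas the first hunk deliberately passes an empty `no_subuser` view for the same case; if match_principal composes its second and third arguments into a `name:subuser` form, this compares `display_name:subuser` against the principal's id, which may or may not be the intended shape for account subusers. Either confirm that behaviour or pass an empty view here as the first hunk does, and say which in the comment, e.g. `// subusers are addressed as name:subuser for account users too`. The `!user_info.account_id.empty()` guard is what keeps a principal with an empty account from matching through display_name, so it is worth keeping even if the condition is later reshaped. The opening of is_identity (the branches before `p.is_account()`) lies outside this hunk.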