From: Pritha Srivastava
Date: Fri, 30 Nov 2018 15:11:44 +0000 (+0530)
Subject: rgw: Fix for role permission evaluation based on TYPE_ROLE.
X-Git-Tag: v14.1.0~510^2~1
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=9941a37497b907d62e3a29af00e55e35d4439324;p=ceph.git

rgw: Fix for role permission evaluation based on TYPE_ROLE.

Signed-off-by: Pritha Srivastava
---
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 0aa9b42032c9..afe1f3ada36e 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1134,8 +1134,11 @@ bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, struct req_
 RGWAccessControlPolicy * const user_acl,
 const int perm)
 {
+ if (s->user->type == TYPE_ROLE)
+ return false;
+
 /* S3 doesn't support account ACLs. */
- if ((s->user->type != TYPE_NONE || s->user->user_id == rgw_user(RGW_USER_ANON_ID)) && !user_acl)
+ if (!user_acl)
 return true;

 if ((perm & (int)s->perm_mask) != perm)
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 9e311ac268cb..0a002fd4a25a 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -634,7 +634,8 @@ enum RGWUserSourceType
 TYPE_NONE=0,
 TYPE_RGW=1,
 TYPE_KEYSTONE=2,
- TYPE_LDAP=3
+ TYPE_LDAP=3,
+ TYPE_ROLE=4
 };

 struct RGWUserInfo
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 17334ac61905..c76cfd0f6122 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -572,7 +572,7 @@ int rgw_build_bucket_policies(RGWRados* store, struct req_state* s)
 }
 // We don't need user policies in case of STS token returned by AssumeRole,
 // hence the check for user type
- if (! s->user->user_id.empty() && s->user->type != TYPE_NONE) {
+ if (! s->user->user_id.empty() && s->user->type != TYPE_ROLE) {
 try {
 map uattrs;
 if (ret = rgw_get_user_attrs_by_uid(store, s->user->user_id, uattrs); ! ret) {
diff --git a/src/rgw/rgw_rest.cc b/src/rgw/rgw_rest.cc
index 7b3314b52fd6..f7142731b41d 100644
--- a/src/rgw/rgw_rest.cc
+++ b/src/rgw/rgw_rest.cc
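Review bot: The added `if (s->user->type == TYPE_ROLE) return false;` in verify_user_permission_no_policy denies every role principal with no explanation at the site, while the simplified `if (!user_acl) return true;` below it now grants any non-role principal, anonymous included, whenever no user ACL is supplied — the old condition narrowed that by user type. Both decisions deserve a comment so a later reader does not "fix" them; above the early return I would add `// Role principals (STS AssumeRole) have no user ACL to evaluate here; presumably their access is decided by policy elsewhere, so never grant via this path.` The function continues outside the hunk, so whether a null user_acl can reach this point for a non-anonymous, non-role user cannot be checked from the diff and should be confirmed at the callers.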
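Review bot: TYPE_ROLE joins RGWUserSourceType without a comment, even though the other hunks in this commit make it load-bearing for authorization (user attrs and user info lookups are skipped for it, and verify_user_permission_no_policy denies it). A trailing comment would record that contract, e.g. `TYPE_ROLE=4   // principal carried by an STS AssumeRole token; no user record or user ACL is consulted for it`. If the type is persisted inside encoded RGWUserInfo, the numbering must stay stable, which appending at the end preserves.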
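Review bot: The guard `! s->user->user_id.empty() && s->user->type != TYPE_ROLE` is now repeated in rgw_op.cc, rgw_rest.cc and, on token.acct_type, rgw_rest_s3.cc, each with its own copy of the explanatory comment; a small helper would keep the three sites from drifting the next time the role check changes, e.g. `inline bool needs_user_policies(const RGWUserInfo& u) { return !u.user_id.empty() && u.type != TYPE_ROLE; }` declared next to the enum. Flipping from `!= TYPE_NONE` to `!= TYPE_ROLE` also means principals whose type is still TYPE_NONE now get their attrs loaded, which looks intended but is worth stating in the commit message. rgw_build_bucket_policies continues outside the hunk.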
@@ -1816,7 +1816,7 @@ int RGWHandler_REST::init_permissions(RGWOp* op)
 {
 if (op->get_type() == RGW_OP_CREATE_BUCKET) {
 // We don't need user policies in case of STS token returned by AssumeRole, hence the check for user type
- if (! s->user->user_id.empty() && s->user->type != TYPE_NONE) {
+ if (! s->user->user_id.empty() && s->user->type != TYPE_ROLE) {
 try {
 map uattrs;
 if (auto ret = rgw_get_user_attrs_by_uid(store, s->user->user_id, uattrs); ! ret) {
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index e4671660c02d..686b5f370094 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -4483,8 +4483,9 @@ rgw::auth::s3::STSEngine::authenticate(
 }
 // This is mostly needed to assign the owner of a bucket during its creation
 user_info.user_id = token.user;
+ user_info.type = token.acct_type;
 }
- if (! token.user.empty() && token.acct_type != TYPE_NONE) {
+ if (! token.user.empty() && token.acct_type != TYPE_ROLE) {
 // get user info
 int ret = rgw_get_user_info_by_uid(store, token.user, user_info, NULL);
 if (ret < 0) {
diff --git a/src/rgw/rgw_sts.cc b/src/rgw/rgw_sts.cc
index 4158179dfa60..2558b64a22e9 100644
--- a/src/rgw/rgw_sts.cc
+++ b/src/rgw/rgw_sts.cc
@@ -112,7 +112,7 @@ int Credentials::generateCredentials(CephContext* cct,
 token.acct_name = {};
 token.perm_mask = 0;
 token.is_admin = 0;
- token.acct_type = TYPE_NONE;
+ token.acct_type = TYPE_ROLE;
 }

 buffer::list input, enc_output;
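Review bot: `user_info.type = token.acct_type;` sits under the comment about assigning the bucket owner, which no longer describes it, yet it is the line that makes the role type visible to verify_user_permission_no_policy and the user-policy guards. Give it its own comment, e.g. `// propagate the principal type from the token so later permission checks can recognise a role`. For a non-role token the following rgw_get_user_info_by_uid presumably refills user_info, including type, from the stored record; confirm the two sources cannot disagree, since the type now decides which checks run. STSEngine::authenticate continues outside the hunk.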
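Review bot: `token.acct_type = TYPE_ROLE;` is now the single value that the consumers in this commit key on to skip user lookups and to deny user-ACL access, and together with `perm_mask = 0` and `is_admin = 0` it forms a least-privilege invariant that the block does not state; a comment such as `// role tokens carry no user identity, perm mask or admin bit; consumers key on TYPE_ROLE to bypass user-record lookups` would preserve that intent. The branch that opens this block and the path that sets acct_type for non-role tokens are outside the hunk, so whether every path initialises acct_type cannot be checked here.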