From: Radoslaw Zarzynski <rzarzynski@mirantis.com>
Date: Wed, 30 Nov 2016 16:49:25 +0000 (+0100)
Subject: rgw: implement the basic security check for BulkUpload of Swift API.
X-Git-Tag: v12.0.2~214^2~6
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=9ed7edaaf7a94f21ac84df91bceb3576ba8b784b;p=ceph.git

rgw: implement the basic security check for BulkUpload of Swift API.

Signed-off-by: Radoslaw Zarzynski <rzarzynski@mirantis.com>
---

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 9db697a5ac89..9cb691059832 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -5500,6 +5500,26 @@ void RGWBulkDelete::execute()
 
 int RGWBulkUploadOp::verify_permission()
 {
+  if (s->auth.identity->is_anonymous()) {
+    return -EACCES;
+  }
+
+  if (! verify_user_permission(s, RGW_PERM_WRITE)) {
+    return -EACCES;
+  }
+
+  if (s->user->user_id.tenant != s->bucket_tenant) {
+    ldout(s->cct, 10) << "user cannot create a bucket in a different tenant"
+                      << " (user_id.tenant=" << s->user->user_id.tenant
+                      << " requested=" << s->bucket_tenant << ")"
+                      << dendl;
+    return -EACCES;
+  }
+
+  if (s->user->max_buckets < 0) {
+    return -EPERM;
+  }
+
   return 0;
 }