From: Enming Zhang Date: Wed, 12 Jul 2017 14:21:54 +0000 (+0800) Subject: rgw: acl grants num limit X-Git-Tag: ses5-milestone9~1^2~9^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a1b05dd2f6511a18603051112e18af410f8beb6c;p=ceph.git rgw: acl grants num limit According to AWS S3 in this document[1], an ACL can have up to 100 grants. If the nums of grants is larger than 100, S3 will return like following: 400 MalformedACLErrorThe XML you provided was not well-formed or did not validate against our published schema10EC67824572C378AWL3NnQChs/HCfOTu5MtyEc9uzRuxpYMhmvXQry2CovCcuxO2/tMqY1zGoWOur86ipQt3v/WEiA= Now if the nums of request acl grants is larger than the maximum allowed, rgw will return like following: 400 MalformedACLErrorThe request is rejected, because the acl grants number you requested is larger than the maximum 101 grants allowed in an acl.222tx000000000000000000017-00596b5fad-101a-default101a-default-default The maximum number of acl grants can be configured in config file with the configuration item: rgw_acl_grants_max_num [1] http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html Signed-off-by: Enming Zhang --- diff --git a/src/common/config_opts.h b/src/common/config_opts.h index 15dc65600e043..b36022d111511 100644 --- a/src/common/config_opts.h +++ b/src/common/config_opts.h @@ -1796,3 +1796,5 @@ OPTION(rgw_reshard_bucket_lock_duration, OPT_INT, 120) // duration of lock on bu OPTION(rgw_dynamic_resharding, OPT_BOOL, true) OPTION(rgw_max_objs_per_shard, OPT_INT, 100000) OPTION(rgw_reshard_thread_interval, OPT_U32, 60 * 10) // maximum time between rounds of reshard thread processing + +OPTION(rgw_acl_grants_max_num, OPT_INT, 100) // According to AWS S3(http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html), An ACL can have up to 100 grants. diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc index d7fb6cfdcf2ff..05b92d2ee5a47 100644 --- a/src/rgw/rgw_common.cc +++ b/src/rgw/rgw_common.cc @@ -74,6 +74,7 @@ rgw_http_errors rgw_http_s3_errors({ { ERR_MALFORMED_XML, {400, "MalformedXML" }}, { ERR_AMZ_CONTENT_SHA256_MISMATCH, {400, "XAmzContentSHA256Mismatch" }}, { ERR_INVALID_TAG, {400, "InvalidTag"}}, + { ERR_MALFORMED_ACL_ERROR, {400, "MalformedACLError" }}, { ERR_LENGTH_REQUIRED, {411, "MissingContentLength" }}, { EACCES, {403, "AccessDenied" }}, { EPERM, {403, "AccessDenied" }}, diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h index 1ca88ebb99a78..b8dfb49d74a3b 100644 --- a/src/rgw/rgw_common.h +++ b/src/rgw/rgw_common.h @@ -213,6 +213,7 @@ using ceph::crypto::MD5; #define ERR_TAG_CONFLICT 2209 #define ERR_INVALID_TAG 2210 #define ERR_ZERO_IN_URL 2211 +#define ERR_MALFORMED_ACL_ERROR 2212 #define ERR_BUSY_RESHARDING 2300 diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index c02b3d8396ddf..c99d8a8f12f1f 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -4610,6 +4610,27 @@ void RGWPutACLs::execute() return; } + const RGWAccessControlList& req_acl = policy->get_acl(); + const multimap& req_grant_map = req_acl.get_grant_map(); +#define ACL_GRANTS_MAX_NUM 100 + int max_num = s->cct->_conf->rgw_acl_grants_max_num; + if (max_num < 0) { + max_num = ACL_GRANTS_MAX_NUM; + } + + int grants_num = req_grant_map.size(); + if (grants_num > max_num) { + ldout(s->cct, 4) << "An acl can have up to " + << max_num + << " grants, request acl grants num: " + << grants_num << dendl; + op_ret = -ERR_MALFORMED_ACL_ERROR; + s->err.message = "The request is rejected, because the acl grants number you requested is larger than the maximum " + + std::to_string(max_num) + + " grants allowed in an acl."; + return; + } + // forward bucket acl requests to meta master zone if (s->object.empty() && !store->is_meta_master()) { bufferlist in_data;