From: Alexey Odinokov Date: Thu, 13 Mar 2025 20:35:55 +0000 (-0500) Subject: rgw: fixing tempest ObjectTestACLs and ObjectACLsNegativeTest cases X-Git-Tag: v20.3.0~224^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=a413adcf8b281f50a72d3fa4dcb30302e599be8c;p=ceph.git rgw: fixing tempest ObjectTestACLs and ObjectACLsNegativeTest cases The issue was introduced in https://github.com/ceph/ceph/commit/d82ff164505cd7a7abe6937879052ad03f1da939 and backported to Squid by: https://github.com/ceph/ceph/commit/f0fb48d19409c012ae8422304b63ca013c1055db As a result rgw couldn't find the correct bucket in case the user from different tenant was given access to the container using ACL, because rgw started to look inside the user's tenant, but not the tenant from the request. This partial revert helps to fix the issue Signed-off-by: Alexey Odinokov --- diff --git a/src/rgw/rgw_rest_swift.cc b/src/rgw/rgw_rest_swift.cc index 88af0fc9c273..52f3b4fb2b81 100644 --- a/src/rgw/rgw_rest_swift.cc +++ b/src/rgw/rgw_rest_swift.cc @@ -2947,7 +2947,10 @@ int RGWHandler_REST_SWIFT::postauth_init(optional_yield y) && s->user->get_id().id == RGW_USER_ANON_ID) { s->bucket_tenant = s->account_name; } else { - s->bucket_tenant = s->auth.identity->get_tenant(); + /* tenant must be taken from request. Can't use auth.identity->get_tenant(), + because there are cases when users from different tenant may be granted + access via ACL to this bucket */ + s->bucket_tenant = s->user->get_tenant(); } s->bucket_name = t->url_bucket;