From: ivan
Date: Fri, 13 Oct 2023 10:45:43 +0000 (+0300)
Subject: rgw: add subuser to user policy condition check
X-Git-Tag: v19.0.0~155^2
X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=a8c8bb5d572125f867d182985a36368c428839c6;p=ceph-ci.git

rgw: add subuser to user policy condition check

Signed-off-by: ivan
---

diff --git a/src/rgw/rgw_iam_policy_keywords.gperf b/src/rgw/rgw_iam_policy_keywords.gperf
index af73dd13074..6b09a6aff81 100644
--- a/src/rgw/rgw_iam_policy_keywords.gperf
+++ b/src/rgw/rgw_iam_policy_keywords.gperf
@@ -115,6 +115,8 @@ Null, TokenKind::cond_op, TokenID::Null, (uint64_t) Type::null, true, true
 #s3:authType, TokenKind::cond_key, TokenID::s3authType, (uint64_t) Type::string, true, false
 #s3:signatureAge, TokenKind::cond_key, TokenID::s3signatureAge, (uint64_t) Type::number, true, false
 #s3:x-amz-content-sha256, TokenKind::cond_key, TokenID::s3x_amz_content_sha256, (uint64_t) Type::string, true, false
+# RGW
+#rgw:subuser, TokenKind::cond_key, TokenID::rgwsubuser, (uint64_t) Type::string, true, false
 # STS
 #sts:authentication, TokenKind::cond_key, TokenID::stsauthentication, (uint64_t) Type::boolean, true, false
 #
diff --git a/src/rgw/rgw_iam_policy_keywords.h b/src/rgw/rgw_iam_policy_keywords.h
index 8130ace456c..c1cfa9052d6 100644
--- a/src/rgw/rgw_iam_policy_keywords.h
+++ b/src/rgw/rgw_iam_policy_keywords.h
@@ -89,6 +89,7 @@ enum class TokenID {
 s3authType,
 s3signatureAge,
 s3x_amz_content_sha256,
+ rgwsubuser,
 #else
 CondKey,
 #endif
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 8c15e5bd2e3..0f02ac9364b 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -922,6 +922,10 @@ void rgw_build_iam_environment(rgw::sal::Driver* driver,
 s->env.emplace("aws:username", s->user->get_id().id);
 }
 
+ if (s->auth.identity) {
+ s->env.emplace("rgw:subuser", s->auth.identity->get_subuser().c_str());
+ }
+
 i = m.find("HTTP_X_AMZ_SECURITY_TOKEN");
 if (i != m.end()) {
 s->env.emplace("sts:authentication", "true");
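Review bot: In the rgw_op.cc hunk, `rgw:subuser` is emplaced for every request that has an identity, so the key is present with an empty value rather than absent when the caller is not a subuser (assuming `get_subuser()` returns an empty string in that case, which the hunk does not show). Conditions that depend on key presence, such as `Null` or the `...IfExists` operator variants, would then treat "no subuser" as a set key, which is easy for a policy author to get wrong. Consider setting the key only when a subuser exists, e.g. `if (const auto subuser = s->auth.identity->get_subuser(); !subuser.empty()) { s->env.emplace("rgw:subuser", subuser); }`, which also removes the `.c_str()` round-trip that would cut the value at an embedded NUL. The value is the bare subuser name, so a comment or the key's documentation should state that it does not identify the parent user on its own. `rgw_build_iam_environment` starts and ends outside the hunk.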