From: Pritha Srivastava
Date: Mon, 2 Apr 2018 06:58:29 +0000 (+0530)
Subject: rgw: Permission evaluation for User Policies.
X-Git-Tag: v14.0.1~335^2~5
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=acee911064bf211f1e13a534ac7a226f693cae5b;p=ceph.git
rgw: Permission evaluation for User Policies.
Signed-off-by: Pritha Srivastava
---
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index e0c22bc3488..2e17cac7bc0 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1069,12 +1069,23 @@ bool verify_user_permission(struct req_state * const s,
 const uint64_t op)
 {
 auto usr_policy_res = eval_user_policies(user_policies, s->env, boost::none, op, res);
- if (usr_policy_res == Effect::Deny)
+ if (usr_policy_res == Effect::Deny) {
 return false;
+ }
- auto perm = op_to_perm(op);
+ if (op == rgw::IAM::s3CreateBucket || op == rgw::IAM::s3ListAllMyBuckets) {
+ auto perm = op_to_perm(op);
- return verify_user_permission_no_policy(s, user_acl, perm);
+ return verify_user_permission_no_policy(s, user_acl, perm);
+ }
+
+ if (usr_policy_res == Effect::Pass) {
+ return false;
+ }
+ else if (usr_policy_res == Effect::Allow) {
+ return true;
+ }
+ return false;
 }
 bool verify_user_permission_no_policy(struct req_state * const s,
diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index 1735773bfc6..2eebd750b1b 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
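Review bot: The closing `if (usr_policy_res == Effect::Pass) { return false; } else if (usr_policy_res == Effect::Allow) { return true; } return false;` is three branches for one boolean and reads more clearly as `return usr_policy_res == Effect::Allow;`. The default-deny it encodes is the security-relevant decision of this hunk and is undocumented: a Pass (no user-policy statement matched) now rejects every op except s3CreateBucket and s3ListAllMyBuckets, which alone fall back to the user ACL path, so a user with no policies attached cannot perform any other op through this function. I would add above the s3 check: `// Only the two account-level s3 ops fall back to the user ACL; every other op is default-deny and needs an explicit Allow from a user policy.` The parameter list of verify_user_permission (user_acl, user_policies, res) starts above the hunk.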
@@ -1446,6 +1446,45 @@ const char* action_bit_string(uint64_t action) {
 case s3DeleteObjectVersionTagging:
 return "s3:DeleteObjectVersionTagging";
+
+ case iamPutUserPolicy:
+ return "iam:PutUserPolicy";
+
+ case iamGetUserPolicy:
+ return "iam:GetUserPolicy";
+
+ case iamListUserPolicies:
+ return "iam:ListUserPolicies";
+
+ case iamDeleteUserPolicy:
+ return "iam:DeleteUserPolicy";
+
+ case iamCreateRole:
+ return "iam:CreateRole";
+
+ case iamDeleteRole:
+ return "iam:DeleteRole";
+
+ case iamGetRole:
+ return "iam:GetRole";
+
+ case iamModifyRole:
+ return "iam:ModifyRole";
+
+ case iamListRoles:
+ return "iam:ListRoles";
+
+ case iamPutRolePolicy:
+ return "iam:PutRolePolicy";
+
+ case iamGetRolePolicy:
+ return "iam:GetRolePolicy";
+
+ case iamListRolePolicies:
+ return "iam:ListRolePolicies";
+
+ case iamDeleteRolePolicy:
+ return "iam:DeleteRolePolicy";
 }
 return "s3Invalid";
 }
diff --git a/src/rgw/rgw_rest_user_policy.cc b/src/rgw/rgw_rest_user_policy.cc
index aa1624afc7d..213db72358d 100644
--- a/src/rgw/rgw_rest_user_policy.cc
+++ b/src/rgw/rgw_rest_user_policy.cc
@@ -37,9 +37,23 @@ void RGWRestUserPolicy::send_response()
 int RGWRestUserPolicy::verify_permission()
 {
- int ret = check_caps(s->user->caps);
- ldout(s->cct, 0) << "INFO: verify_permissions ret" << ret << dendl;
- return ret;
+ if (s->auth.identity->is_anonymous()) {
+ return -EACCES;
+ }
+
+ if(int ret = check_caps(s->user->caps); ret == 0) {
+ return ret;
+ }
+
+ uint64_t op = get_op();
+ string user_name = s->info.args.get("UserName");
+ rgw_user user_id(user_name);
+ if (! verify_user_permission(s, rgw::IAM::ARN(rgw::IAM::ARN(user_id.id,
+ "user",
+ user_id.tenant)), op)) {
+ return -EACCES;
+ }
+ return 0;
 }
 bool RGWRestUserPolicy::validate_input()
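Review bot: The thirteen new `iam*` cases extend only the bit-to-name direction of action_bit_string; the name-to-bit table consulted when a policy document is parsed is not in this commit, and if it lacks the same entries a policy granting `iam:PutUserPolicy` cannot be authored even though the action now prints, so the two should be checked together. The fallthrough `return "s3Invalid";` now also covers unknown iam bits, which makes such a mismatch look like an s3 problem in the log; a comment such as `// no name for this bit (s3 or iam): keep in sync with the action-name table` at that return would help the next reader. The switch opens above the hunk.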
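Review bot: `if(int ret = check_caps(s->user->caps); ret == 0) { return ret; }` binds a name only to return the value it was just compared against; `if (check_caps(s->user->caps) == 0) { return 0; }` says the same. The fall-through when caps are missing is the part a reader needs explained — the caller is not rejected there but gets a second evaluation through its own IAM user policies against the target user's ARN — so a comment like `// admin caps grant outright; otherwise consult the caller's user policies for this op` belongs above it. `rgw::IAM::ARN(rgw::IAM::ARN(user_id.id, "user", user_id.tenant))` constructs the ARN and then copies it; the single `rgw::IAM::ARN(user_id.id, "user", user_id.tenant)` is enough. `UserName` is read straight from the request here, and whether an empty or absent value has already been rejected by validate_input() before verify_permission runs is not visible in this hunk; it is worth confirming, since an empty id only fails here by not matching any policy resource rather than by an explicit error.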
@@ -68,6 +82,11 @@ int RGWUserPolicyWrite::check_caps(RGWUserCaps& caps)
 return caps.check_cap("user-policy", RGW_CAP_WRITE);
 }
+uint64_t RGWPutUserPolicy::get_op()
+{
+ return rgw::IAM::iamPutUserPolicy;
+}
+
 int RGWPutUserPolicy::get_params()
 {
 policy_name = s->info.args.get("PolicyName");
@@ -95,8 +114,6 @@ void RGWPutUserPolicy::execute()
 }
 bufferlist bl = bufferlist::static_from_string(policy);
- ldout(s->cct, 0) << "policy: " << policy << dendl;
- ldout(s->cct, 0) << "bufferlist: " << bl.c_str() << dendl;
 RGWUserInfo info;
 rgw_user user_id(user_name);
@@ -134,7 +151,11 @@ void RGWPutUserPolicy::execute()
 ldout(s->cct, 20) << "failed to parse policy: " << e.what() << dendl;
 op_ret = -ERR_MALFORMED_DOC;
 }
- ldout(s->cct, 20) << "op_ret is : " << op_ret << dendl;
+}
+
+uint64_t RGWGetUserPolicy::get_op()
+{
+ return rgw::IAM::iamGetUserPolicy;
 }
 int RGWGetUserPolicy::get_params()
@@ -193,6 +214,11 @@ void RGWGetUserPolicy::execute()
 }
 }
+uint64_t RGWListUserPolicies::get_op()
+{
+ return rgw::IAM::iamListUserPolicies;
+}
+
 int RGWListUserPolicies::get_params()
 {
 user_name = s->info.args.get("UserName");
@@ -242,6 +268,11 @@ void RGWListUserPolicies::execute()
 }
 }
+uint64_t RGWDeleteUserPolicy::get_op()
+{
+ return rgw::IAM::iamDeleteUserPolicy;
+}
+
 int RGWDeleteUserPolicy::get_params()
 {
 policy_name = s->info.args.get("PolicyName");
diff --git a/src/rgw/rgw_rest_user_policy.h b/src/rgw/rgw_rest_user_policy.h
index 577ff487bae..d7f14a356a1 100644
--- a/src/rgw/rgw_rest_user_policy.h
+++ b/src/rgw/rgw_rest_user_policy.h
@@ -14,6 +14,7 @@ protected:
 public:
 int verify_permission() override;
+ virtual uint64_t get_op() = 0;
 void send_response() override;
 void dump(Formatter *f) const;
 };
@@ -36,6 +37,7 @@ public:
 void execute() override;
 int get_params();
 const char* name() const override { return "put_user-policy"; }
+ uint64_t get_op() override;
 RGWOpType get_type() override { return RGW_OP_PUT_USER_POLICY; }
 };
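Review bot: `virtual uint64_t get_op() = 0;` in the -14 hunk should be const, `virtual uint64_t get_op() const = 0;`, with the overrides in the -36 hunk and the three hunks that follow it, and the four definitions added to rgw_rest_user_policy.cc, changed to match, since every implementation returns a fixed `rgw::IAM::iam*` bit and touches no state. The declaration also carries no comment; I would add `// IAM action bit that verify_permission() evaluates the caller's user policies against.` above it. The enclosing class declaration begins above the hunk.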
@@ -45,6 +47,7 @@ public:
 void execute() override;
 int get_params();
 const char* name() const override { return "get_user_policy"; }
+ uint64_t get_op() override;
 RGWOpType get_type() override { return RGW_OP_GET_USER_POLICY; }
 };
@@ -54,6 +57,7 @@ public:
 void execute() override;
 int get_params();
 const char* name() const override { return "list_user_policies"; }
+ uint64_t get_op() override;
 RGWOpType get_type() override { return RGW_OP_LIST_USER_POLICIES; }
 };
@@ -63,6 +67,7 @@ public:
 void execute() override;
 int get_params();
 const char* name() const override { return "delete_user_policy"; }
+ uint64_t get_op() override;
 RGWOpType get_type() override { return RGW_OP_DELETE_USER_POLICY; }
 };