From: Seena Fallah Date: Fri, 20 Sep 2024 23:09:18 +0000 (+0200) Subject: rgw: use effective owner in PutBucketReplication X-Git-Tag: v20.0.0~255^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=ad51353f59b79d456dc2aade27599055664ff71d;p=ceph.git rgw: use effective owner in PutBucketReplication As PutBucketReplication requests are forwarded to the master, it needs to use the effective owner to set the correct (client) as the uid for sync pipe rather than the system user. sync policies require a valid UID for authorization when operating in rgw_sync_pipe_params::Mode::MODE_USER mode. Currently, when forwarding requests to the master, rgwx-uid holds the ACLOwner string rather than a UID, which can't be used for sync policy checks. Until this is properly implemented, we are rejecting PutBucketReplication calls for account holders. Fixes: https://tracker.ceph.com/issues/68172 Signed-off-by: Seena Fallah
---
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 30ebe8e8965..5e1275950fe 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -1303,12 +1303,19 @@ struct ReplicationConfiguration {
 return -EINVAL;
 }
+ if (!std::holds_alternative(s->owner.id)) {
+ // Currently, replication configuration is only supported for rgw_user
+ ldpp_dout(s, 1) << "NOTICE: replication configuration is only supported for rgw_user" << dendl;
+ return -ERR_NOT_IMPLEMENTED;
+ }
+
 pipe->id = id;
 pipe->params.priority = priority;
- const auto& user_id = s->user->get_id();
+ // Here we are sure that s->owner.id is of type rgw_user
+ const auto& tenant_owner = std::get_if(&s->owner.id)->tenant;
- rgw_bucket_key dest_bk(user_id.tenant,
+ rgw_bucket_key dest_bk(tenant_owner,
 destination.bucket);
 if (source && !source->zone_names.empty()) {
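Review bot: The added `std::get_if(&s->owner.id)->tenant` dereferences the result of get_if with no null check, so its safety depends entirely on the holds_alternative guard above it staying in place and staying ahead of this line. Since the alternative is already known here, `const auto& tenant_owner = std::get<rgw_user>(s->owner.id).tenant;` states the invariant directly and gives a defined failure (std::bad_variant_access) rather than a null dereference on a request-handling path if the guard is later moved or relaxed. The template arguments on holds_alternative and get_if are not visible in this rendering of the patch, presumably lost in extraction. The enclosing function starts and ends outside the hunk.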
@@ -1331,7 +1338,7 @@ struct ReplicationConfiguration {
 }
 if (destination.acl_translation) {
 rgw_user u;
- u.tenant = user_id.tenant;
+ u.tenant = tenant_owner;
 u.from_str(destination.acl_translation->owner); /* explicit tenant will override tenant, otherwise will inherit it from s->user */
 pipe->params.dest.acl_translation.emplace();
@@ -1342,7 +1349,7 @@ struct ReplicationConfiguration {
 *enabled = (status == "Enabled");
 pipe->params.mode = rgw_sync_pipe_params::Mode::MODE_USER;
- pipe->params.user = user_id.to_str();
+ pipe->params.user = to_string(s->owner.id);
 return 0;
 }
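Review bot: The trailing comment on the `u.from_str(destination.acl_translation->owner);` context line still says the tenant is inherited from s->user, but after this change `u.tenant` is seeded from `tenant_owner`, which is taken from s->owner.id. Update it to `/* explicit tenant will override tenant, otherwise will inherit it from s->owner */` so a reader does not assume the requesting (possibly system) user's tenant decides the ACL translation owner. The enclosing function starts and ends outside the hunk.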
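Review bot: `pipe->params.user = to_string(s->owner.id);` stores the identity that, per the commit message, sync policy uses for authorization in MODE_USER, yet nothing at this line says why the effective owner is used or that only the rgw_user alternative can reach it. A short comment such as `// MODE_USER authorizes sync as this uid: use the effective owner so a forwarded request records the client, not the system user` would tie the assignment to the earlier rgw_user guard. No test for the forwarded-request case or for the rejected non-rgw_user case is visible in this patch; it is worth confirming one exists elsewhere.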