From: Yehuda Sadeh Date: Tue, 5 Nov 2013 22:54:20 +0000 (-0800) Subject: rgw: deny writes to a secondary zone by non-system users X-Git-Tag: v0.67.8~10 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b29238729f87c73dfdcf16dddcf293577678dea2;p=ceph.git rgw: deny writes to a secondary zone by non-system users Fixes: #6678 We don't want to allow regular users to write to secondary zones, otherwise we'd end up with data inconsistencies. Signed-off-by: Yehuda Sadeh (cherry picked from commit 6961b5254f16ac3362c3a51f5490328d23640dbf) Conflicts: src/rgw/rgw_rados.h --- diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index c9601f90dbb..c1bfc2c5fb8 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -418,6 +418,13 @@ int RGWOp::verify_op_mask() return -EPERM; } + if (!s->system_request && + (required_mask & (RGW_OP_TYPE_WRITE | RGW_OP_TYPE_DELETE)) && + !store->zone.is_master) { + ldout(s->cct, 5) << "NOTICE: modify request to a non-master zone by a non-system user, permission denied" << dendl; + return -EPERM; + } + return 0; } diff --git a/src/rgw/rgw_rados.cc b/src/rgw/rgw_rados.cc index dcc3a435345..0be95c36a69 100644 --- a/src/rgw/rgw_rados.cc +++ b/src/rgw/rgw_rados.cc @@ -337,6 +337,10 @@ int RGWZoneParams::init(CephContext *cct, RGWRados *store, RGWRegion& region) return -EIO; } + is_master = (name == region.master_zone) || (region.master_zone.empty() && name == "default"); + + ldout(cct, 2) << "zone " << name << " is " << (is_master ? "" : "NOT ") << "master" << dendl; + return 0; } diff --git a/src/rgw/rgw_rados.h b/src/rgw/rgw_rados.h index 9aa6060e2a6..1a590718030 100644 --- a/src/rgw/rgw_rados.h +++ b/src/rgw/rgw_rados.h 
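Review bot: The new zone gate in verify_op_mask() keys only on `required_mask`, so it covers exactly those ops whose declared mask carries RGW_OP_TYPE_WRITE or RGW_OP_TYPE_DELETE. An op that changes state but declares a read-only mask would presumably pass on a secondary zone; the op mask declarations are outside this hunk, so they need to be checked. A comment above the `if` would make that dependency explicit, e.g. `// Relies on every mutating op declaring WRITE or DELETE in its op mask; only system requests may modify a non-master zone.` Both denials in this function return -EPERM, so the level-5 log line is the only way to tell a zone denial from an op-mask denial. The function begins outside the hunk.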
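Review bot: `is_master` is computed once in RGWZoneParams::init() and then feeds an authorization decision, and the fallback `region.master_zone.empty() && name == "default"` grants master status from a hard-coded zone name. If the region's master_zone changes after startup, the flag would presumably stay stale until init() runs again; the callers of init() are outside the hunk, so this should be confirmed. The earlier `return -EIO` path leaves the constructor default of false, which fails closed, and a comment should say so, e.g. `// is_master stays false on any error above, so non-system writes are denied`. With an empty master_zone and a zone not named "default", every non-system write is refused, so the level-2 log line is the main diagnostic for that misconfiguration.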
@@ -428,11 +428,14 @@ struct RGWZoneParams { rgw_bucket user_uid_pool; string name; + bool is_master; RGWAccessKey system_key; map placement_pools; + RGWZoneParams() : is_master(false) {} + static string get_pool_name(CephContext *cct); void init_name(CephContext *cct, RGWRegion& region); int init(CephContext *cct, RGWRados *store, RGWRegion& region);
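Review bot: `is_master` is a derived runtime flag declared among fields that look like stored zone configuration, and nothing at the declaration says so. The encode/decode methods of RGWZoneParams are outside this hunk, so it cannot be seen here whether the field is serialized. If it is intentionally left out, a comment would stop a later change from persisting it or trusting a stored value: `bool is_master; // derived in init() from region.master_zone; false until init() succeeds, so writes are denied by default`. The struct starts and continues outside the hunk.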