From: Casey Bodley
Date: Thu, 23 Apr 2026 15:53:16 +0000 (-0400)
Subject: rgw: read_obj_policy() consults s3:prefix when deciding between 403/404
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b2bfc15c0dc11f04ce7e82f487a9c111d3c40289;p=ceph.git

rgw: read_obj_policy() consults s3:prefix when deciding between 403/404

when read_obj_policy() gets ENOENT, it only returns 404 NoSuchKey if the
requester has s3:ListBucket permission. however, policy that allows
s3:ListBucket may be conditional on the s3:prefix to restrict listings
to certain paths/object names. add the requested object name to the iam
environment as s3:prefix to match aws behavior here

Fixes: https://tracker.ceph.com/issues/74398

Signed-off-by: Casey Bodley
(cherry picked from commit 363a81ca8d0bf2f1e84b2d48aa02be40d5398147)
---
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index 414972e46744..e3bb57533ca8 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -465,6 +465,8 @@ static int read_obj_policy(const DoutPrefixProvider *dpp, return -ENOENT; } + s->env.emplace("s3:prefix", object->get_name()); + if (verify_bucket_permission(dpp, s, bucket->get_key(), s->user_acl, bucket_policy, policy, s->iam_identity_policies, s->session_policies, rgw::IAM::s3ListBucket)) {
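Review bot: the added s->env.emplace("s3:prefix", object->get_name()) line in read_obj_policy() leaves the key in s->env after the s3ListBucket check, and nothing in this hunk removes it, so any policy evaluation that runs later on the same request would also see s3:prefix set to the object name. If that is not intended, evaluate the ListBucket check against a copy of the environment or erase the key once verify_bucket_permission() returns. Also, emplace does not replace an existing entry, so it is worth confirming that s->env cannot already hold an s3:prefix value on this path (for example from a query parameter), otherwise the 403/404 decision could be made against a value other than the object name. A one-line comment above the emplace saying that it exists for the NoSuchKey versus AccessDenied decision would help, since the reason is currently only in the commit message, and the patch carries no test for a ListBucket policy conditioned on s3:prefix.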