From: Alexey Odinokov Date: Thu, 13 Mar 2025 20:35:55 +0000 (-0500) Subject: rgw: fixing tempest ObjectTestACLs and ObjectACLsNegativeTest cases X-Git-Tag: v19.2.3~197^2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b5e1196f1369b4bd17952cf5db943848a35b6471;p=ceph.git rgw: fixing tempest ObjectTestACLs and ObjectACLsNegativeTest cases The issue was introduced in https://github.com/ceph/ceph/commit/d82ff164505cd7a7abe6937879052ad03f1da939 and backported to Squid by: https://github.com/ceph/ceph/commit/f0fb48d19409c012ae8422304b63ca013c1055db As a result rgw couldn't find the correct bucket in case the user from different tenant was given access to the container using ACL, because rgw started to look inside the user's tenant, but not the tenant from the request. This partial revert helps to fix the issue Signed-off-by: Alexey Odinokov (cherry picked from commit a413adcf8b281f50a72d3fa4dcb30302e599be8c) --- diff --git a/src/rgw/rgw_rest_swift.cc b/src/rgw/rgw_rest_swift.cc index bde5925dfd1..ff20e67c5e5 100644 --- a/src/rgw/rgw_rest_swift.cc +++ b/src/rgw/rgw_rest_swift.cc @@ -2950,7 +2950,10 @@ int RGWHandler_REST_SWIFT::postauth_init(optional_yield y) && s->user->get_id().id == RGW_USER_ANON_ID) { s->bucket_tenant = s->account_name; } else { - s->bucket_tenant = s->auth.identity->get_tenant(); + /* tenant must be taken from request. Can't use auth.identity->get_tenant(), + because there are cases when users from different tenant may be granted + access via ACL to this bucket */ + s->bucket_tenant = s->user->get_tenant(); } s->bucket_name = t->url_bucket;