From: Casey Bodley
Date: Thu, 16 Apr 2026 16:49:43 +0000 (-0400)
Subject: rgw/sns: ListTopics uses account root arn for policy evaluation
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=b81bc9531732a8a4b9dec00fb72dbfeb6f00f98f;p=ceph.git

rgw/sns: ListTopics uses account root arn for policy evaluation

when called by a non-root account user, permissions from identity policy were not being applied correctly and always resulted in:
> evaluate_iam_policies: implicit deny from identity-based policy
passing a non-empty ARN argument to verify_user_permission() fixes this. while other SNS APIs use a specific topic's arn, ListTopics doesn't operate on individual topics so we use the account root user's arn
Fixes: https://tracker.ceph.com/issues/74595
Signed-off-by: Casey Bodley
---
diff --git a/src/rgw/rgw_rest_pubsub.cc b/src/rgw/rgw_rest_pubsub.cc
index fe4c949869f7..afefb18be21b 100644
--- a/src/rgw/rgw_rest_pubsub.cc
+++ b/src/rgw/rgw_rest_pubsub.cc
@@ -6,6 +6,7 @@
 #include
 #include
 #include "include/function2.hpp"
+#include "rgw_account.h"
 #include "rgw_iam_policy.h"
 #include "rgw_rest_pubsub.h"
 #include "rgw_pubsub.h"
@@ -467,9 +468,13 @@ private:
 public:
   int verify_permission(optional_yield) override {
-    // check account permissions up front
-    if (s->auth.identity->get_account() &&
-        !verify_user_permission(this, s, {}, rgw::IAM::snsListTopics)) {
+    // account permissions are checked up front. for non-account users,
+    // execute() instead checks permissions against each topic
+    if (!s->auth.identity->get_account()) {
+      return 0;
+    }
+    const auto arn = rgw::account::root_arn(s->auth.identity->get_account()->id);
+    if (!verify_user_permission(this, s, arn, rgw::IAM::snsListTopics)) {
       return -ERR_AUTHORIZATION;
     }