From: Casey Bodley Date: Thu, 16 Nov 2023 20:13:25 +0000 (-0500) Subject: rgw/acl/s3: create_canned_acl() as free function X-Git-Tag: v19.0.0~9^2~6 X-Git-Url: http://git.apps.os.sepia.ceph.com/?a=commitdiff_plain;h=bce77ab23b57fce2ffd9608fdfb7e8e4a0f33f9f;p=ceph-ci.git rgw/acl/s3: create_canned_acl() as free function adds canned acls to base class RGWAccessControlPolicy Signed-off-by: Casey Bodley --- diff --git a/src/rgw/rgw_acl_s3.cc b/src/rgw/rgw_acl_s3.cc index 52eeb44f243..f593b5cee52 100644 --- a/src/rgw/rgw_acl_s3.cc +++ b/src/rgw/rgw_acl_s3.cc @@ -359,46 +359,48 @@ static int parse_acl_header(const DoutPrefixProvider *dpp, rgw::sal::Driver* dri return 0; } -int RGWAccessControlList_S3::create_canned(ACLOwner& owner, ACLOwner& bucket_owner, const string& canned_acl) +static int create_canned(const ACLOwner& owner, const ACLOwner& bucket_owner, + const string& canned_acl, RGWAccessControlList& acl) { - acl_user_map.clear(); - grant_map.clear(); - - ACLGrant owner_grant; - const rgw_user& bid = bucket_owner.id; const std::string& bname = bucket_owner.display_name; /* owner gets full control */ - owner_grant.set_canon(owner.id, owner.display_name, RGW_PERM_FULL_CONTROL); - add_grant(owner_grant); + { + ACLGrant grant; + grant.set_canon(owner.id, owner.display_name, RGW_PERM_FULL_CONTROL); + acl.add_grant(grant); + } if (canned_acl.size() == 0 || canned_acl.compare("private") == 0) { return 0; } - ACLGrant bucket_owner_grant; - ACLGrant group_grant; - if (canned_acl.compare("public-read") == 0) { - group_grant.set_group(ACL_GROUP_ALL_USERS, RGW_PERM_READ); - add_grant(group_grant); - } else if (canned_acl.compare("public-read-write") == 0) { - group_grant.set_group(ACL_GROUP_ALL_USERS, RGW_PERM_READ); - add_grant(group_grant); - group_grant.set_group(ACL_GROUP_ALL_USERS, RGW_PERM_WRITE); - add_grant(group_grant); - } else if (canned_acl.compare("authenticated-read") == 0) { - group_grant.set_group(ACL_GROUP_AUTHENTICATED_USERS, RGW_PERM_READ); - add_grant(group_grant); - } else if (canned_acl.compare("bucket-owner-read") == 0) { - bucket_owner_grant.set_canon(bid, bname, RGW_PERM_READ); + if (canned_acl == "public-read") { + ACLGrant grant; + grant.set_group(ACL_GROUP_ALL_USERS, RGW_PERM_READ); + acl.add_grant(grant); + } else if (canned_acl == "public-read-write") { + ACLGrant grant; + grant.set_group(ACL_GROUP_ALL_USERS, RGW_PERM_READ); + acl.add_grant(grant); + grant.set_group(ACL_GROUP_ALL_USERS, RGW_PERM_WRITE); + acl.add_grant(grant); + } else if (canned_acl == "authenticated-read") { + ACLGrant grant; + grant.set_group(ACL_GROUP_AUTHENTICATED_USERS, RGW_PERM_READ); + acl.add_grant(grant); + } else if (canned_acl == "bucket-owner-read") { if (bid != owner.id) { - add_grant(bucket_owner_grant); + ACLGrant grant; + grant.set_canon(bid, bname, RGW_PERM_READ); + acl.add_grant(grant); } - } else if (canned_acl.compare("bucket-owner-full-control") == 0) { - bucket_owner_grant.set_canon(bid, bname, RGW_PERM_FULL_CONTROL); + } else if (canned_acl == "bucket-owner-full-control") { if (bid != owner.id) { - add_grant(bucket_owner_grant); + ACLGrant grant; + grant.set_canon(bid, bname, RGW_PERM_FULL_CONTROL); + acl.add_grant(grant); } } else { return -EINVAL; @@ -626,3 +628,20 @@ ACLGroupTypeEnum ACLGrant_S3::uri_to_group(string& uri) return ACL_GROUP_NONE; } + +namespace rgw::s3 { + +int create_canned_acl(const ACLOwner& owner, + const ACLOwner& bucket_owner, + const std::string& canned_acl, + RGWAccessControlPolicy& policy) +{ + if (owner.id == rgw_user("anonymous")) { + policy.set_owner(bucket_owner); + } else { + policy.set_owner(owner); + } + return create_canned(owner, bucket_owner, canned_acl, policy.get_acl()); +} + +} // namespace rgw::s3 diff --git a/src/rgw/rgw_acl_s3.h b/src/rgw/rgw_acl_s3.h index e024f5c42ff..740cbf35f82 100644 --- a/src/rgw/rgw_acl_s3.h +++ b/src/rgw/rgw_acl_s3.h @@ -55,7 +55,6 @@ public: bool xml_end(const char *el) override; void to_xml(const DoutPrefixProvider* dpp, std::ostream& out); - int create_canned(ACLOwner& owner, ACLOwner& bucket_owner, const std::string& canned_acl); int create_from_grants(std::list& grants); }; @@ -80,16 +79,6 @@ public: int rebuild(const DoutPrefixProvider *dpp, rgw::sal::Driver* driver, ACLOwner *owner, RGWAccessControlPolicy& dest, std::string &err_msg); - virtual int create_canned(ACLOwner& _owner, ACLOwner& bucket_owner, const std::string& canned_acl) { - RGWAccessControlList_S3& _acl = static_cast(acl); - if (_owner.id == rgw_user("anonymous")) { - owner = bucket_owner; - } else { - owner = _owner; - } - int ret = _acl.create_canned(owner, bucket_owner, canned_acl); - return ret; - } int create_from_headers(const DoutPrefixProvider *dpp, rgw::sal::Driver* driver, const RGWEnv *env, ACLOwner& _owner); }; @@ -106,3 +95,13 @@ class RGWACLXMLParser_S3 : public RGWXMLParser public: explicit RGWACLXMLParser_S3(CephContext *_cct) : cct(_cct) {} }; + +namespace rgw::s3 { + +/// Construct a policy from a s3 canned acl string. +int create_canned_acl(const ACLOwner& owner, + const ACLOwner& bucket_owner, + const std::string& canned_acl, + RGWAccessControlPolicy& policy); + +} // namespace rgw::s3 diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc index e4c90bc81e1..0e557a13415 100644 --- a/src/rgw/rgw_rest_s3.cc +++ b/src/rgw/rgw_rest_s3.cc @@ -2393,7 +2393,8 @@ static int create_s3_policy(req_state *s, rgw::sal::Driver* driver, return s3policy.create_from_headers(s, driver, s->info.env, owner); } - return s3policy.create_canned(owner, s->bucket_owner, s->canned_acl); + return rgw::s3::create_canned_acl(owner, s->bucket_owner, + s->canned_acl, s3policy); } class RGWLocationConstraint : public XMLObj @@ -3215,15 +3216,14 @@ int RGWPostObj_ObjStore_S3::get_policy(optional_yield y) string canned_acl; part_str(parts, "acl", &canned_acl); - RGWAccessControlPolicy_S3 s3policy; ldpp_dout(this, 20) << "canned_acl=" << canned_acl << dendl; - if (s3policy.create_canned(s->owner, s->bucket_owner, canned_acl) < 0) { + int r = rgw::s3::create_canned_acl(s->owner, s->bucket_owner, + canned_acl, policy); + if (r < 0) { err_msg = "Bad canned ACLs"; - return -EINVAL; + return r; } - policy = s3policy; - return 0; }