From: Casey Bodley Date: Thu, 16 Apr 2026 17:58:13 +0000 (-0400) Subject: rgw/iam: add helper rgw::account::root_arn() X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=ccdbebd925b77eb7c5d0ba9a3a175642babcf291;p=ceph.git rgw/iam: add helper rgw::account::root_arn() we need account root arns for various permission checks, and don't have a consistent way to construct them Signed-off-by: Casey Bodley --- diff --git a/src/rgw/rgw_account.cc b/src/rgw/rgw_account.cc index 3c11c59c619c..88e6eca6d98b 100644 --- a/src/rgw/rgw_account.cc +++ b/src/rgw/rgw_account.cc @@ -21,6 +21,7 @@ #include "common/random_string.h" #include "common/utf8.h" +#include "rgw_arn.h" #include "rgw_oidc_provider.h" #include "rgw_quota.h" #include "rgw_role.h" @@ -101,6 +102,12 @@ bool validate_name(std::string_view name, std::string* err_msg) return true; } +ARN root_arn(std::string id) +{ + const std::string region; // empty + return {Partition::aws, Service::iam, region, std::move(id), "root"}; +} + int create(const DoutPrefixProvider* dpp, rgw::sal::Driver* driver, diff --git a/src/rgw/rgw_account.h b/src/rgw/rgw_account.h index ee686207a070..19c0707c0a2e 100644 --- a/src/rgw/rgw_account.h +++ b/src/rgw/rgw_account.h @@ -27,6 +27,8 @@ class DoutPrefixProvider; class RGWFormatterFlusher; class optional_yield; +namespace rgw { class ARN; } + namespace rgw::account { /// generate a randomized account id in a specific format @@ -38,6 +40,9 @@ bool validate_id(std::string_view id, std::string* err_msg = nullptr); /// check an account name for any invalid characters bool validate_name(std::string_view name, std::string* err_msg = nullptr); +/// construct the account root arn +ARN root_arn(std::string account_id); + struct AdminOpState { std::string account_id; diff --git a/src/rgw/rgw_rest_iam_account.cc b/src/rgw/rgw_rest_iam_account.cc index 47225042e4eb..a2ff9c30b644 100644 --- a/src/rgw/rgw_rest_iam_account.cc +++ b/src/rgw/rgw_rest_iam_account.cc 
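Review bot: `root_arn()` in src/rgw/rgw_account.cc builds the ARN from whatever string it receives, so an empty or malformed id yields a root ARN with an empty or arbitrary account field, and the commit message says these ARNs feed permission checks. Nothing visible in the hunk requires callers to validate the id first, although `validate_id()` is declared in the same header. I would state the precondition in the doc comment in rgw_account.h, e.g. `/// construct the account root arn. account_id must be a non-empty, already-validated account id; no validation is done here`. The definition also names the parameter `id` while the declaration uses `account_id`; using `account_id` in both keeps the two greppable together.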
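Review bot: The forward declaration `namespace rgw { class ARN; }` in src/rgw/rgw_account.h leaves `ARN` incomplete for any file that includes only this header, yet `root_arn()` returns it by value, so every caller also needs rgw_arn.h. The rgw_rest_iam_account.cc hunk adds only `#include "rgw_account.h"` and presumably gets the complete type transitively. A short comment next to the forward declaration, such as `// callers of root_arn() need rgw_arn.h for the complete type`, would make that dependency explicit. If rgw_arn.h declares `ARN` with the `struct` keyword (not visible here), the forward declaration should use the same keyword to avoid clang's -Wmismatched-tags warning.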
@@ -1,6 +1,7 @@
 // -*- mode:C++; tab-width:8; c-basic-offset:2; indent-tabs-mode:nil -*-
 // vim: ts=8 sw=2 sts=2 expandtab ft=cpp
+#include "rgw_account.h"
 #include "rgw_process_env.h"
 #include "rgw_rest_iam_account.h"
@@ -12,7 +13,7 @@ int RGWGetAccountSummary::verify_permission(optional_yield y)
 } else {
 return -ERR_METHOD_NOT_ALLOWED;
 }
- const rgw::ARN arn{"", "root", account_id, true};
+ const auto arn = rgw::account::root_arn(account_id);
 if (verify_user_permission(this, s, arn, rgw::IAM::iamGetAccountSummary)) {
 return 0;
 }
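Review bot: In `RGWGetAccountSummary::verify_permission`, the ARN passed to `verify_user_permission` is now built through a different constructor than the removed `rgw::ARN arn{"", "root", account_id, true}`, and the commit adds no test showing that both produce the same partition, service, account and resource. Because this value decides the authorization result for `iamGetAccountSummary`, a difference in any field would change who is allowed without any compile-time signal. A small unit test asserting that `rgw::account::root_arn(id)` compares equal, field by field, to the ARN from the old four-argument form would pin this before more call sites are converted. The function body starts before the hunk, so where `account_id` is assigned is not visible here.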