From: Javier M. Mellid Date: Wed, 30 Sep 2015 09:32:41 +0000 (+0200) Subject: rgw: Check request-payer configuration X-Git-Tag: v10.0.1~125^2~2 X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=d09cdae3938882197f4eae20e277d8bdcbacbfc5;p=ceph.git rgw: Check request-payer configuration In order to access buckets configured as 'requester pays', client must include 'x-amz-request-payer' directive with the value 'requester'. Fixes: #13427 Signed-off-by: Javier M. Mellid --- diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc index 279dca2e4f79..614a3918e6a8 100644 --- a/src/rgw/rgw_common.cc +++ b/src/rgw/rgw_common.cc @@ -704,6 +704,24 @@ void RGWHTTPArgs::get_bool(const char *name, bool *val, bool def_val) } } +bool verify_requester_payer_permission(struct req_state *s) +{ + if (!s->bucket_info.requester_pays) + return true; + + if (s->bucket_info.owner == s->user.user_id) + return true; + + const char *request_payer = s->info.env->get("HTTP_X_AMZ_REQUEST_PAYER"); + if (!request_payer) + return false; + + if (strcasecmp(request_payer, "requester") == 0) + return true; + + return false; +} + bool verify_bucket_permission(struct req_state *s, int perm) { if (!s->bucket_acl) @@ -712,6 +730,9 @@ bool verify_bucket_permission(struct req_state *s, int perm) if ((perm & (int)s->perm_mask) != perm) return false; + if (!verify_requester_payer_permission(s)) + return false; + return s->bucket_acl->verify_permission(s->user.user_id, perm, perm); } @@ -722,6 +743,9 @@ static inline bool check_deferred_bucket_acl(struct req_state *s, uint8_t deferr bool verify_object_permission(struct req_state *s, RGWAccessControlPolicy *bucket_acl, RGWAccessControlPolicy *object_acl, int perm) { + if (!verify_requester_payer_permission(s)) + return false; + if (check_deferred_bucket_acl(s, RGW_DEFER_TO_BUCKET_ACLS_RECURSE, perm) || check_deferred_bucket_acl(s, RGW_DEFER_TO_BUCKET_ACLS_FULL_CONTROL, RGW_PERM_FULL_CONTROL)) { return true;