From: Casey Bodley
Date: Tue, 30 Jan 2024 23:14:28 +0000 (-0500)
Subject: rgw/auth: account users match account arns
X-Git-Tag: v19.1.0~99^2~85
X-Git-Url: http://git-server-git.apps.pok.os.sepia.ceph.com/?a=commitdiff_plain;h=f7816c0c0a159fc0028cc47b3678902a6b4a2806;p=ceph.git
rgw/auth: account users match account arns
Signed-off-by: Casey Bodley
(cherry picked from commit 8ce9c0769f0de31ac4a827684aef4f6f441a369f)
---
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 187ea2c71f0e..b7e71f6e02d7 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -71,6 +71,17 @@ static bool match_owner(const rgw_owner& owner, const rgw_user& uid,
 ), owner);
 }
 
+static bool match_account_or_tenant(const rgw_account_id& account_id,
+ std::string_view tenant,
+ std::string_view expected)
+{
+ if (!account_id.empty()) {
+ return account_id == expected;
+ } else {
+ return tenant == expected;
+ }
+}
+
 std::unique_ptr
 transform_old_authinfo(CephContext* const cct,
 const rgw_user& auth_id,
@@ -143,7 +154,8 @@ transform_old_authinfo(CephContext* const cct,
 if (p.is_wildcard()) {
 return true;
 } else if (p.is_account()) {
- return p.get_account() == id.tenant;
+ return match_account_or_tenant(account_id, id.tenant,
+ p.get_account());
 } else if (p.is_user()) {
 std::string_view no_subuser;
 // account users can match both account- and tenant-based arns
@@ -870,7 +882,9 @@ bool rgw::auth::LocalApplier::is_identity(const Principal& p) const {
 if (p.is_wildcard()) {
 return true;
 } else if (p.is_account()) {
- return p.get_account() == user_info.user_id.tenant;
+ return match_account_or_tenant(user_info.account_id,
+ user_info.user_id.tenant,
+ p.get_account());
 } else if (p.is_user()) {
 // account users can match both account- and tenant-based arns
 if (!user_info.account_id.empty() &&
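Review bot: `match_account_or_tenant` (first hunk) narrows which account principals an identity matches, and nothing on the helper says so: once `account_id` is non-empty the tenant is never compared, so a policy statement that names the tenant as an account principal stops applying to that user. For an Allow statement that fails closed, but for a Deny statement it would mean the user is no longer covered, which is worth confirming as intended for users that were moved into an account (this is inferred from the helper alone; policy evaluation is not part of this diff). The `is_user()` branches visible in the second and third hunks keep the comment `// account users can match both account- and tenant-based arns`, so the account branch is now the stricter of the two and should say so, for example `// account users match account principals by account id only; tenant is compared only when the identity has no account`. A unit test with an account user checked against both an account-id principal and a tenant-named principal would pin this behaviour down.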
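Review bot: The wildcard/account/user chain patched inside `transform_old_authinfo` (second hunk) is repeated in `rgw::auth::LocalApplier::is_identity` (third hunk), and this commit has to apply the same replacement to both copies. Authorization matching that lives in two places can drift when only one copy is updated, so consider growing the new helper into one shared function that takes the account id, the tenant and the `Principal`, leaving a single call in each caller. Both bodies continue outside their hunks, so the `is_user()` branches may differ in ways that are not visible here. In the second hunk `account_id` is declared outside the hunk; a short comment at its declaration stating that it is empty for identities without an account would make the helper's branch condition easier to audit.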