From 065ecd3f437542adffdb62fb8f2542be78b1e57d Mon Sep 17 00:00:00 2001
From: Abhishek Lekshmanan
Date: Wed, 29 Jan 2020 12:56:33 +0100
Subject: [PATCH] rgw: implement IgnorePublicACLs
This allows for ignoring bucket/object acls that are configured to be public
Signed-off-by: Abhishek Lekshmanan
---
 src/rgw/rgw_acl.cc | 10 ++++++----
 src/rgw/rgw_acl.h | 6 ++++--
 src/rgw/rgw_common.cc | 10 ++++++++--
 3 files changed, 18 insertions(+), 8 deletions(-)
diff --git a/src/rgw/rgw_acl.cc b/src/rgw/rgw_acl.cc
index ac6313f8150..ff27a7ae676 100644
--- a/src/rgw/rgw_acl.cc
+++ b/src/rgw/rgw_acl.cc
@@ -116,7 +116,8 @@ uint32_t RGWAccessControlList::get_referer_perm(const uint32_t current_perm,
 uint32_t RGWAccessControlPolicy::get_perm(const DoutPrefixProvider* dpp,
 const rgw::auth::Identity& auth_identity,
 const uint32_t perm_mask,
- const char * const http_referer)
+ const char * const http_referer,
+ bool ignore_public_acls)
 {
 ldpp_dout(dpp, 20) << "-- Getting permissions begin with perm_mask=" << perm_mask << dendl;
@@ -132,7 +133,7 @@ uint32_t RGWAccessControlPolicy::get_perm(const DoutPrefixProvider* dpp,
 }
 /* should we continue looking up? */
- if ((perm & perm_mask) != perm_mask) {
+ if (!ignore_public_acls && ((perm & perm_mask) != perm_mask)) {
 perm |= acl.get_group_perm(ACL_GROUP_ALL_USERS, perm_mask);
 if (false == auth_identity.is_owner_of(rgw_user(RGW_USER_ANON_ID))) {
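Review bot: The new guard `!ignore_public_acls && ((perm & perm_mask) != perm_mask)` short-circuits the whole "should we continue looking up?" block, not only the `ACL_GROUP_ALL_USERS` grant; the inner branch that starts at `is_owner_of(rgw_user(RGW_USER_ANON_ID))` continues outside the hunk, so whatever it adds there (possibly referer-based grants, which this hunk does not show) is suppressed as well, and the intended scope of the flag should be stated in a comment on the `if`, e.g. `/* with ignore_public_acls the group/anonymous lookups below are skipped entirely, so public grants can never widen perm */`. The debug line `ldpp_dout(dpp, 20) << "-- Getting permissions begin with perm_mask=" << perm_mask` does not record the new flag, so a denied request that would have been allowed by a public grant cannot be explained from the log; append `<< " ignore_public_acls=" << ignore_public_acls` to it. get_perm's body continues past both hunks.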
@@ -157,11 +158,12 @@ bool RGWAccessControlPolicy::verify_permission(const DoutPrefixProvider* dpp,
 const rgw::auth::Identity& auth_identity,
 const uint32_t user_perm_mask,
 const uint32_t perm,
- const char * const http_referer)
+ const char * const http_referer,
+ bool ignore_public_acls)
 {
 uint32_t test_perm = perm | RGW_PERM_READ_OBJS | RGW_PERM_WRITE_OBJS;
- uint32_t policy_perm = get_perm(dpp, auth_identity, test_perm, http_referer);
+ uint32_t policy_perm = get_perm(dpp, auth_identity, test_perm, http_referer, ignore_public_acls);
 /* the swift WRITE_OBJS perm is equivalent to the WRITE obj, just convert those bits. Note that these bits will only be set on
diff --git a/src/rgw/rgw_acl.h b/src/rgw/rgw_acl.h
index 0ba06ef8b6c..278e8b4cbe9 100644
--- a/src/rgw/rgw_acl.h
+++ b/src/rgw/rgw_acl.h
@@ -418,12 +418,14 @@ public:
 uint32_t get_perm(const DoutPrefixProvider* dpp,
 const rgw::auth::Identity& auth_identity,
 uint32_t perm_mask,
- const char * http_referer);
+ const char * http_referer,
+ bool ignore_public_acls=false);
 bool verify_permission(const DoutPrefixProvider* dpp,
 const rgw::auth::Identity& auth_identity,
 uint32_t user_perm_mask,
 uint32_t perm,
- const char * http_referer = nullptr);
+ const char * http_referer = nullptr,
+ bool ignore_public_acls=false);
 void encode(bufferlist& bl) const {
 ENCODE_START(2, 2, bl);
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index e44854bfa64..b38f3448ca0 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1332,7 +1332,10 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_b
 return false;
 }
- bool ret = object_acl->verify_permission(dpp, *s->identity, s->perm_mask, perm);
+ bool ret = object_acl->verify_permission(dpp, *s->auth.identity, s->perm_mask, perm,
+ nullptr, /* http_referrer */
+ s->bucket_access_conf &&
+ s->bucket_access_conf->ignore_public_acls());
 if (ret) {
 return true;
 }
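Review bot: The new defaulted parameter `bool ignore_public_acls=false` on both declarations in rgw_acl.h carries no documentation of what "public" covers, and a caller cannot tell from the header which grants are dropped; add a trailing comment such as `bool ignore_public_acls = false); // skip the group grants (e.g. ACL_GROUP_ALL_USERS) consulted by get_perm()`. The spacing is also inconsistent with the adjacent `http_referer = nullptr`; write `ignore_public_acls = false` on both lines. Because the default is `false`, every existing caller keeps honoring public grants silently, which is fine for compatibility but worth a one-line note in the commit description.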
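Review bot: The replacement call in verify_object_permission changes the identity expression from `*s->identity` to `*s->auth.identity`, which the commit message does not mention; the hunk header shows the parameter type as `struct perm_state_b…` and the removed line read `s->identity` on it, so unless that struct exposes an `auth` member the new line will not compile — confirm against the struct, and keep `*s->identity` if it does not. The same change appears in the verify_object_permission_no_policy hunk. The two placeholder comments `/* http_referrer */` and `/* http referrer */` differ from each other and from the parameter name `http_referer`; use `/* http_referer */` in both. Only these two object-ACL call sites pass the flag, so any bucket-ACL verify_permission callers (not visible here) still get the `false` default and would continue to honor public bucket grants.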
@@ -1396,7 +1399,10 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
 return false;
 }
- bool ret = object_acl->verify_permission(dpp, *s->identity, s->perm_mask, perm);
+ bool ret = object_acl->verify_permission(dpp, *s->auth.identity, s->perm_mask, perm,
+ nullptr, /* http referrer */
+ s->bucket_access_conf &&
+ s->bucket_access_conf->ignore_public_acls());
 if (ret) {
 return true;
 }
-- 
2.39.5