From 11f92eab4cb8304340ae20a6d0bd8bdf2769cf05 Mon Sep 17 00:00:00 2001
From: Abhishek Lekshmanan
Date: Tue, 17 Sep 2019 14:07:00 +0200
Subject: [PATCH] rgw: block public access for Policies

Signed-off-by: Abhishek Lekshmanan
---
 src/rgw/rgw_op.cc | 21 +++++++++++++++++++--
 src/rgw/rgw_public_access.h | 4 ++--
 2 files changed, 21 insertions(+), 4 deletions(-)

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index be4b6ef282251..42682a6c637bc 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -5509,16 +5509,33 @@ void RGWPutACLs::execute()
 *_dout << dendl;
 }
- new_policy.encode(bl);
 map attrs;
+ attrs = s->bucket_attrs;
+ if (auto aiter = attrs.find(RGW_ATTR_PUBLIC_ACCESS);
+ aiter != attrs.end())
+ {
+ bufferlist::const_iterator iter{&aiter->second};
+ try {
+ rgw::IAM::PublicAccessConfiguration access_conf;
+ access_conf.decode(iter);
+ if (access_conf.block_public_acls() && new_policy.IsPublic()) {
+ op_ret = -EACCES;
+ return;
+ }
+ } catch (const buffer::error& e) {
+ ldpp_dout(this, 0) << __func__ << "decode access conf failed" << dendl;
+ op_ret = -EIO;
+ return;
+ }
+ }
+ new_policy.encode(bl);
 if (!s->object.empty()) {
 obj = rgw_obj(s->bucket, s->object);
 store->getRados()->set_atomic(s->obj_ctx, obj);
 //if instance is empty, we should modify the latest object
 op_ret = modify_obj_attr(store, s, obj, RGW_ATTR_ACL, bl);
 } else {
- attrs = s->bucket_attrs;
 attrs[RGW_ATTR_ACL] = bl;
 op_ret = store->ctl()->bucket->set_bucket_instance_attrs(s->bucket_info, attrs,
 &s->bucket_info.objv_tracker,
diff --git a/src/rgw/rgw_public_access.h b/src/rgw/rgw_public_access.h
index b509b9be4c5dc..b0253a5b1b0d1 100644
--- a/src/rgw/rgw_public_access.h
+++ b/src/rgw/rgw_public_access.h
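Review bot: The BlockPublicAcls check is enforced only inside RGWPutACLs::execute (whose body starts and ends outside this hunk), so any other path in this file that persists an ACL — bucket creation or object upload carrying a canned ACL, if those write RGW_ATTR_ACL themselves — presumably still bypasses it, and each such writer should consult RGW_ATTR_PUBLIC_ACCESS the same way or the setting only restricts PUT ACL. The subject line speaks of policies, but the hunk only compares `block_public_acls()` against `new_policy.IsPublic()`; if BlockPublicPolicy enforcement is intended as well, it is not part of this change. Within the hunk, `attrs = s->bucket_attrs;` now copies the whole attribute map on every call, including the object branch that never uses the copy; looking the configuration up on `s->bucket_attrs` directly and keeping the copy in the `else` branch as before would avoid that. The failure log runs `__func__` straight into the message, so `ldpp_dout(this, 0) << __func__ << ": decode access conf failed" << dendl;` reads better, and `e` is unused, so `catch (const buffer::error&)` avoids a warning. Failing closed with -EIO when the stored configuration cannot be decoded is the right choice here.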
@@ -27,8 +27,8 @@ class PublicAccessConfiguration {
 bool RestrictPublicBuckets;
 public:
 PublicAccessConfiguration():
- BlockPublicAcls(true), IgnorePublicAcls(false),
- BlockPublicPolicy(true), RestrictPublicBuckets(false)
+ BlockPublicAcls(false), IgnorePublicAcls(false),
+ BlockPublicPolicy(false), RestrictPublicBuckets(false)
 {}
 auto block_public_acls() const {
--
2.39.5
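Review bot: Flipping the constructor defaults for BlockPublicAcls and BlockPublicPolicy from true to false is a security-relevant choice with no comment recording why, and since this constructor is what a caller gets before any configuration is decoded, the intent should be stated next to it (the enclosing class starts and ends outside this hunk); something like `// Defaults: no public-access blocking until a configuration is explicitly stored on the bucket.` would do. If the encoded form can omit fields, a decoded configuration presumably keeps these permissive values for anything missing, so the encode/decode versioning is worth checking against that assumption. A short note per flag saying which operations it is meant to restrict would also help, as the member names alone do not say.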