From 1afdf04dda322f4e5112eb85f1c9663dbbb5a4ed Mon Sep 17 00:00:00 2001
From: Pritha Srivastava
Date: Thu, 2 Feb 2023 11:05:41 +0530
Subject: [PATCH] rgw/sts: changing identity to boost::none, when role policy is verified for putobj permissions, in case of renaming a large file. While renaming a large file, putobj is invoked as an intermediate step, and role policy is verified for the source object if temp creds are used. Since the role policy is attached to the identity (role) itself and the role policy does not contain a Principal, there is no need to verify the identity and hence boost::none is passed in place of the identity.
fixes: https://tracker.ceph.com/issues/58628
Signed-off-by: Pritha Srivastava
(cherry picked from commit c2f5716e5196073abfc50917e5f687888f6dff42)
---
 src/rgw/rgw_op.cc | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 1056c1ea043f7..be739eefd0161 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -3616,7 +3616,7 @@ int RGWPutObj::verify_permission(optional_yield y)
 auto usr_policy_res = Effect::Pass;
 rgw::ARN obj_arn(cs_object->get_obj());
 for (auto& user_policy : s->iam_user_policies) {
- if (usr_policy_res = user_policy.eval(s->env, *s->auth.identity,
+ if (usr_policy_res = user_policy.eval(s->env, boost::none,
 cs_object->get_instance().empty() ?
 rgw::IAM::s3GetObject :
 rgw::IAM::s3GetObjectVersion,
-- 
2.39.5
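Review bot: The `boost::none` argument in the `user_policy.eval(...)` call makes this source-object read check evaluate the policies without the caller's identity, and nothing in the code says why that is safe; the reason (the policy is attached to the role and carries no Principal) lives only in the commit message. The loop runs over every entry of `s->iam_user_policies`, so the check presumably depends on no policy stored there ever containing a Principal element, which is enforced, if at all, outside this hunk. I would add above the loop `// Identity policies are attached to the caller and carry no Principal, so eval() is given no identity; do not reuse this for resource policies.` The patch touches only rgw_op.cc, so a regression test that renames a large object with temporary credentials and asserts both the allowed and the denied outcome would pin the behaviour. The `if` statement continues past the end of the hunk.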