From 2287ce9ff213d600a8b93887154dfed4991421b4 Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh
Date: Mon, 30 Nov 2015 13:46:05 -0800
Subject: [PATCH] rgw: don't allow cross-tenant bucket creation

Signed-off-by: Yehuda Sadeh
---
 src/rgw/rgw_op.cc | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 93391098aa7..815879d231b 100644
--- src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -1338,10 +1338,10 @@ int RGWCreateBucket::verify_permission()
 if (!rgw_user_is_authenticated(s->user))
 return -EACCES;

- /* XXX: maybe we need to check ACLs here! */
- // if ((s->perm_mask & RGW_PERM_WRITE) == 0) {
- // return -EACCES;
- // }
+ if (s->user.user_id.tenant != s->bucket_tenant) {
+ ldout(s->cct, 10) << "user cannot create a bucket in a different tenant (user_id.tenant=" << s->user.user_id.tenant << " requested=" << s->bucket_tenant << ")" << dendl;
+ return -EACCES;
+ }

 if (s->user.max_buckets) {
 RGWUserBuckets buckets;
-- 
2.39.5
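Review bot: The tenant comparison added to RGWCreateBucket::verify_permission() replaces the commented-out `s->perm_mask & RGW_PERM_WRITE` check together with its XXX marker, so the function no longer records that a credential's permission mask is not consulted before a bucket is created. If that check is deliberately out of scope for this commit, keep the reminder next to the new guard, for example `/* XXX: s->perm_mask is still not checked for RGW_PERM_WRITE here */`. The new guard is also only as strong as the code that fills `s->bucket_tenant`, which is outside this hunk: it is worth confirming that the field is derived from validated request data and defaults to the caller's own tenant when the request names none, since otherwise a tenanted user would get -EACCES on every create. A one-line comment above the comparison stating that default would make the intended rule auditable. The function body starts and ends outside the hunk.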