From 44d810e305f91b647f1aa030bf8c30c95b5d4cb2 Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Tue, 26 May 2026 12:03:48 -0400
Subject: [PATCH] rgw/s3control: skip account id check for admin users

allow access to admin users that don't belong to the requested account. this is also necessary for multisite, where requests are forwarded to the metadata master as the multisite system user instead of the original requester

Signed-off-by: Casey Bodley
---
 src/rgw/rgw_rest_s3control.cc | 17 ++++++++++-------
 1 file changed, 10 insertions(+), 7 deletions(-)

diff --git a/src/rgw/rgw_rest_s3control.cc b/src/rgw/rgw_rest_s3control.cc
index 89b97a67fae9..01b928513947 100644
--- a/src/rgw/rgw_rest_s3control.cc
+++ b/src/rgw/rgw_rest_s3control.cc
@@ -52,13 +52,16 @@ static int get_account_id(req_state* s, rgw_account_id& account_id)
 return -EINVAL;
 }
- const auto& account = s->auth.identity->get_account();
- if (!account) {
- return -ERR_METHOD_NOT_ALLOWED;
- }
- if (account_id != account->id) {
- s->err.message = "x-amz-account-id must match the requester";
- return -EINVAL;
+ if (!s->auth.identity->is_admin()) {
+ // verify that the requester belongs to the specified account
+ const auto& account = s->auth.identity->get_account();
+ if (!account) {
+ return -ERR_METHOD_NOT_ALLOWED;
+ }
+ if (account_id != account->id) {
+ s->err.message = "x-amz-account-id must match the requester";
+ return -EINVAL;
+ }
 }
 return 0;
 }
-- 
2.47.3
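Review bot: The new `if (!s->auth.identity->is_admin())` guard in get_account_id() lets an admin identity pass any x-amz-account-id through with no membership check, but the only comment added sits on the non-admin path, so the code does not record why the bypass is safe. I would put a comment above the guard such as `// admin/system identities may act on any account; forwarded multisite requests arrive as the system user, so the requester's account cannot be re-checked here`, which is inferred from the commit message and should be confirmed. For forwarded requests this makes the originating zone's check the only enforcement of the account match, which is worth stating because the metadata master now trusts it entirely. The hunk does not show whether later handlers verify that the supplied account exists or record which admin acted on which account, so a log line at the bypass and a test for the cross-account admin case would help. The function body starts above the hunk, so how `account_id` is parsed is not visible here.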