From 4dfec574efe4b253d5fddac4b71f945c128dbc07 Mon Sep 17 00:00:00 2001
From: Yehuda Sadeh
Date: Thu, 23 Feb 2012 17:22:53 -0800
Subject: [PATCH] rgw: enforce swift acls doesn't work yet, but almost.
Signed-off-by: Yehuda Sadeh
---
 src/common/config_opts.h | 1 +
 src/rgw/rgw_common.cc | 21 ++++++++++++++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/src/common/config_opts.h b/src/common/config_opts.h
index ac6d0e567da1e..afe1f191287e5 100644
--- a/src/common/config_opts.h
+++ b/src/common/config_opts.h
@@ -354,6 +354,7 @@ OPTION(rgw_socket_path, OPT_STR, "") // path to unix domain socket, if not spe
 OPTION(rgw_dns_name, OPT_STR, "")
 OPTION(rgw_swift_url, OPT_STR, "") //
 OPTION(rgw_swift_url_prefix, OPT_STR, "swift") //
+OPTION(rgw_enforce_swift_acls, OPT_BOOL, true)
 OPTION(rgw_print_continue, OPT_BOOL, true) // enable if 100-Continue works
 OPTION(rgw_remote_addr_param, OPT_STR, "REMOTE_ADDR") // e.g. X-Forwarded-For, if you have a reverse proxy
 OPTION(rgw_op_thread_timeout, OPT_INT, 10*60)
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 1bc70a00e5263..1cac44c755a77 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -355,7 +355,26 @@ bool verify_object_permission(struct req_state *s, int perm)
 if (!s->object_acl)
 return false;
 
- return s->object_acl->verify_permission(s->user.user_id, s->perm_mask, perm);
+ bool ret = s->object_acl->verify_permission(s->user.user_id, s->perm_mask, perm);
+ if (ret)
+ return true;
+
+ if (!g_conf->rgw_enforce_swift_acls)
+ return ret;
+
+ if ((perm & (int)s->perm_mask) != perm)
+ return false;
+
+ int swift_perm = 0;
+ if (perm & (RGW_PERM_READ || RGW_PERM_READ_ACP))
+ swift_perm |= RGW_PERM_READ_OBJS;
+ if (perm & (RGW_PERM_WRITE || RGW_PERM_WRITE_ACP))
+ swift_perm |= RGW_PERM_WRITE_OBJS;
+
+ if (!swift_perm)
+ return false;
+
+ return s->bucket_acl->verify_permission(s->user.user_id, s->perm_mask, swift_perm);
 }
 
 static char hex_to_num(char c)
--
2.39.5
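Review bot: The added `rgw_enforce_swift_acls` line has no trailing comment, and its name reads as a tightening switch even though the code it gates in verify_object_permission only adds a second allow path: a bucket-ACL check that runs after the object ACL has refused. With the default `true`, that fallback is active out of the box while the commit message says the feature does not work yet. I would document the effect in place, e.g. `OPTION(rgw_enforce_swift_acls, OPT_BOOL, true) // when set, an object-ACL denial falls back to the bucket ACL's object grants`, and consider defaulting to `false` until the check is finished.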
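Review bot: Both mask expressions in the added permission mapping use logical `||` where bitwise `|` is needed, so `(RGW_PERM_READ || RGW_PERM_READ_ACP)` and `(RGW_PERM_WRITE || RGW_PERM_WRITE_ACP)` each evaluate to 1 and the two `if`s test the same single bit of `perm`. Read and write requests are therefore not mapped separately, and a request can be checked against the wrong bucket grant or against none. The lines should read `if (perm & (RGW_PERM_READ | RGW_PERM_READ_ACP))` and `if (perm & (RGW_PERM_WRITE | RGW_PERM_WRITE_ACP))`. The final return also dereferences `s->bucket_acl` without the null guard that `s->object_acl` gets at the top of the hunk; if it can be unset on this path, add `if (!s->bucket_acl) return false;` before it. The start of verify_object_permission lies outside the hunk.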