From 4fde9dddb8c2732ecf95fa1d508ee7c91fc53e74 Mon Sep 17 00:00:00 2001
From: Seena Fallah
Date: Fri, 28 Feb 2025 16:51:07 +0100
Subject: [PATCH] rgw: replication require lock perm if enabled

Signed-off-by: Seena Fallah
---
 src/rgw/rgw_op.cc | 23 ++++++++++++++++++-----
 1 file changed, 18 insertions(+), 5 deletions(-)

diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index a0c66e7abdad8..908371c81fc7d 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -1107,6 +1107,24 @@ int RGWGetObj::verify_permission(optional_yield y)
   // non-impersonated or standard system requests will be handled in rgw_process_authenticated().
   const bool is_replication_request = s->system_request;
 
+  if (s->bucket->get_info().obj_lock_enabled()) {
+    get_retention = verify_object_permission(this, s, rgw::IAM::s3GetObjectRetention);
+    if (is_replication_request && !get_retention) {
+      s->err.message = "missing s3:GetObjectRetention permission";
+      ldpp_dout(this, 4) << "ERROR: fetching object for replication object=" << s->object << " reason=" << s->err.message << dendl;
+
+      return -EACCES;
+    }
+
+    get_legal_hold = verify_object_permission(this, s, rgw::IAM::s3GetObjectLegalHold);
+    if (is_replication_request && !get_legal_hold) {
+      s->err.message = "missing s3:GetObjectLegalHold permission";
+      ldpp_dout(this, 4) << "ERROR: fetching object for replication object=" << s->object << " reason=" << s->err.message << dendl;
+
+      return -EACCES;
+    }
+  }
+
   if (is_replication_request) {
     // check for s3:GetObject(Version)Acl permission
     action = s->object->get_instance().empty() ? rgw::IAM::s3GetObjectAcl : rgw::IAM::s3GetObjectVersionAcl;
@@ -1143,11 +1161,6 @@ int RGWGetObj::verify_permission(optional_yield y)
     return -EACCES;
   }
 
-  if (s->bucket->get_info().obj_lock_enabled()) {
-    get_retention = verify_object_permission(this, s, rgw::IAM::s3GetObjectRetention);
-    get_legal_hold = verify_object_permission(this, s, rgw::IAM::s3GetObjectLegalHold);
-  }
-
   return 0;
 }
-- 
2.39.5
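Review bot: The two new checks inside the `obj_lock_enabled()` branch of the first hunk are the same six lines written twice, differing only in the IAM action and the permission named in the message, so the log text and `s->err.message` can drift apart as soon as a third lock permission is added. A small local lambda that evaluates one permission and, for replication requests, sets the message and returns `-EACCES` keeps both sites identical (sketch below). The block has also moved ahead of the `s3GetObject(Version)Acl` and `s3GetObject` checks that follow it, so a non-replication caller on a lock-enabled bucket now has its retention/legal-hold permissions evaluated even when the request is about to be denied anyway; that is harmless but deserves a line such as `// lock permissions are evaluated first so a replication request fails fast before the ACL check`. `RGWGetObj::verify_permission` begins before the first hunk and the two hunks are separated by lines outside the patch.
```cpp
  if (s->bucket->get_info().obj_lock_enabled()) {
    // Replication must be able to read retention/legal-hold state, so a
    // missing lock permission is fatal for system (replication) requests;
    // ordinary requests only record whether the permission is held.
    auto require_lock_perm = [&](bool& granted, auto action, const char* perm_name) {
      granted = verify_object_permission(this, s, action);
      if (is_replication_request && !granted) {
        s->err.message = std::string("missing ") + perm_name + " permission";
        ldpp_dout(this, 4) << "ERROR: fetching object for replication object=" << s->object << " reason=" << s->err.message << dendl;
        return -EACCES;
      }
      return 0;
    };
    if (int r = require_lock_perm(get_retention, rgw::IAM::s3GetObjectRetention, "s3:GetObjectRetention"); r < 0) {
      return r;
    }
    if (int r = require_lock_perm(get_legal_hold, rgw::IAM::s3GetObjectLegalHold, "s3:GetObjectLegalHold"); r < 0) {
      return r;
    }
  }
  // … unchanged: replication ACL check and the remaining permission checks …
```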