From 5234b084ee87255a49954caadc7a7617038434b8 Mon Sep 17 00:00:00 2001
From: Radoslaw Zarzynski
Date: Sun, 17 Apr 2016 13:08:48 +0200
Subject: [PATCH] rgw: decouple system user from admin user.

Signed-off-by: Radoslaw Zarzynski
---
 src/rgw/librgw.cc | 4 ++++
 src/rgw/rgw_auth.cc | 2 ++
 src/rgw/rgw_common.h | 2 ++
 src/rgw/rgw_op.cc | 14 +++++++++-----
 src/rgw/rgw_process.cc | 2 ++
 5 files changed, 19 insertions(+), 5 deletions(-)

diff --git a/src/rgw/librgw.cc b/src/rgw/librgw.cc
index 572380b5c0f5d..ff60a1a8a8308 100644
--- a/src/rgw/librgw.cc
+++ b/src/rgw/librgw.cc
@@ -260,6 +260,8 @@ namespace rgw {
 if (ret < 0) {
 if (s->system_request) {
 dout(2) << "overriding permissions due to system operation" << dendl;
+ } else if (s->auth_identity->is_admin_of(s->user->user_id)) {
+ dout(2) << "overriding permissions due to admin operation" << dendl;
 } else {
 abort_req(s, op, ret);
 goto done;
@@ -370,6 +372,8 @@ namespace rgw {
 if (ret < 0) {
 if (s->system_request) {
 dout(2) << "overriding permissions due to system operation" << dendl;
+ } else if (s->auth_identity->is_admin_of(s->user->user_id)) {
+ dout(2) << "overriding permissions due to admin operation" << dendl;
 } else {
 abort_req(s, op, ret);
 goto done;
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 858d3267bd6f8..d3716a86792a8 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -64,5 +64,7 @@ rgw_auth_transform_old_authinfo(req_state * const s)
 new RGWDummyIdentityApplier(s->cct,
 s->user->user_id,
 s->perm_mask,
+ /* System user has admin permissions by default - it's supposed to pass
+ * through any security check. */
 s->system_request));
 }
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index ab597ab18a17b..6d87f0b92a630 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
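Review bot: In librgw.cc (hunk at -260, and identically at -370 and in process_request in rgw_process.cc), the new override branch asks `is_admin_of(s->user->user_id)`, which is the requester's own user id rather than the owner of the resource the failed check in `ret` was about; the rgw_op.cc hunks in this patch pass the policy owner instead. If `is_admin_of` returns true for any identity carrying an admin flag, this branch waives every failed permission check for that identity, so the intended scope should be stated in a comment or the argument changed to the target owner. The override is also logged at `dout(2)` without naming who was let through; for an authorization bypass the line is worth making attributable, for example `dout(2) << "overriding permissions due to admin operation, user=" << s->user->user_id << dendl;`. The enclosing function starts and ends outside the hunk and `is_admin_of` is not defined in this patch, so how it treats its argument is assumed here.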
@@ -1270,6 +1270,8 @@ struct req_state { RGWAccessControlPolicy *bucket_acl; RGWAccessControlPolicy *object_acl; + /* Is the request made by an user marked as a system one? + * Being system user means we also have the admin status. */ bool system_request; /* aws4 auth support */ diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index 5cee66ff35d60..7a02047f1d7d0 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -277,8 +277,9 @@ static int read_policy(RGWRados *store, struct req_state *s, return ret; } - rgw_user& owner = bucket_policy.get_owner().get_id(); - if (!s->system_request && owner.compare(s->user->user_id) != 0 && + const rgw_user& bucket_owner = bucket_policy.get_owner().get_id(); + if (bucket_owner.compare(s->user->user_id) != 0 && + !s->auth_identity->is_admin_of(bucket_owner) && !bucket_policy.verify_permission(*s->auth_identity, s->perm_mask, RGW_PERM_READ)) { ret = -EACCES; @@ -3301,8 +3302,10 @@ int RGWCopyObj::verify_permission() return op_ret; } - if (!s->system_request && /* admin request overrides permission checks */ - !src_policy.verify_permission(*s->auth_identity, s->perm_mask, RGW_PERM_READ)) { + /* admin request overrides permission checks */ + if (!s->auth_identity->is_admin_of(src_policy.get_owner().get_id()) && + !src_policy.verify_permission(*s->auth_identity, s->perm_mask, + RGW_PERM_READ)) { return -EACCES; } } @@ -3339,7 +3342,8 @@ int RGWCopyObj::verify_permission() return op_ret; } - if (!s->system_request && /* system request overrides permission checks */ + /* admin request overrides permission checks */ + if (!s->auth_identity->is_admin_of(dest_policy.get_owner().get_id()) && !dest_bucket_policy.verify_permission(*s->auth_identity, s->perm_mask, RGW_PERM_WRITE)) { return -EACCES; diff --git a/src/rgw/rgw_process.cc b/src/rgw/rgw_process.cc index c5fa0fe4e87d0..a0d04c0a4b781 100644 --- a/src/rgw/rgw_process.cc +++ b/src/rgw/rgw_process.cc 
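Review bot: In read_policy (rgw_op.cc, hunk at -277), the condition now takes identity from two places: ownership is still decided by `bucket_owner.compare(s->user->user_id) != 0`, while the admin and ACL checks go through `s->auth_identity`. If the identity object can ever stand for a principal other than `s->user`, the owner shortcut would be granted on the wrong one, so either all three tests should derive from `s->auth_identity` or a comment should state that the two are guaranteed to agree. The removed `!s->system_request` bypass now survives only through `is_admin_of(bucket_owner)`, which appears to hold for system users only because rgw_auth.cc passes `s->system_request` as the admin argument. read_policy's body starts before and continues past the hunk.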
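Review bot: In RGWCopyObj::verify_permission (rgw_op.cc, hunk at -3339), the admin check is keyed on `dest_policy.get_owner().get_id()` but the ACL check on the following line is made against `dest_bucket_policy`. The source-side hunk at -3301 uses `src_policy` for both tests, so this line looks like it should read `if (!s->auth_identity->is_admin_of(dest_bucket_policy.get_owner().get_id()) &&`. If `dest_policy` has no owner set at this point, the override would be evaluated against an empty user id; whether it is populated earlier in the function is not visible in the hunk and needs checking.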
@@ -159,6 +159,8 @@ int process_request(RGWRados* store, RGWREST* rest, RGWRequest* req,
 if (ret < 0) {
 if (s->system_request) {
 dout(2) << "overriding permissions due to system operation" << dendl;
+ } else if (s->auth_identity->is_admin_of(s->user->user_id)) {
+ dout(2) << "overriding permissions due to admin operation" << dendl;
 } else {
 abort_early(s, op, ret, handler);
 goto done;
--
2.39.5