From 64ab3a3e49d0e7bc716ee5301e15a1ba61127bb4 Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Wed, 26 Feb 2025 16:42:43 -0500
Subject: [PATCH] rgw: use object ARN for InitMultipart permissions from https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html#mpuAndPermissions: > You must be allowed to perform the s3:PutObject action on an object to create a multipart upload request. but it was calling the verify_bucket_permission() overload which defaulted to the bucket ARN. pass the object ARN instead, like we do for RGWPutObj and RGWCompleteMultipart
Fixes: https://tracker.ceph.com/issues/70191
Signed-off-by: Casey Bodley
---
 src/rgw/rgw_op.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 4fcb51b5472..9f81b929f7d 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -6618,7 +6618,8 @@ int RGWInitMultipart::verify_permission(optional_yield y)
 // add server-side encryption headers
 rgw_iam_add_crypt_attrs(s->env, s->info.crypt_attribute_map);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3PutObject)) {
+ if (!verify_bucket_permission(this, s, ARN(s->object->get_obj()),
+ rgw::IAM::s3PutObject)) {
 return -EACCES;
 }
--
2.39.5
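Review bot: The new call in `RGWInitMultipart::verify_permission` carries no comment saying why it passes an object ARN, and the overload that falls back to the bucket ARN is one argument away, so a later cleanup could quietly restore the wrong authorization scope. I would add above the `if`: `// s3:PutObject is an object-level action; evaluate policy against the object ARN, not the bucket ARN`. Because the resource being matched changes, policies that grant `s3:PutObject` on the bucket ARN alone presumably stop authorizing this request, which deserves a release note and a regression test using a prefix-scoped policy. The function body continues outside the hunk, so whether `s->object` is guaranteed non-null before `get_obj()` cannot be confirmed from here.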