From 731bdbc150967bf77a6649d084f0e9a74e6df65b Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Wed, 21 Feb 2024 17:48:20 -0500
Subject: [PATCH] rgw/auth: RoleApplier matches paths in role arns

Signed-off-by: Casey Bodley
---
 src/rgw/rgw_auth.cc | 6 ++++--
 src/rgw/rgw_auth.h | 1 +
 src/rgw/rgw_rest_s3.cc | 1 +
 3 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index dd9337818c79e..b5227aecf47cd 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -980,8 +980,10 @@ bool rgw::auth::RoleApplier::is_identity(const Principal& p) const {
 return match_account_or_tenant(role.account_id, role.tenant, p.get_account());
 } else if (p.is_role()) {
- return p.get_id() == role.name // TODO: match path/name
- && p.get_account() == role.tenant;
+ std::string_view no_subuser;
+ // account roles can match both account- and tenant-based arns
+ return match_account_or_tenant(role.account_id, role.tenant, p.get_account()) && match_principal(role.path, role.name, no_subuser, p.get_id());
 } else if (p.is_assumed_role()) {
 string role_session = role.name + "/" + token_attrs.role_session_name; //role/role-session
 return p.get_account() == role.tenant
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index e2249e5fdf00e..64e55d532f061 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -726,6 +726,7 @@ public:
 struct Role {
 std::string id;
 std::string name;
+ std::string path;
 std::string tenant;
 rgw_account_id account_id;
 std::vector inline_policies;
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 37cd303cfa2bd..b27ddafdcf0c4 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -6467,6 +6467,7 @@ rgw::auth::s3::STSEngine::authenticate(
 }
 r.id = token.roleId;
 r.name = role->get_name();
+ r.path = role->get_path();
 r.tenant = role->get_tenant();
 r.account_id = role->get_account_id();
-- 
2.39.5
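Review bot: The `is_assumed_role()` branch in the context just below the change still requires `p.get_account() == role.tenant`, so after this hunk a policy can name the role by account id or by tenant in a `role/` arn but the corresponding `assumed-role/<name>/<session>` arn only matches by tenant; unless a follow-up covers it, the same `match_account_or_tenant(role.account_id, role.tenant, p.get_account())` belongs in that branch too. `match_principal` is not visible here, so it is worth confirming what it does with an empty `role.path`: any `RoleApplier::Role` that is built without setting `path` (a construction site this patch does not touch, or a stored role with no path) would otherwise stop matching arns that previously matched on name alone, and a unit test over `role/Name`, `role/some/path/Name` and a mismatched path would pin the intended behaviour. The empty view could be declared `constexpr std::string_view no_subuser{};` so a reader sees a deliberate empty argument rather than an uninitialised-looking local. `is_identity()` starts before this hunk and continues after it.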
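Review bot: The new `path` member is undocumented and has no default, so any code that fills a `RoleApplier::Role` without assigning it silently leaves an empty string that now feeds the role-arn comparison in `RoleApplier::is_identity()`. A one-line comment would tell the next reader what it holds and that every engine populating this struct must set it, e.g. `std::string path; // arn path of the role, matched by RoleApplier::is_identity(); must be set wherever Role is filled`. The enclosing class declaration starts before this hunk.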