From 7d402ba85cad6d082b439af1856fb44b279a8ca6 Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Tue, 20 Feb 2024 17:46:06 -0500
Subject: [PATCH] rgw/auth: AssumeRole uses role account as owner

Signed-off-by: Casey Bodley
(cherry picked from commit aeecbe14d00cb0da974ff1f5e5505ca220fecd3d)
---
 src/rgw/rgw_auth.cc    | 11 ++++++++++-
 src/rgw/rgw_auth.h     |  7 ++-----
 src/rgw/rgw_rest_s3.cc |  1 +
 3 files changed, 13 insertions(+), 6 deletions(-)

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 1f84fcb2da4..dc662c7b905 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -943,11 +943,20 @@ void rgw::auth::LocalApplier::write_ops_log_entry(rgw_log_entry& entry) const
 ACLOwner rgw::auth::RoleApplier::get_aclowner() const
 {
   ACLOwner owner;
-  owner.id = token_attrs.user_id;
+  if (!role.account_id.empty()) {
+    owner.id = role.account_id;
+  } else {
+    owner.id = token_attrs.user_id;
+  }
   owner.display_name = role.name;
   return owner;
 }
+bool rgw::auth::RoleApplier::is_owner_of(const rgw_owner& o) const
+{
+  return match_owner(o, token_attrs.user_id, role.account_id);
+}
+
 void rgw::auth::RoleApplier::to_str(std::ostream& out) const
 {
   out << "rgw::auth::RoleApplier(role name =" << role.name;
   for (auto& policy: role.inline_policies) {
diff --git a/src/rgw/rgw_auth.h b/src/rgw/rgw_auth.h
index 3c3dd5ebe7c..e2249e5fdf0 100644
--- a/src/rgw/rgw_auth.h
+++ b/src/rgw/rgw_auth.h
@@ -727,6 +727,7 @@ public:
     std::string id;
     std::string name;
     std::string tenant;
+    rgw_account_id account_id;
     std::vector inline_policies;
     std::vector managed_policies;
   };
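Review bot: The new `is_owner_of` still matches `o` against `token_attrs.user_id` even when `role.account_id` is set, while `get_aclowner()` in the same hunk now names the account rather than the assuming user as owner. If `match_owner()` (defined outside this patch) accepts a uid match independently of its account argument, a session for an account role is treated as owner of the assuming user's own buckets and objects, so its effective identity is the union of the role's account and the caller rather than the role alone — worth confirming against `match_owner`, since AssumeRole semantics elsewhere give a session only the role's identity. If user ownership is only meant for tenant-scoped roles, the uid comparison should be limited to the `role.account_id.empty()` case, mirroring the branch in `get_aclowner()`; at minimum I would record the decision with `// account roles: owner is the account; the uid match below also covers the assuming user's own resources`. `to_str` continues past the hunk.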
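Review bot: Nothing forces code that builds a `RoleApplier::Role` to populate the new `account_id` field, and the field carries no comment saying that empty is a meaningful value. Only `STSEngine::authenticate` in rgw_rest_s3.cc is updated in this diffstat; any other initializer of this struct (none is visible here) would leave `account_id` empty and silently fall back to user-as-owner in `get_aclowner()`, which is the pre-patch behavior rather than an error. Worth grepping for other `Role` initializations before merging, and documenting the sentinel inline: `rgw_account_id account_id; // empty for tenant-scoped roles; when set, the account (not the assuming user) is the ACL owner`. The `Role` struct and the `RoleApplier` class both start outside the hunk.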
@@ -757,11 +758,7 @@ public:
   bool is_admin_of(const rgw_owner& o) const override {
     return false;
   }
-  bool is_owner_of(const rgw_owner& o) const override {
-    auto* uid = std::get_if(&o);
-    // TODO: handle account roles
-    return uid && *uid == token_attrs.user_id;
-  }
+  bool is_owner_of(const rgw_owner& o) const override;
   bool is_identity(const Principal& p) const override;
   uint32_t get_perm_mask() const override {
     return RGW_PERM_NONE;
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
index 37cabde9e6b..b854c70a48f 100644
--- a/src/rgw/rgw_rest_s3.cc
+++ b/src/rgw/rgw_rest_s3.cc
@@ -6457,6 +6457,7 @@ rgw::auth::s3::STSEngine::authenticate(
   r.id = token.roleId;
   r.name = role->get_name();
   r.tenant = role->get_tenant();
+  r.account_id = role->get_account_id();
 
   for (auto& [name, policy] : role->get_info().perm_policy_map) {
     r.inline_policies.push_back(std::move(policy));
-- 
2.39.5
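Review bot: `r.account_id` is read from the role record as loaded now (`role->get_account_id()`), not from anything carried in the session token, so a session's owner identity follows the role's current account binding rather than the binding in effect at AssumeRole time. That is consistent with how `r.name` and `r.tenant` are already filled from `role` on the lines above, but the hunk adds no check that the token was issued under the same account, so if a role's account association can change after issuance (not visible here) outstanding sessions silently change owner. A short comment would make the choice deliberate: `r.account_id = role->get_account_id(); // owner follows the role's current account, not the token`. `STSEngine::authenticate` starts and ends outside the hunk.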