From 8e24a611db7a951c2523503e922c9fda4fb68f2e Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Tue, 2 Jan 2024 18:28:12 -0500
Subject: [PATCH] rgw/auth: Identity matches account user principals
when a user belongs to an account, they match Principal ARNs by account id instead of tenant name, and by user name instead user id
Signed-off-by: Casey Bodley
---
 src/rgw/rgw_auth.cc | 22 +++++++++++++++++-----
 1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index 5899b65b736..187ea2c71f0 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -146,8 +146,13 @@ transform_old_authinfo(CephContext* const cct,
 return p.get_account() == id.tenant;
 } else if (p.is_user()) {
 std::string_view no_subuser;
- return p.get_account() == id.tenant
- && match_principal(path, id.id, no_subuser, p.get_id());
+ // account users can match both account- and tenant-based arns
+ if (!account_id.empty() && p.get_account() == account_id) {
+ return match_principal(path, display_name, no_subuser, p.get_id());
+ } else {
+ return p.get_account() == id.tenant
+ && match_principal(path, id.id, no_subuser, p.get_id());
+ }
 }
 return false;
 }
@@ -867,9 +872,16 @@ bool rgw::auth::LocalApplier::is_identity(const Principal& p) const {
 } else if (p.is_account()) {
 return p.get_account() == user_info.user_id.tenant;
 } else if (p.is_user()) {
- return p.get_account() == user_info.user_id.tenant
- && match_principal(user_info.path, user_info.user_id.id,
- subuser, p.get_id());
+ // account users can match both account- and tenant-based arns
+ if (!user_info.account_id.empty() &&
+ p.get_account() == user_info.account_id) {
+ return match_principal(user_info.path, user_info.display_name,
+ subuser, p.get_id());
+ } else {
+ return p.get_account() == user_info.user_id.tenant
+ && match_principal(user_info.path, user_info.user_id.id,
+ subuser, p.get_id());
+ }
 }
 return false;
 }
--
2.39.5
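Review bot: The new `is_user()` branch accepts a principal whose account field equals `account_id`, but the `is_account()` branch in the context lines just above it (in both hunks, `transform_old_authinfo` and `LocalApplier::is_identity`) still compares `p.get_account()` only against the tenant, so an account-scoped root principal for the same account user is not recognised while the account-scoped user principal now is; if that asymmetry is deliberate for this commit, a one-line comment on the `is_account()` branch saying so would keep the next reader from treating it as a bug. The account path also matches on `display_name` instead of the stable `user_id.id`, which is only sound if the account layer enforces that names are unique and not reassignable within an account — nothing in the hunk shows that, so the comment should carry the assumption, e.g. `// account users are addressed by name; assumes display_name is unique within the account — confirm against the account user store`. The two-branch logic is repeated byte for byte across the two hunks apart from the `user_info.` prefix; a small file-local helper taking path, user id, tenant, account id, display name, subuser and the principal would keep the two callers from drifting. Both enclosing functions start outside the hunks, and where `account_id` and `display_name` come from in the first one is not visible here.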