From 97ee3287fb3b062eda0d07f07a219eafb04a5a6a Mon Sep 17 00:00:00 2001
From: Seena Fallah
Date: Fri, 21 Feb 2025 00:56:28 +0100
Subject: [PATCH] rgw: check for s3ReplicateObject perm on destination bucket for replication

Instead of s3:PutObject rely on s3:s3ReplicateObject permission to check whether the user can replicate to the destination bucket.

Signed-off-by: Seena Fallah
---
 src/rgw/driver/rados/rgw_data_sync.cc | 2 +-
 src/rgw/rgw_iam_policy.cc | 4 ++++
 src/rgw/rgw_iam_policy.h | 2 ++
 3 files changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/rgw/driver/rados/rgw_data_sync.cc b/src/rgw/driver/rados/rgw_data_sync.cc
index af7518c36c900..7523996d9a1cf 100644
--- a/src/rgw/driver/rados/rgw_data_sync.cc
+++ b/src/rgw/driver/rados/rgw_data_sync.cc
@@ -2986,7 +2986,7 @@ public:
 return set_cr_error(retcode);
 }
- if (!dest_bucket_perms.verify_bucket_permission(dest_key.value_or(key), rgw::IAM::s3PutObject)) {
+ if (!dest_bucket_perms.verify_bucket_permission(dest_key.value_or(key), rgw::IAM::s3ReplicateObject)) {
 ldout(cct, 0) << "ERROR: " << __func__ << ": permission check failed: user not allowed to write into bucket (bucket=" << sync_pipe.info.dest_bucket.get_key() << ")" << dendl;
 return set_cr_error(-EPERM);
 }
diff --git a/src/rgw/rgw_iam_policy.cc b/src/rgw/rgw_iam_policy.cc
index ea85ab4961811..fda7d68a0dda4 100644
--- a/src/rgw/rgw_iam_policy.cc
+++ b/src/rgw/rgw_iam_policy.cc
@@ -139,6 +139,7 @@ static const actpair actpairs[] = {
 { "s3:RestoreObject", s3RestoreObject },
 { "s3:DescribeJob", s3DescribeJob },
 { "s3:ReplicateDelete", s3ReplicateDelete },
+ { "s3:ReplicateObject", s3ReplicateObject },
 { "s3-object-lambda:GetObject", s3objectlambdaGetObject },
 { "s3-object-lambda:ListBucket", s3objectlambdaListBucket },
 { "iam:PutUserPolicy", iamPutUserPolicy },
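Review bot: The log message on the line after the changed check still reports "user not allowed to write into bucket", so an operator debugging a replication failure after this change is pointed at s3:PutObject grants rather than the s3:ReplicateObject permission that is now required; suggest `": permission check failed: user not allowed to replicate into bucket (bucket="`. The switch also changes behaviour for existing deployments: a destination bucket policy that grants the sync user only s3:PutObject will start failing with -EPERM at this check, so a release note and a pointer in the multisite documentation to the new action would avoid surprise replication outages. The enclosing coroutine method starts and ends outside the hunk.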
@@ -1513,6 +1514,9 @@ const char* action_bit_string(uint64_t action) {
 case s3ReplicateDelete:
 return "s3:ReplicateDelete";
+ case s3ReplicateObject:
+ return "s3:ReplicateObject";
+
 case s3objectlambdaGetObject:
 return "s3-object-lambda:GetObject";
diff --git a/src/rgw/rgw_iam_policy.h b/src/rgw/rgw_iam_policy.h
index e51250041fd95..f7f9b38e5c3b2 100644
--- a/src/rgw/rgw_iam_policy.h
+++ b/src/rgw/rgw_iam_policy.h
@@ -118,6 +118,7 @@ enum {
 s3GetObjectAttributes,
 s3GetObjectVersionAttributes,
 s3ReplicateDelete,
+ s3ReplicateObject,
 s3All,
 s3objectlambdaGetObject,
@@ -275,6 +276,7 @@ inline int op_to_perm(std::uint64_t op) {
 case s3PutObjectLegalHold:
 case s3BypassGovernanceRetention:
 case s3ReplicateDelete:
+ case s3ReplicateObject:
 return RGW_PERM_WRITE;
 case s3GetAccelerateConfiguration:
-- 
2.39.5
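Review bot: The new enumerator in the rgw_iam_policy.h enum hunk is inserted before s3All, which shifts the numeric value of s3All and of every enumerator after it (s3objectlambdaGetObject onward); that is harmless only if action ids are used purely in-process and never persisted or compared across versions, which looks like the existing convention given s3ReplicateDelete sits in the same position, but it is worth confirming. Placing it inside the s3 range is presumably also what lets an `s3:*` grant cover the new action, assuming s3All is the bound used for that wildcard. The actpairs[] string table and the action_bit_string() and op_to_perm() switches in the other hunks are hand-maintained mirrors of this enum; the commit keeps all four in step, and a short comment on the enum such as `// keep in sync with actpairs[], action_bit_string() and op_to_perm()` would help the next addition.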