From a2b41a27ebc2f14f3d2079fc4a2c2a682e871bcc Mon Sep 17 00:00:00 2001 From: Casey Bodley Date: Thu, 7 Dec 2023 18:00:37 -0500 Subject: [PATCH] rgw/acl: use ACLOwners for create_default() initialize RGWAccessControlPolicy with ACLOwners from the auth identity Signed-off-by: Casey Bodley --- src/rgw/rgw_acl_swift.cc | 10 ++++----- src/rgw/rgw_acl_swift.h | 7 +++--- src/rgw/rgw_op.cc | 45 +++++++++++++-------------------------- src/rgw/rgw_rest_swift.cc | 15 ++++++------- 4 files changed, 28 insertions(+), 49 deletions(-) diff --git a/src/rgw/rgw_acl_swift.cc b/src/rgw/rgw_acl_swift.cc index 260f4530d41f7..3f4191ab26a89 100644 --- a/src/rgw/rgw_acl_swift.cc +++ b/src/rgw/rgw_acl_swift.cc @@ -171,14 +171,13 @@ namespace rgw::swift { int create_container_policy(const DoutPrefixProvider *dpp, rgw::sal::Driver* driver, - const rgw_user& id, - const std::string& name, + const ACLOwner& owner, const char* read_list, const char* write_list, uint32_t& rw_mask, RGWAccessControlPolicy& policy) { - policy.create_default(id, name); + policy.create_default(owner.id, owner.display_name); auto& acl = policy.get_acl(); if (read_list) { @@ -279,12 +278,11 @@ void format_container_acls(const RGWAccessControlPolicy& policy, int create_account_policy(const DoutPrefixProvider* dpp, rgw::sal::Driver* driver, - const rgw_user& id, - const std::string& name, + const ACLOwner& owner, const std::string& acl_str, RGWAccessControlPolicy& policy) { - policy.create_default(id, name); + policy.create_default(owner.id, owner.display_name); auto& acl = policy.get_acl(); JSONParser parser; diff --git a/src/rgw/rgw_acl_swift.h b/src/rgw/rgw_acl_swift.h index a16bea894dbe5..fe7d9032becbc 100644 --- a/src/rgw/rgw_acl_swift.h +++ b/src/rgw/rgw_acl_swift.h @@ -7,6 +7,7 @@ #include "rgw_sal_fwd.h" #include "rgw_user_types.h" +struct ACLOwner; class DoutPrefixProvider; class RGWAccessControlPolicy; @@ -16,8 +17,7 @@ namespace rgw::swift { /// X-Container-Read/X-Container-Write. int create_container_policy(const DoutPrefixProvider *dpp, rgw::sal::Driver* driver, - const rgw_user& id, - const std::string& name, + const ACLOwner& owner, const char* read_list, const char* write_list, uint32_t& rw_mask, @@ -35,8 +35,7 @@ void format_container_acls(const RGWAccessControlPolicy& policy, /// Create a policy based on swift account acl header X-Account-Access-Control. int create_account_policy(const DoutPrefixProvider* dpp, rgw::sal::Driver* driver, - const rgw_user& id, - const std::string& name, + const ACLOwner& owner, const std::string& acl_str, RGWAccessControlPolicy& policy); diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index a2f4f4e459e1f..acfec133e836d 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -292,8 +292,7 @@ int rgw_op_get_bucket_policy_from_attr(const DoutPrefixProvider *dpp, static int get_obj_policy_from_attr(const DoutPrefixProvider *dpp, CephContext *cct, rgw::sal::Driver* driver, - RGWBucketInfo& bucket_info, - map& bucket_attrs, + const ACLOwner& bucket_owner, RGWAccessControlPolicy& policy, string *storage_class, rgw::sal::Object* obj, @@ -312,12 +311,8 @@ static int get_obj_policy_from_attr(const DoutPrefixProvider *dpp, } else if (ret == -ENODATA) { /* object exists, but policy is broken */ ldpp_dout(dpp, 0) << "WARNING: couldn't find acl header for object, generating default" << dendl; - std::unique_ptr user = driver->get_user(bucket_info.owner); - ret = user->load_user(dpp, y); - if (ret < 0) - return ret; - - policy.create_default(bucket_info.owner, user->get_display_name()); + policy.create_default(bucket_owner.id, bucket_owner.display_name); + ret = 0; } if (storage_class) { @@ -443,9 +438,8 @@ static int read_obj_policy(const DoutPrefixProvider *dpp, } policy = get_iam_policy_from_attr(s->cct, bucket_attrs, bucket->get_tenant()); - int ret = get_obj_policy_from_attr(dpp, s->cct, driver, bucket_info, - bucket_attrs, acl, storage_class, object, - s->yield); + int ret = get_obj_policy_from_attr(dpp, s->cct, driver, s->bucket_owner, + acl, storage_class, object, s->yield); if (ret == -ENOENT) { /* object does not exist checking the bucket's ACL to make sure that we send a proper error code */ @@ -524,13 +518,8 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d } } - struct { - rgw_user uid; - std::string display_name; - } acct_acl_user = { - s->user->get_id(), - s->user->get_display_name(), - }; + // ACLOwner for swift's s->user_acl. may be retargeted to s->bucket_owner + const ACLOwner* acct_acl_user = &s->owner; if (!s->bucket_name.empty()) { s->bucket_exists = true; @@ -560,12 +549,9 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d ret = read_bucket_policy(dpp, driver, s, s->bucket->get_info(), s->bucket->get_attrs(), s->bucket_acl, s->bucket->get_key(), y); - acct_acl_user = { - s->bucket->get_info().owner, - s->bucket_acl.get_owner().display_name, - }; s->bucket_owner = s->bucket_acl.get_owner(); + acct_acl_user = &s->bucket_owner; s->zonegroup_endpoint = rgw::get_zonegroup_endpoint(zonegroup); s->zonegroup_name = zonegroup.get_name(); @@ -602,7 +588,7 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d /* handle user ACL only for those APIs which support it */ if (s->dialect == "swift" && !s->user->get_id().empty()) { - std::unique_ptr acl_user = driver->get_user(acct_acl_user.uid); + std::unique_ptr acl_user = driver->get_user(acct_acl_user->id); ret = acl_user->read_attrs(dpp, y); if (!ret) { @@ -616,8 +602,8 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d * 1. if we try to reach an existing bucket, its owner is considered * as account owner. * 2. otherwise account owner is identity stored in s->user->user_id. */ - s->user_acl.create_default(acct_acl_user.uid, - acct_acl_user.display_name); + s->user_acl.create_default(acct_acl_user->id, + acct_acl_user->display_name); ret = 0; } else if (ret < 0) { ldpp_dout(dpp, 0) << "NOTICE: couldn't get user attrs for handling ACL " @@ -3517,9 +3503,8 @@ void RGWCreateBucket::execute(optional_yield y) } } - s->bucket_owner.id = s->user->get_id(); - s->bucket_owner.display_name = s->user->get_display_name(); - createparams.owner = s->user->get_id(); + s->bucket_owner = policy.get_owner(); + createparams.owner = s->bucket_owner.id; buffer::list aclbl; policy.encode(aclbl); @@ -7706,7 +7691,7 @@ int RGWBulkUploadOp::handle_dir(const std::string_view path, optional_yield y) { // create a default acl RGWAccessControlPolicy policy; - policy.create_default(s->user->get_id(), s->user->get_display_name()); + policy.create_default(s->owner.id, s->owner.display_name); ceph::bufferlist aclbl; policy.encode(aclbl); createparams.attrs[RGW_ATTR_ACL] = std::move(aclbl); @@ -7941,7 +7926,7 @@ int RGWBulkUploadOp::handle_file(const std::string_view path, /* Create metadata: ACLs. */ RGWAccessControlPolicy policy; - policy.create_default(s->user->get_id(), s->user->get_display_name()); + policy.create_default(s->owner.id, s->owner.display_name); ceph::bufferlist aclbl; policy.encode(aclbl); attrs.emplace(RGW_ATTR_ACL, std::move(aclbl)); diff --git a/src/rgw/rgw_rest_swift.cc b/src/rgw/rgw_rest_swift.cc index fb4e771ddda1d..f6bb52e2d1a04 100644 --- a/src/rgw/rgw_rest_swift.cc +++ b/src/rgw/rgw_rest_swift.cc @@ -709,8 +709,7 @@ static int get_swift_container_settings(req_state * const s, if (read_list || write_list) { int r = rgw::swift::create_container_policy(s, driver, - s->user->get_id(), - s->user->get_display_name(), + s->owner, read_list, write_list, *rw_mask, @@ -823,7 +822,7 @@ int RGWCreateBucket_ObjStore_SWIFT::get_params(optional_yield y) } if (!has_policy) { - policy.create_default(s->user->get_id(), s->user->get_display_name()); + policy.create_default(s->owner.id, s->owner.display_name); } location_constraint = driver->get_zone()->get_zonegroup().get_api_name(); @@ -1048,7 +1047,7 @@ int RGWPutObj_ObjStore_SWIFT::get_params(optional_yield y) } } - policy.create_default(s->user->get_id(), s->user->get_display_name()); + policy.create_default(s->owner.id, s->owner.display_name); int r = get_delete_at_param(s, delete_at); if (r < 0) { @@ -1167,9 +1166,7 @@ static int get_swift_account_settings(req_state * const s, const char * const acl_attr = s->info.env->get("HTTP_X_ACCOUNT_ACCESS_CONTROL"); if (acl_attr) { - int r = rgw::swift::create_account_policy(s, driver, - s->user->get_id(), - s->user->get_display_name(), + int r = rgw::swift::create_account_policy(s, driver, s->owner, acl_attr, policy); if (r < 0) { return r; @@ -1477,7 +1474,7 @@ static void dump_object_metadata(const DoutPrefixProvider* dpp, req_state * cons int RGWCopyObj_ObjStore_SWIFT::init_dest_policy() { - dest_policy.create_default(s->user->get_id(), s->user->get_display_name()); + dest_policy.create_default(s->owner.id, s->owner.display_name); return 0; } @@ -2249,7 +2246,7 @@ int RGWFormPost::get_params(optional_yield y) return ret; } - policy.create_default(s->user->get_id(), s->user->get_display_name()); + policy.create_default(s->owner.id, s->owner.display_name); /* Let's start parsing the HTTP body by parsing each form part step- * by-step till encountering the first part with file data. */ -- 2.39.5