From ac4253b403cbcbcb4590fee6d6bd41794b45e763 Mon Sep 17 00:00:00 2001 From: Casey Bodley Date: Sat, 18 Nov 2023 10:22:20 -0500 Subject: [PATCH] rgw/acl: req_state stores ACLs by value instead of unique_ptr we no longer rely on polymorphism for the s3/swift variants of `RGWAccessControlPolicy`, so `req_state` can store `bucket_acl`, `object_acl` and `user_acl` by value most functions now take these acls by const- or mutable reference instead of pointers since they won't be nullptr some code paths won't initialize some of these bucket/object/user acl variables, and we rely on `RGWAccessControlPolicy::verify_permissions()` to return false for those because we won't match an empty owner or array of grants in only one case, `verify_user_permissions()` has to return true when `user_acl` is uninitialized, because S3 doesn't have user acls so uninitialized user acls should not deny access Signed-off-by: Casey Bodley --- src/rgw/driver/rados/rgw_data_sync.cc | 8 +- src/rgw/rgw_acl.cc | 8 +- src/rgw/rgw_acl.h | 9 +- src/rgw/rgw_common.cc | 134 ++++++++++------------ src/rgw/rgw_common.h | 42 +++---- src/rgw/rgw_log.cc | 3 +- src/rgw/rgw_lua_request.cc | 6 +- src/rgw/rgw_op.cc | 155 +++++++++++--------------- src/rgw/rgw_op.h | 4 +- src/rgw/rgw_rest_swift.cc | 22 ++-- 10 files changed, 173 insertions(+), 218 deletions(-) diff --git a/src/rgw/driver/rados/rgw_data_sync.cc b/src/rgw/driver/rados/rgw_data_sync.cc index c754e606452..0c74f80603a 100644 --- a/src/rgw/driver/rados/rgw_data_sync.cc +++ b/src/rgw/driver/rados/rgw_data_sync.cc @@ -2725,8 +2725,8 @@ bool RGWUserPermHandler::Bucket::verify_bucket_permission(int perm) { return verify_bucket_permission_no_policy(sync_env->dpp, &(*ps), - &info->user_acl, - &bucket_acl, + info->user_acl, + bucket_acl, perm); } @@ -2742,8 +2742,8 @@ bool RGWUserPermHandler::Bucket::verify_object_permission(const mapdpp, &(*ps), - &bucket_acl, - &obj_acl, + bucket_acl, + obj_acl, perm); } diff --git a/src/rgw/rgw_acl.cc b/src/rgw/rgw_acl.cc index 316af76ecf0..15b2067f2ef 100644 --- a/src/rgw/rgw_acl.cc +++ b/src/rgw/rgw_acl.cc @@ -120,7 +120,7 @@ void RGWAccessControlList::remove_canon_user_grant(rgw_user& user_id) uint32_t RGWAccessControlList::get_perm(const DoutPrefixProvider* dpp, const rgw::auth::Identity& auth_identity, - const uint32_t perm_mask) + const uint32_t perm_mask) const { ldpp_dout(dpp, 5) << "Searching permissions for identity=" << auth_identity << " mask=" << perm_mask << dendl; @@ -147,7 +147,7 @@ uint32_t RGWAccessControlList::get_group_perm(const DoutPrefixProvider *dpp, uint32_t RGWAccessControlList::get_referer_perm(const DoutPrefixProvider *dpp, const uint32_t current_perm, const std::string http_referer, - const uint32_t perm_mask) + const uint32_t perm_mask) const { ldpp_dout(dpp, 5) << "Searching permissions for referer=" << http_referer << " mask=" << perm_mask << dendl; @@ -171,7 +171,7 @@ uint32_t RGWAccessControlPolicy::get_perm(const DoutPrefixProvider* dpp, const rgw::auth::Identity& auth_identity, const uint32_t perm_mask, const char * const http_referer, - bool ignore_public_acls) + bool ignore_public_acls) const { ldpp_dout(dpp, 20) << "-- Getting permissions begin with perm_mask=" << perm_mask << dendl; @@ -213,7 +213,7 @@ bool RGWAccessControlPolicy::verify_permission(const DoutPrefixProvider* dpp, const uint32_t user_perm_mask, const uint32_t perm, const char * const http_referer, - bool ignore_public_acls) + bool ignore_public_acls) const { uint32_t test_perm = perm | RGW_PERM_READ_OBJS | RGW_PERM_WRITE_OBJS; diff --git a/src/rgw/rgw_acl.h b/src/rgw/rgw_acl.h index afa63d8cdfb..52dfa0b66fd 100644 --- a/src/rgw/rgw_acl.h +++ b/src/rgw/rgw_acl.h @@ -31,7 +31,6 @@ protected: public: ACLGrant() : group(ACL_GROUP_NONE) {} - virtual ~ACLGrant() {} /* there's an assumption here that email/uri/id encodings are different and there can't be any overlap */ @@ -230,11 +229,11 @@ protected: public: uint32_t get_perm(const DoutPrefixProvider* dpp, const rgw::auth::Identity& auth_identity, - uint32_t perm_mask); + uint32_t perm_mask) const; uint32_t get_group_perm(const DoutPrefixProvider *dpp, ACLGroupTypeEnum group, uint32_t perm_mask) const; uint32_t get_referer_perm(const DoutPrefixProvider *dpp, uint32_t current_perm, std::string http_referer, - uint32_t perm_mask); + uint32_t perm_mask) const; void encode(bufferlist& bl) const { ENCODE_START(4, 3, bl); bool maps_initialized = true; @@ -327,13 +326,13 @@ public: const rgw::auth::Identity& auth_identity, uint32_t perm_mask, const char * http_referer, - bool ignore_public_acls=false); + bool ignore_public_acls=false) const; bool verify_permission(const DoutPrefixProvider* dpp, const rgw::auth::Identity& auth_identity, uint32_t user_perm_mask, uint32_t perm, const char * http_referer = nullptr, - bool ignore_public_acls=false); + bool ignore_public_acls=false) const; void encode(bufferlist& bl) const { ENCODE_START(2, 2, bl); diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc index 3ab882d35bb..b16d9d97fa8 100644 --- a/src/rgw/rgw_common.cc +++ b/src/rgw/rgw_common.cc @@ -1135,7 +1135,7 @@ Effect eval_identity_or_session_policies(const DoutPrefixProvider* dpp, bool verify_user_permission(const DoutPrefixProvider* dpp, perm_state_base * const s, - RGWAccessControlPolicy * const user_acl, + const RGWAccessControlPolicy& user_acl, const vector& user_policies, const vector& session_policies, const rgw::ARN& res, @@ -1176,20 +1176,20 @@ bool verify_user_permission(const DoutPrefixProvider* dpp, bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, struct perm_state_base * const s, - RGWAccessControlPolicy * const user_acl, + const RGWAccessControlPolicy& user_acl, const int perm) { if (s->identity->get_identity_type() == TYPE_ROLE) return false; - /* S3 doesn't support account ACLs. */ - if (!user_acl) + /* S3 doesn't support account ACLs, so user_acl will be uninitialized. */ + if (user_acl.get_owner().id.empty()) return true; if ((perm & (int)s->perm_mask) != perm) return false; - return user_acl->verify_permission(dpp, *s->identity, perm, perm); + return user_acl.verify_permission(dpp, *s->identity, perm, perm); } bool verify_user_permission(const DoutPrefixProvider* dpp, @@ -1199,7 +1199,7 @@ bool verify_user_permission(const DoutPrefixProvider* dpp, bool mandatory_policy) { perm_state_from_req_state ps(s); - return verify_user_permission(dpp, &ps, s->user_acl.get(), s->iam_user_policies, s->session_policies, res, op, mandatory_policy); + return verify_user_permission(dpp, &ps, s->user_acl, s->iam_user_policies, s->session_policies, res, op, mandatory_policy); } bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, @@ -1207,7 +1207,7 @@ bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, const int perm) { perm_state_from_req_state ps(s); - return verify_user_permission_no_policy(dpp, &ps, s->user_acl.get(), perm); + return verify_user_permission_no_policy(dpp, &ps, s->user_acl, perm); } bool verify_requester_payer_permission(struct perm_state_base *s) @@ -1233,8 +1233,8 @@ bool verify_requester_payer_permission(struct perm_state_base *s) bool verify_bucket_permission(const DoutPrefixProvider* dpp, struct perm_state_base * const s, const rgw_bucket& bucket, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, const boost::optional& bucket_policy, const vector& identity_policies, const vector& session_policies, @@ -1292,8 +1292,8 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp, bool verify_bucket_permission(const DoutPrefixProvider* dpp, req_state * const s, const rgw_bucket& bucket, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, const boost::optional& bucket_policy, const vector& user_policies, const vector& session_policies, @@ -1307,31 +1307,25 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp, } bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, struct perm_state_base * const s, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, const int perm) { - if (!bucket_acl) - return false; - if ((perm & (int)s->perm_mask) != perm) return false; - if (bucket_acl->verify_permission(dpp, *s->identity, perm, perm, - s->get_referer(), - s->bucket_access_conf && - s->bucket_access_conf->ignore_public_acls())) + if (bucket_acl.verify_permission(dpp, *s->identity, perm, perm, + s->get_referer(), + s->bucket_access_conf && + s->bucket_access_conf->ignore_public_acls())) return true; - if (!user_acl) - return false; - - return user_acl->verify_permission(dpp, *s->identity, perm, perm); + return user_acl.verify_permission(dpp, *s->identity, perm, perm); } bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, req_state * const s, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, const int perm) { perm_state_from_req_state ps(s); @@ -1351,8 +1345,8 @@ bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, req_state return verify_bucket_permission_no_policy(dpp, &ps, - s->user_acl.get(), - s->bucket_acl.get(), + s->user_acl, + s->bucket_acl, perm); } @@ -1368,8 +1362,8 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp, req_state * const s return verify_bucket_permission(dpp, &ps, s->bucket->get_key(), - s->user_acl.get(), - s->bucket_acl.get(), + s->user_acl, + s->bucket_acl, s->iam_policy, s->iam_user_policies, s->session_policies, @@ -1432,8 +1426,8 @@ int verify_bucket_owner_or_policy(req_state* const s, static inline bool check_deferred_bucket_perms(const DoutPrefixProvider* dpp, struct perm_state_base * const s, const rgw_bucket& bucket, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, const boost::optional& bucket_policy, const vector& identity_policies, const vector& session_policies, @@ -1446,8 +1440,8 @@ static inline bool check_deferred_bucket_perms(const DoutPrefixProvider* dpp, static inline bool check_deferred_bucket_only_acl(const DoutPrefixProvider* dpp, struct perm_state_base * const s, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, const uint8_t deferred_check, const int perm) { @@ -1457,9 +1451,9 @@ static inline bool check_deferred_bucket_only_acl(const DoutPrefixProvider* dpp, bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_base * const s, const rgw_obj& obj, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, - RGWAccessControlPolicy * const object_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, + const RGWAccessControlPolicy& object_acl, const boost::optional& bucket_policy, const vector& identity_policies, const vector& session_policies, @@ -1512,14 +1506,10 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_b return true; } - if (!object_acl) { - return false; - } - - bool ret = object_acl->verify_permission(dpp, *s->identity, s->perm_mask, perm, - nullptr, /* http_referrer */ - s->bucket_access_conf && - s->bucket_access_conf->ignore_public_acls()); + bool ret = object_acl.verify_permission(dpp, *s->identity, s->perm_mask, perm, + nullptr, /* http_referrer */ + s->bucket_access_conf && + s->bucket_access_conf->ignore_public_acls()); if (ret) { return true; } @@ -1541,21 +1531,18 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_b /* we already verified the user mask above, so we pass swift_perm as the mask here, otherwise the mask might not cover the swift permissions bits */ - if (bucket_acl->verify_permission(dpp, *s->identity, swift_perm, swift_perm, - s->get_referer())) + if (bucket_acl.verify_permission(dpp, *s->identity, swift_perm, swift_perm, + s->get_referer())) return true; - if (!user_acl) - return false; - - return user_acl->verify_permission(dpp, *s->identity, swift_perm, swift_perm); + return user_acl.verify_permission(dpp, *s->identity, swift_perm, swift_perm); } bool verify_object_permission(const DoutPrefixProvider* dpp, req_state * const s, const rgw_obj& obj, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, - RGWAccessControlPolicy * const object_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, + const RGWAccessControlPolicy& object_acl, const boost::optional& bucket_policy, const vector& identity_policies, const vector& session_policies, @@ -1570,9 +1557,9 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, req_state * const s bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, struct perm_state_base * const s, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, - RGWAccessControlPolicy * const object_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, + const RGWAccessControlPolicy& object_acl, const int perm) { if (check_deferred_bucket_only_acl(dpp, s, user_acl, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_RECURSE, perm) || @@ -1580,14 +1567,10 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, return true; } - if (!object_acl) { - return false; - } - - bool ret = object_acl->verify_permission(dpp, *s->identity, s->perm_mask, perm, - nullptr, /* http referrer */ - s->bucket_access_conf && - s->bucket_access_conf->ignore_public_acls()); + bool ret = object_acl.verify_permission(dpp, *s->identity, s->perm_mask, perm, + nullptr, /* http referrer */ + s->bucket_access_conf && + s->bucket_access_conf->ignore_public_acls()); if (ret) { return true; } @@ -1609,14 +1592,11 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, /* we already verified the user mask above, so we pass swift_perm as the mask here, otherwise the mask might not cover the swift permissions bits */ - if (bucket_acl->verify_permission(dpp, *s->identity, swift_perm, swift_perm, - s->get_referer())) + if (bucket_acl.verify_permission(dpp, *s->identity, swift_perm, swift_perm, + s->get_referer())) return true; - if (!user_acl) - return false; - - return user_acl->verify_permission(dpp, *s->identity, swift_perm, swift_perm); + return user_acl.verify_permission(dpp, *s->identity, swift_perm, swift_perm); } bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, req_state *s, int perm) @@ -1628,9 +1608,9 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, req_state return verify_object_permission_no_policy(dpp, &ps, - s->user_acl.get(), - s->bucket_acl.get(), - s->object_acl.get(), + s->user_acl, + s->bucket_acl, + s->object_acl, perm); } @@ -1641,9 +1621,9 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, req_state *s, uint6 return verify_object_permission(dpp, &ps, rgw_obj(s->bucket->get_key(), s->object->get_key()), - s->user_acl.get(), - s->bucket_acl.get(), - s->object_acl.get(), + s->user_acl, + s->bucket_acl, + s->object_acl, s->iam_policy, s->iam_user_policies, s->session_policies, diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h index 15d2e800fde..e6973766929 100644 --- a/src/rgw/rgw_common.h +++ b/src/rgw/rgw_common.h @@ -1180,9 +1180,9 @@ struct req_state : DoutPrefixProvider { } s3_postobj_creds; } auth; - std::unique_ptr user_acl; - std::unique_ptr bucket_acl; - std::unique_ptr object_acl; + RGWAccessControlPolicy user_acl; + RGWAccessControlPolicy bucket_acl; + RGWAccessControlPolicy object_acl; rgw::IAM::Environment env; boost::optional iam_policy; @@ -1584,20 +1584,20 @@ struct perm_state : public perm_state_base { bool verify_bucket_permission_no_policy( const DoutPrefixProvider* dpp, struct perm_state_base * const s, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, const int perm); bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, struct perm_state_base * const s, - RGWAccessControlPolicy * const user_acl, + const RGWAccessControlPolicy& user_acl, const int perm); bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, struct perm_state_base * const s, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, - RGWAccessControlPolicy * const object_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, + const RGWAccessControlPolicy& object_acl, const int perm); /** Check if the req_state's user has the necessary permissions @@ -1609,7 +1609,7 @@ rgw::IAM::Effect eval_identity_or_session_policies(const DoutPrefixProvider* dpp const rgw::ARN& arn); bool verify_user_permission(const DoutPrefixProvider* dpp, req_state * const s, - RGWAccessControlPolicy * const user_acl, + const RGWAccessControlPolicy& user_acl, const std::vector& user_policies, const std::vector& session_policies, const rgw::ARN& res, @@ -1617,7 +1617,7 @@ bool verify_user_permission(const DoutPrefixProvider* dpp, bool mandatory_policy=true); bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp, req_state * const s, - RGWAccessControlPolicy * const user_acl, + const RGWAccessControlPolicy& user_acl, const int perm); bool verify_user_permission(const DoutPrefixProvider* dpp, req_state * const s, @@ -1631,8 +1631,8 @@ bool verify_bucket_permission( const DoutPrefixProvider* dpp, req_state * const s, const rgw_bucket& bucket, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, const boost::optional& bucket_policy, const std::vector& identity_policies, const std::vector& session_policies, @@ -1641,8 +1641,8 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp, req_state * const s bool verify_bucket_permission_no_policy( const DoutPrefixProvider* dpp, req_state * const s, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, const int perm); bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, req_state * const s, @@ -1653,9 +1653,9 @@ extern bool verify_object_permission( const DoutPrefixProvider* dpp, req_state * const s, const rgw_obj& obj, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, - RGWAccessControlPolicy * const object_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, + const RGWAccessControlPolicy& object_acl, const boost::optional& bucket_policy, const std::vector& identity_policies, const std::vector& session_policies, @@ -1664,9 +1664,9 @@ extern bool verify_object_permission(const DoutPrefixProvider* dpp, req_state *s extern bool verify_object_permission_no_policy( const DoutPrefixProvider* dpp, req_state * const s, - RGWAccessControlPolicy * const user_acl, - RGWAccessControlPolicy * const bucket_acl, - RGWAccessControlPolicy * const object_acl, + const RGWAccessControlPolicy& user_acl, + const RGWAccessControlPolicy& bucket_acl, + const RGWAccessControlPolicy& object_acl, int perm); extern bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, req_state *s, int perm); diff --git a/src/rgw/rgw_log.cc b/src/rgw/rgw_log.cc index 8b8f85ef07b..cc7e085ab72 100644 --- a/src/rgw/rgw_log.cc +++ b/src/rgw/rgw_log.cc @@ -647,8 +647,7 @@ int rgw_log_op(RGWREST* const rest, req_state *s, const RGWOp* op, OpsLogSink *o } entry.user = s->user->get_id().to_str(); - if (s->object_acl) - entry.object_owner = s->object_acl->get_owner().id; + entry.object_owner = s->object_acl.get_owner().id; entry.bucket_owner = s->bucket_owner.id; uint64_t bytes_sent = ACCOUNTING_IO(s)->get_bytes_sent(); diff --git a/src/rgw/rgw_lua_request.cc b/src/rgw/rgw_lua_request.cc index afef18be47b..1fa44a0329e 100644 --- a/src/rgw/rgw_lua_request.cc +++ b/src/rgw/rgw_lua_request.cc @@ -711,11 +711,11 @@ struct RequestMetaTable : public EmptyMetaTable { } else if (strcasecmp(index, "ZoneGroup") == 0) { create_metatable(L, name, index, false, s); } else if (strcasecmp(index, "UserACL") == 0) { - create_metatable(L, name, index, false, s->user_acl); + create_metatable(L, name, index, false, &s->user_acl); } else if (strcasecmp(index, "BucketACL") == 0) { - create_metatable(L, name, index, false, s->bucket_acl); + create_metatable(L, name, index, false, &s->bucket_acl); } else if (strcasecmp(index, "ObjectACL") == 0) { - create_metatable(L, name, index, false, s->object_acl); + create_metatable(L, name, index, false, &s->object_acl); } else if (strcasecmp(index, "Environment") == 0) { create_metatable>(L, name, index, false, &(s->env)); } else if (strcasecmp(index, "Policy") == 0) { diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index 8a0d19526ad..39767f53989 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -219,18 +219,18 @@ done: static int decode_policy(const DoutPrefixProvider *dpp, CephContext *cct, bufferlist& bl, - RGWAccessControlPolicy *policy) + RGWAccessControlPolicy& policy) { auto iter = bl.cbegin(); try { - policy->decode(iter); + policy.decode(iter); } catch (buffer::error& err) { ldpp_dout(dpp, 0) << "ERROR: could not decode policy, caught buffer::error" << dendl; return -EIO; } if (cct->_conf->subsys.should_gather()) { ldpp_dout(dpp, 15) << __func__ << " Read AccessControlPolicy"; - rgw::s3::write_policy_xml(*policy, *_dout); + rgw::s3::write_policy_xml(policy, *_dout); *_dout << dendl; } return 0; @@ -242,17 +242,11 @@ static int get_user_policy_from_attr(const DoutPrefixProvider *dpp, map& attrs, RGWAccessControlPolicy& policy /* out */) { - auto aiter = attrs.find(RGW_ATTR_ACL); - if (aiter != attrs.end()) { - int ret = decode_policy(dpp, cct, aiter->second, &policy); - if (ret < 0) { - return ret; - } - } else { + auto i = attrs.find(RGW_ATTR_ACL); + if (i == attrs.end()) { return -ENOENT; } - - return 0; + return decode_policy(dpp, cct, i->second, policy); } /** @@ -267,7 +261,7 @@ int rgw_op_get_bucket_policy_from_attr(const DoutPrefixProvider *dpp, rgw::sal::Driver* driver, const rgw_user& bucket_owner, map& bucket_attrs, - RGWAccessControlPolicy *policy, + RGWAccessControlPolicy& policy, optional_yield y) { map::iterator aiter = bucket_attrs.find(RGW_ATTR_ACL); @@ -284,7 +278,7 @@ int rgw_op_get_bucket_policy_from_attr(const DoutPrefixProvider *dpp, if (r < 0) return r; - policy->create_default(user->get_id(), user->get_display_name()); + policy.create_default(user->get_id(), user->get_display_name()); } return 0; } @@ -294,7 +288,7 @@ static int get_obj_policy_from_attr(const DoutPrefixProvider *dpp, rgw::sal::Driver* driver, RGWBucketInfo& bucket_info, map& bucket_attrs, - RGWAccessControlPolicy *policy, + RGWAccessControlPolicy& policy, string *storage_class, rgw::sal::Object* obj, optional_yield y) @@ -317,7 +311,7 @@ static int get_obj_policy_from_attr(const DoutPrefixProvider *dpp, if (ret < 0) return ret; - policy->create_default(bucket_info.owner, user->get_display_name()); + policy.create_default(bucket_info.owner, user->get_display_name()); } if (storage_class) { @@ -384,7 +378,7 @@ static int read_bucket_policy(const DoutPrefixProvider *dpp, req_state *s, RGWBucketInfo& bucket_info, map& bucket_attrs, - RGWAccessControlPolicy *policy, + RGWAccessControlPolicy& policy, rgw_bucket& bucket, optional_yield y) { @@ -401,7 +395,7 @@ static int read_bucket_policy(const DoutPrefixProvider *dpp, int ret = rgw_op_get_bucket_policy_from_attr(dpp, s->cct, driver, bucket_info.owner, bucket_attrs, policy, y); if (ret == -ENOENT) { - ret = -ERR_NO_SUCH_BUCKET; + ret = -ERR_NO_SUCH_BUCKET; } return ret; @@ -412,7 +406,7 @@ static int read_obj_policy(const DoutPrefixProvider *dpp, req_state *s, RGWBucketInfo& bucket_info, map& bucket_attrs, - RGWAccessControlPolicy* acl, + RGWAccessControlPolicy& acl, string *storage_class, boost::optional& policy, rgw::sal::Bucket* bucket, @@ -451,7 +445,7 @@ static int read_obj_policy(const DoutPrefixProvider *dpp, that we send a proper error code */ RGWAccessControlPolicy bucket_policy; ret = rgw_op_get_bucket_policy_from_attr(dpp, s->cct, driver, bucket_info.owner, - bucket_attrs, &bucket_policy, y); + bucket_attrs, bucket_policy, y); if (ret < 0) { return ret; } @@ -511,20 +505,6 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d } } - if(s->dialect.compare("s3") == 0) { - s->bucket_acl = std::make_unique(); - } else if(s->dialect.compare("swift") == 0) { - /* We aren't allocating the account policy for those operations using - * the Swift's infrastructure that don't really need req_state::user. - * Typical example here is the implementation of /info. */ - if (!s->user->get_id().empty()) { - s->user_acl = std::make_unique(); - } - s->bucket_acl = std::make_unique(); - } else { - s->bucket_acl = std::make_unique(); - } - const RGWZoneGroup& zonegroup = s->penv.site->get_zonegroup(); /* check if copy source is within the current domain */ @@ -573,13 +553,13 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d s->bucket_attrs = s->bucket->get_attrs(); ret = read_bucket_policy(dpp, driver, s, s->bucket->get_info(), s->bucket->get_attrs(), - s->bucket_acl.get(), s->bucket->get_key(), y); + s->bucket_acl, s->bucket->get_key(), y); acct_acl_user = { s->bucket->get_info().owner, - s->bucket_acl->get_owner().display_name, + s->bucket_acl.get_owner().display_name, }; - s->bucket_owner = s->bucket_acl->get_owner(); + s->bucket_owner = s->bucket_acl.get_owner(); s->zonegroup_endpoint = rgw::get_zonegroup_endpoint(zonegroup); s->zonegroup_name = zonegroup.get_name(); @@ -615,12 +595,12 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d } /* handle user ACL only for those APIs which support it */ - if (s->user_acl) { + if (s->dialect == "swift" && !s->user->get_id().empty()) { std::unique_ptr acl_user = driver->get_user(acct_acl_user.uid); ret = acl_user->read_attrs(dpp, y); if (!ret) { - ret = get_user_policy_from_attr(dpp, s->cct, acl_user->get_attrs(), *s->user_acl); + ret = get_user_policy_from_attr(dpp, s->cct, acl_user->get_attrs(), s->user_acl); } if (-ENOENT == ret) { /* In already existing clusters users won't have ACL. In such case @@ -630,8 +610,8 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d * 1. if we try to reach an existing bucket, its owner is considered * as account owner. * 2. otherwise account owner is identity stored in s->user->user_id. */ - s->user_acl->create_default(acct_acl_user.uid, - acct_acl_user.display_name); + s->user_acl.create_default(acct_acl_user.uid, + acct_acl_user.display_name); ret = 0; } else if (ret < 0) { ldpp_dout(dpp, 0) << "NOTICE: couldn't get user attrs for handling ACL " @@ -689,24 +669,21 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d int rgw_build_object_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* driver, req_state *s, bool prefetch_data, optional_yield y) { - int ret = 0; - - if (!rgw::sal::Object::empty(s->object.get())) { - if (!s->bucket_exists) { - return -ERR_NO_SUCH_BUCKET; - } - s->object_acl = std::make_unique(); + if (rgw::sal::Object::empty(s->object)) { + return 0; + } + if (!s->bucket_exists) { + return -ERR_NO_SUCH_BUCKET; + } - s->object->set_atomic(); - if (prefetch_data) { - s->object->set_prefetch_data(); - } - ret = read_obj_policy(dpp, driver, s, s->bucket->get_info(), s->bucket_attrs, - s->object_acl.get(), nullptr, s->iam_policy, s->bucket.get(), - s->object.get(), y); + s->object->set_atomic(); + if (prefetch_data) { + s->object->set_prefetch_data(); } - return ret; + return read_obj_policy(dpp, driver, s, s->bucket->get_info(), s->bucket_attrs, + s->object_acl, nullptr, s->iam_policy, s->bucket.get(), + s->object.get(), y); } static int rgw_iam_remove_objtags(const DoutPrefixProvider *dpp, req_state* s, rgw::sal::Object* object, bool has_existing_obj_tag, bool has_resource_tag) { @@ -1648,7 +1625,7 @@ int rgw_policy_from_attrset(const DoutPrefixProvider *dpp, CephContext *cct, map int RGWGetObj::read_user_manifest_part(rgw::sal::Bucket* bucket, const rgw_bucket_dir_entry& ent, - RGWAccessControlPolicy * const bucket_acl, + const RGWAccessControlPolicy& bucket_acl, const boost::optional& bucket_policy, const off_t start_ofs, const off_t end_ofs, @@ -1724,8 +1701,8 @@ int RGWGetObj::read_user_manifest_part(rgw::sal::Bucket* bucket, ldpp_dout(this, 2) << "overriding permissions due to system operation" << dendl; } else if (s->auth.identity->is_admin_of(s->user->get_id())) { ldpp_dout(this, 2) << "overriding permissions due to admin operation" << dendl; - } else if (!verify_object_permission(this, s, part->get_obj(), s->user_acl.get(), - bucket_acl, &obj_policy, bucket_policy, + } else if (!verify_object_permission(this, s, part->get_obj(), s->user_acl, + bucket_acl, obj_policy, bucket_policy, s->iam_user_policies, s->session_policies, action)) { return -EPERM; } @@ -1749,14 +1726,14 @@ static int iterate_user_manifest_parts(const DoutPrefixProvider *dpp, const off_t end, rgw::sal::Bucket* bucket, const string& obj_prefix, - RGWAccessControlPolicy * const bucket_acl, + const RGWAccessControlPolicy& bucket_acl, const boost::optional& bucket_policy, uint64_t * const ptotal_len, uint64_t * const pobj_size, string * const pobj_sum, int (*cb)(rgw::sal::Bucket* bucket, const rgw_bucket_dir_entry& ent, - RGWAccessControlPolicy * const bucket_acl, + const RGWAccessControlPolicy& bucket_acl, const boost::optional& bucket_policy, off_t start_ofs, off_t end_ofs, @@ -1858,7 +1835,7 @@ static int iterate_slo_parts(const DoutPrefixProvider *dpp, map& slo_parts, int (*cb)(rgw::sal::Bucket* bucket, const rgw_bucket_dir_entry& ent, - RGWAccessControlPolicy *bucket_acl, + const RGWAccessControlPolicy& bucket_acl, const boost::optional& bucket_policy, off_t start_ofs, off_t end_ofs, @@ -1917,7 +1894,7 @@ static int iterate_slo_parts(const DoutPrefixProvider *dpp, << dendl; // SLO is a Swift thing, and Swift has no knowledge of S3 Policies. - int r = cb(part.bucket, ent, part.bucket_acl, + int r = cb(part.bucket, ent, *part.bucket_acl, (part.bucket_policy ? boost::optional(*part.bucket_policy) : none), start_ofs, end_ofs, cb_param, true /* swift_slo */); @@ -1934,7 +1911,7 @@ static int iterate_slo_parts(const DoutPrefixProvider *dpp, static int get_obj_user_manifest_iterate_cb(rgw::sal::Bucket* bucket, const rgw_bucket_dir_entry& ent, - RGWAccessControlPolicy * const bucket_acl, + const RGWAccessControlPolicy& bucket_acl, const boost::optional& bucket_policy, const off_t start_ofs, const off_t end_ofs, @@ -1979,7 +1956,7 @@ int RGWGetObj::handle_user_manifest(const char *prefix, optional_yield y) return r; } bucket_acl = &_bucket_acl; - r = read_bucket_policy(this, driver, s, ubucket->get_info(), bucket_attrs, bucket_acl, ubucket->get_key(), y); + r = read_bucket_policy(this, driver, s, ubucket->get_info(), bucket_attrs, *bucket_acl, ubucket->get_key(), y); if (r < 0) { ldpp_dout(this, 0) << "failed to read bucket policy" << dendl; return r; @@ -1989,7 +1966,7 @@ int RGWGetObj::handle_user_manifest(const char *prefix, optional_yield y) pbucket = ubucket.get(); } else { pbucket = s->bucket.get(); - bucket_acl = s->bucket_acl.get(); + bucket_acl = &s->bucket_acl; bucket_policy = &s->iam_policy; } @@ -1998,7 +1975,7 @@ int RGWGetObj::handle_user_manifest(const char *prefix, optional_yield y) * - overall DLO's content size, * - md5 sum of overall DLO's content (for etag of Swift API). */ r = iterate_user_manifest_parts(this, s->cct, driver, ofs, end, - pbucket, obj_prefix, bucket_acl, *bucket_policy, + pbucket, obj_prefix, *bucket_acl, *bucket_policy, nullptr, &s->obj_size, &lo_etag, nullptr /* cb */, nullptr /* cb arg */, y); if (r < 0) { @@ -2012,7 +1989,7 @@ int RGWGetObj::handle_user_manifest(const char *prefix, optional_yield y) } r = iterate_user_manifest_parts(this, s->cct, driver, ofs, end, - pbucket, obj_prefix, bucket_acl, *bucket_policy, + pbucket, obj_prefix, *bucket_acl, *bucket_policy, &total_len, nullptr, nullptr, nullptr, nullptr, y); if (r < 0) { @@ -2026,7 +2003,7 @@ int RGWGetObj::handle_user_manifest(const char *prefix, optional_yield y) } r = iterate_user_manifest_parts(this, s->cct, driver, ofs, end, - pbucket, obj_prefix, bucket_acl, *bucket_policy, + pbucket, obj_prefix, *bucket_acl, *bucket_policy, nullptr, nullptr, nullptr, get_obj_user_manifest_iterate_cb, (void *)this, y); if (r < 0) { @@ -2111,7 +2088,7 @@ int RGWGetObj::handle_slo_manifest(bufferlist& bl, optional_yield y) } bucket = tmp_bucket.get(); bucket_acl = &_bucket_acl; - r = read_bucket_policy(this, driver, s, tmp_bucket->get_info(), tmp_bucket->get_attrs(), bucket_acl, + r = read_bucket_policy(this, driver, s, tmp_bucket->get_info(), tmp_bucket->get_attrs(), *bucket_acl, tmp_bucket->get_key(), y); if (r < 0) { ldpp_dout(this, 0) << "failed to read bucket ACL for bucket " @@ -2126,7 +2103,7 @@ int RGWGetObj::handle_slo_manifest(bufferlist& bl, optional_yield y) } } else { bucket = s->bucket.get(); - bucket_acl = s->bucket_acl.get(); + bucket_acl = &s->bucket_acl; bucket_policy = s->iam_policy.get_ptr(); } @@ -3516,7 +3493,7 @@ void RGWCreateBucket::execute(optional_yield y) RGWAccessControlPolicy old_policy; int r = rgw_op_get_bucket_policy_from_attr(this, s->cct, driver, info.owner, s->bucket->get_attrs(), - &old_policy, y); + old_policy, y); if (r >= 0 && old_policy != policy) { s->err.message = "Cannot modify existing access control policy"; op_ret = -EEXIST; @@ -3850,7 +3827,7 @@ int RGWPutObj::verify_permission(optional_yield y) cs_object->set_prefetch_data(); /* check source object permissions */ - int ret = read_obj_policy(this, driver, s, copy_source_bucket_info, cs_attrs, &cs_acl, nullptr, + int ret = read_obj_policy(this, driver, s, copy_source_bucket_info, cs_attrs, cs_acl, nullptr, policy, cs_bucket.get(), cs_object.get(), y, true); if (ret < 0) { return ret; @@ -4986,7 +4963,7 @@ void RGWPutMetadataBucket::execute(optional_yield y) * contain such keys yet. */ if (has_policy) { if (s->dialect.compare("swift") == 0) { - rgw::swift::merge_policy(policy_rw_mask, *s->bucket_acl, policy); + rgw::swift::merge_policy(policy_rw_mask, s->bucket_acl, policy); } buffer::list bl; policy.encode(bl); @@ -5488,7 +5465,7 @@ int RGWCopyObj::verify_permission(optional_yield y) rgw_placement_rule src_placement; /* check source object permissions */ - op_ret = read_obj_policy(this, driver, s, src_bucket->get_info(), src_bucket->get_attrs(), &src_acl, &src_placement.storage_class, + op_ret = read_obj_policy(this, driver, s, src_bucket->get_info(), src_bucket->get_attrs(), src_acl, &src_placement.storage_class, src_policy, src_bucket.get(), s->src_object.get(), y); if (op_ret < 0) { return op_ret; @@ -5583,7 +5560,7 @@ int RGWCopyObj::verify_permission(optional_yield y) /* check dest bucket permissions */ op_ret = read_bucket_policy(this, driver, s, s->bucket->get_info(), s->bucket->get_attrs(), - &dest_bucket_policy, s->bucket->get_key(), y); + dest_bucket_policy, s->bucket->get_key(), y); if (op_ret < 0) { return op_ret; } @@ -5888,9 +5865,9 @@ void RGWGetACLs::execute(optional_yield y) { stringstream ss; if (rgw::sal::Object::empty(s->object.get())) { - rgw::s3::write_policy_xml(*s->bucket_acl, ss); + rgw::s3::write_policy_xml(s->bucket_acl, ss); } else { - rgw::s3::write_policy_xml(*s->object_acl, ss); + rgw::s3::write_policy_xml(s->object_acl, ss); } acls = ss.str(); } @@ -5982,10 +5959,10 @@ void RGWDeleteLC::pre_exec() void RGWPutACLs::execute(optional_yield y) { - RGWAccessControlPolicy* const existing_policy = \ - (rgw::sal::Object::empty(s->object.get()) ? s->bucket_acl.get() : s->object_acl.get()); + const RGWAccessControlPolicy& existing_policy = \ + (rgw::sal::Object::empty(s->object.get()) ? s->bucket_acl : s->object_acl); - const ACLOwner& existing_owner = existing_policy->get_owner(); + const ACLOwner& existing_owner = existing_policy.get_owner(); op_ret = get_params(y); if (op_ret < 0) { @@ -6056,7 +6033,7 @@ void RGWPutACLs::execute(optional_yield y) if (s->cct->_conf->subsys.should_gather()) { ldpp_dout(this, 15) << "Old AccessControlPolicy"; - rgw::s3::write_policy_xml(*existing_policy, *_dout); + rgw::s3::write_policy_xml(existing_policy, *_dout); *_dout << dendl; ldpp_dout(this, 15) << "New AccessControlPolicy:"; @@ -7376,7 +7353,7 @@ bool RGWBulkDelete::Deleter::verify_permission(RGWBucketInfo& binfo, optional_yield y) { RGWAccessControlPolicy bacl; - int ret = read_bucket_policy(dpp, driver, s, binfo, battrs, &bacl, binfo.bucket, y); + int ret = read_bucket_policy(dpp, driver, s, binfo, battrs, bacl, binfo.bucket, y); if (ret < 0) { return false; } @@ -7387,8 +7364,8 @@ bool RGWBulkDelete::Deleter::verify_permission(RGWBucketInfo& binfo, /* We can use global user_acl because each BulkDelete request is allowed * to work on entities from a single account only. */ - return verify_bucket_permission(dpp, s, binfo.bucket, s->user_acl.get(), - &bacl, policy, s->iam_user_policies, s->session_policies, rgw::IAM::s3DeleteBucket); + return verify_bucket_permission(dpp, s, binfo.bucket, s->user_acl, + bacl, policy, s->iam_user_policies, s->session_policies, rgw::IAM::s3DeleteBucket); } bool RGWBulkDelete::Deleter::delete_single(const acct_path_t& path, optional_yield y) @@ -7715,7 +7692,7 @@ bool RGWBulkUploadOp::handle_file_verify_permission(RGWBucketInfo& binfo, optional_yield y) { RGWAccessControlPolicy bacl; - op_ret = read_bucket_policy(this, driver, s, binfo, battrs, &bacl, binfo.bucket, y); + op_ret = read_bucket_policy(this, driver, s, binfo, battrs, bacl, binfo.bucket, y); if (op_ret < 0) { ldpp_dout(this, 20) << "cannot read_policy() for bucket" << dendl; return false; @@ -7768,8 +7745,8 @@ bool RGWBulkUploadOp::handle_file_verify_permission(RGWBucketInfo& binfo, } } - return verify_bucket_permission_no_policy(this, s, s->user_acl.get(), - &bacl, RGW_PERM_WRITE); + return verify_bucket_permission_no_policy(this, s, s->user_acl, + bacl, RGW_PERM_WRITE); } int RGWBulkUploadOp::handle_file(const std::string_view path, @@ -8880,7 +8857,7 @@ int RGWGetBucketPolicyStatus::verify_permission(optional_yield y) void RGWGetBucketPolicyStatus::execute(optional_yield y) { - isPublic = (s->iam_policy && rgw::IAM::is_public(*s->iam_policy)) || s->bucket_acl->is_public(this); + isPublic = (s->iam_policy && rgw::IAM::is_public(*s->iam_policy)) || s->bucket_acl.is_public(this); } int RGWPutBucketPublicAccessBlock::verify_permission(optional_yield y) diff --git a/src/rgw/rgw_op.h b/src/rgw/rgw_op.h index 948b68f54d8..9314d454c79 100644 --- a/src/rgw/rgw_op.h +++ b/src/rgw/rgw_op.h @@ -79,7 +79,7 @@ int rgw_op_get_bucket_policy_from_attr(const DoutPrefixProvider *dpp, rgw::sal::Driver* driver, const rgw_user& bucket_owner, std::map& bucket_attrs, - RGWAccessControlPolicy *policy, + RGWAccessControlPolicy& policy, optional_yield y); class RGWHandler { @@ -420,7 +420,7 @@ public: int read_user_manifest_part( rgw::sal::Bucket* bucket, const rgw_bucket_dir_entry& ent, - RGWAccessControlPolicy * const bucket_acl, + const RGWAccessControlPolicy& bucket_acl, const boost::optional& bucket_policy, const off_t start_ofs, const off_t end_ofs, diff --git a/src/rgw/rgw_rest_swift.cc b/src/rgw/rgw_rest_swift.cc index 55ebac5137c..46f02805cd1 100644 --- a/src/rgw/rgw_rest_swift.cc +++ b/src/rgw/rgw_rest_swift.cc @@ -188,7 +188,7 @@ void RGWListBuckets_ObjStore_SWIFT::send_response_begin(bool has_buckets) s->user->get_attrs(), s->user->get_info().quota.user_quota, s->user->get_max_buckets(), - *s->user_acl); + s->user_acl); dump_errno(s); dump_header(s, "Accept-Ranges", "bytes"); end_header(s, NULL, NULL, NO_CONTENT_LENGTH, true); @@ -287,7 +287,7 @@ void RGWListBuckets_ObjStore_SWIFT::send_response_end() s->user->get_attrs(), s->user->get_info().quota.user_quota, s->user->get_max_buckets(), - *s->user_acl); + s->user_acl); dump_errno(s); end_header(s, nullptr, nullptr, s->formatter->get_len(), true); } @@ -471,7 +471,7 @@ static void dump_container_metadata(req_state *s, if (rgw::sal::Object::empty(s->object.get())) { std::string read_acl, write_acl; - rgw::swift::format_container_acls(*s->bucket_acl, read_acl, write_acl); + rgw::swift::format_container_acls(s->bucket_acl, read_acl, write_acl); if (read_acl.size()) { dump_header(s, "X-Container-Read", read_acl); @@ -565,7 +565,7 @@ void RGWStatAccount_ObjStore_SWIFT::send_response() attrs, s->user->get_info().quota.user_quota, s->user->get_max_buckets(), - *s->user_acl); + s->user_acl); } set_req_state_err(s, op_ret); @@ -593,7 +593,7 @@ void RGWStatBucket_ObjStore_SWIFT::send_response() static int get_swift_container_settings(req_state * const s, rgw::sal::Driver* const driver, - RGWAccessControlPolicy * const policy, + RGWAccessControlPolicy& policy, bool * const has_policy, uint32_t * rw_mask, RGWCORSConfiguration * const cors_config, @@ -611,7 +611,7 @@ static int get_swift_container_settings(req_state * const s, read_list, write_list, *rw_mask, - *policy); + policy); if (r < 0) { return r; } @@ -713,7 +713,7 @@ int RGWCreateBucket_ObjStore_SWIFT::get_params(optional_yield y) bool has_policy; uint32_t policy_rw_mask = 0; - int r = get_swift_container_settings(s, driver, &policy, &has_policy, + int r = get_swift_container_settings(s, driver, policy, &has_policy, &policy_rw_mask, &cors_config, &has_cors); if (r < 0) { return r; @@ -1057,7 +1057,7 @@ void RGWPutObj_ObjStore_SWIFT::send_response() static int get_swift_account_settings(req_state * const s, rgw::sal::Driver* const driver, - RGWAccessControlPolicy* const policy, + RGWAccessControlPolicy& policy, bool * const has_policy) { *has_policy = false; @@ -1067,7 +1067,7 @@ static int get_swift_account_settings(req_state * const s, int r = rgw::swift::create_account_policy(s, driver, s->user->get_id(), s->user->get_display_name(), - acl_attr, *policy); + acl_attr, policy); if (r < 0) { return r; } @@ -1084,7 +1084,7 @@ int RGWPutMetadataAccount_ObjStore_SWIFT::get_params(optional_yield y) return -EINVAL; } - int ret = get_swift_account_settings(s, driver, &policy, &has_policy); + int ret = get_swift_account_settings(s, driver, policy, &has_policy); if (ret < 0) { return ret; } @@ -1117,7 +1117,7 @@ int RGWPutMetadataBucket_ObjStore_SWIFT::get_params(optional_yield y) return -EINVAL; } - int r = get_swift_container_settings(s, driver, &policy, &has_policy, + int r = get_swift_container_settings(s, driver, policy, &has_policy, &policy_rw_mask, &cors_config, &has_cors); if (r < 0) { return r; -- 2.47.3