From b824bed2a89c31898fbcf772bcbfd326937f7dab Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Wed, 21 Feb 2024 15:55:09 -0500
Subject: [PATCH] rgw/auth: RoleApplier matches account principals

account principals of the form ``arn:aws:iam::123456789012:root`` or ``123456789012`` delegate authority to the account, which means that it applies to all of the account's users and roles

Signed-off-by: Casey Bodley
---
 src/rgw/rgw_auth.cc | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/rgw/rgw_auth.cc b/src/rgw/rgw_auth.cc
index f8673a771c86b..dd9337818c79e 100644
--- a/src/rgw/rgw_auth.cc
+++ b/src/rgw/rgw_auth.cc
@@ -976,6 +976,9 @@ void rgw::auth::RoleApplier::to_str(std::ostream& out) const {
 bool rgw::auth::RoleApplier::is_identity(const Principal& p) const {
 if (p.is_wildcard()) {
 return true;
+ } else if (p.is_account()) {
+ return match_account_or_tenant(role.account_id, role.tenant,
+ p.get_account());
 } else if (p.is_role()) {
 return p.get_id() == role.name // TODO: match path/name
 && p.get_account() == role.tenant;
--
2.39.5
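Review bot: The new account branch resolves the principal with `match_account_or_tenant(role.account_id, role.tenant, p.get_account())`, but the `p.is_role()` branch right below it still compares only `p.get_account() == role.tenant`. For a role that carries an `account_id`, a policy naming the account would then match while a policy naming that same role by ARN under the account id presumably would not. If that is not intended, the role branch could use the same helper: `&& match_account_or_tenant(role.account_id, role.tenant, p.get_account());`. `match_account_or_tenant` is defined outside this hunk, so it is worth confirming that it never matches when both the principal's account and the role's `account_id`/`tenant` are empty, because this branch makes a statement apply to every role the helper accepts. `is_identity` continues past the end of the hunk.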