From e2a770818a88dd8627545635511363e3337cce92 Mon Sep 17 00:00:00 2001 From: Casey Bodley Date: Tue, 26 Jul 2022 14:52:25 -0400 Subject: [PATCH] rgw: move rgw_op_get_bucket_policy_from_attr() out of sal this was duplicated in rgw_op.cc and rgw_sal_rados.cc Signed-off-by: Casey Bodley --- src/rgw/driver/rados/rgw_sal_rados.cc | 54 --------------------------- src/rgw/rgw_op.cc | 23 +++++++++--- src/rgw/rgw_op.h | 6 +-- 3 files changed, 21 insertions(+), 62 deletions(-) diff --git a/src/rgw/driver/rados/rgw_sal_rados.cc b/src/rgw/driver/rados/rgw_sal_rados.cc index 1de9756fc0a15..4cc3ab5972bdf 100644 --- a/src/rgw/driver/rados/rgw_sal_rados.cc +++ b/src/rgw/driver/rados/rgw_sal_rados.cc 
@@ -77,51 +77,6 @@ namespace rgw::sal { static constexpr size_t listing_max_entries = 1000; static std::string pubsub_oid_prefix = "pubsub."; -static int decode_policy(CephContext* cct, - bufferlist& bl, - RGWAccessControlPolicy* policy) -{ - auto iter = bl.cbegin(); - try { - policy->decode(iter); - } catch (buffer::error& err) { - ldout(cct, 0) << "ERROR: could not decode policy, caught buffer::error" << dendl; - return -EIO; - } - if (cct->_conf->subsys.should_gather()) { - ldout(cct, 15) << __func__ << " Read AccessControlPolicy"; - RGWAccessControlPolicy_S3* s3policy = static_cast(policy); - s3policy->to_xml(*_dout); - *_dout << dendl; - } - return 0; -} - -static int rgw_op_get_bucket_policy_from_attr(const DoutPrefixProvider* dpp, - RadosStore* store, - User* user, - Attrs& bucket_attrs, - RGWAccessControlPolicy* policy, - optional_yield y) -{ - auto aiter = bucket_attrs.find(RGW_ATTR_ACL); - - if (aiter != bucket_attrs.end()) { - int ret = decode_policy(store->ctx(), aiter->second, policy); - if (ret < 0) - return ret; - } else { - ldout(store->ctx(), 0) << "WARNING: couldn't find acl header for bucket, generating default" << dendl; - /* object exists, but policy is broken */ - int r = user->load_user(dpp, y); - if (r < 0) - return r; - - policy->create_default(user->get_id(), user->get_display_name()); - } - return 0; -} - static int drain_aio(std::list& handles) { int ret = 0; 
@@ -196,20 +151,11 @@ int RadosUser::create_bucket(const DoutPrefixProvider* dpp, return ret; if (ret != -ENOENT) { - RGWAccessControlPolicy old_policy(store->ctx()); *existed = true; if (swift_ver_location.empty()) { swift_ver_location = bucket->get_info().swift_ver_location; } placement_rule.inherit_from(bucket->get_info().placement_rule); - - // don't allow changes to the acl policy - int r = rgw_op_get_bucket_policy_from_attr(dpp, store, this, bucket->get_attrs(), - &old_policy, y); - if (r >= 0 && old_policy != policy) { - bucket_out->swap(bucket); - return -EEXIST; - } } else { bucket = std::unique_ptr(new RadosBucket(store, b, this)); *existed = false; diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc index a830ff726af8d..fec40c2507354 100644 --- a/src/rgw/rgw_op.cc +++ b/src/rgw/rgw_op.cc @@ -227,7 +227,7 @@ static int get_user_policy_from_attr(const DoutPrefixProvider *dpp, int rgw_op_get_bucket_policy_from_attr(const DoutPrefixProvider *dpp, CephContext *cct, rgw::sal::Driver* driver, - RGWBucketInfo& bucket_info, + const rgw_user& bucket_owner, map& bucket_attrs, RGWAccessControlPolicy *policy, optional_yield y) @@ -240,13 +240,13 @@ int rgw_op_get_bucket_policy_from_attr(const DoutPrefixProvider *dpp, return ret; } else { ldpp_dout(dpp, 0) << "WARNING: couldn't find acl header for bucket, generating default" << dendl; - std::unique_ptr user = driver->get_user(bucket_info.owner); + std::unique_ptr user = driver->get_user(bucket_owner); /* object exists, but policy is broken */ int r = user->load_user(dpp, y); if (r < 0) return r; - policy->create_default(bucket_info.owner, user->get_display_name()); + policy->create_default(user->get_id(), user->get_display_name()); } return 0; } 
@@ -360,7 +360,8 @@ static int read_bucket_policy(const DoutPrefixProvider *dpp, return 0; } - int ret = rgw_op_get_bucket_policy_from_attr(dpp, s->cct, driver, bucket_info, bucket_attrs, policy, y); + int ret = rgw_op_get_bucket_policy_from_attr(dpp, s->cct, driver, bucket_info.owner, + bucket_attrs, policy, y); if (ret == -ENOENT) { ret = -ERR_NO_SUCH_BUCKET; } @@ -411,7 +412,8 @@ static int read_obj_policy(const DoutPrefixProvider *dpp, /* object does not exist checking the bucket's ACL to make sure that we send a proper error code */ RGWAccessControlPolicy bucket_policy(s->cct); - ret = rgw_op_get_bucket_policy_from_attr(dpp, s->cct, driver, bucket_info, bucket_attrs, &bucket_policy, y); + ret = rgw_op_get_bucket_policy_from_attr(dpp, s->cct, driver, bucket_info.owner, + bucket_attrs, &bucket_policy, y); if (ret < 0) { return ret; } @@ -3385,6 +3387,17 @@ void RGWCreateBucket::execute(optional_yield y) } /* Initialize info from req_state */ info = tmp_bucket->get_info(); + + // don't allow changes to the acl policy + RGWAccessControlPolicy old_policy(get_cct()); + int r = rgw_op_get_bucket_policy_from_attr(this, s->cct, driver, info.owner, + tmp_bucket->get_attrs(), + &old_policy, y); + if (r >= 0 && old_policy != policy) { + s->err.message = "Cannot modify existing access control policy"; + op_ret = -EEXIST; + return; + } } } diff --git a/src/rgw/rgw_op.h b/src/rgw/rgw_op.h index ffc65836ce621..e1189cb236d40 100644 --- a/src/rgw/rgw_op.h +++ b/src/rgw/rgw_op.h @@ -79,11 +79,11 @@ class StrategyRegistry; int rgw_op_get_bucket_policy_from_attr(const DoutPrefixProvider *dpp, CephContext *cct, - rgw::sal::Driver* driver, - RGWBucketInfo& bucket_info, + rgw::sal::Driver* driver, + const rgw_user& bucket_owner, std::map& bucket_attrs, RGWAccessControlPolicy *policy, - optional_yield y); + optional_yield y); class RGWHandler { protected: -- 2.39.5
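Review bot: In the block added to RGWCreateBucket::execute, the guard `if (r >= 0 && old_policy != policy)` skips the ACL comparison whenever rgw_op_get_bucket_policy_from_attr() fails, so an undecodable stored ACL or a failed owner load lets the request continue past the "don't allow changes to the acl policy" check. This mirrors the code removed from RadosUser::create_bucket, but if the fail-open is not intentional, handle the error first with `if (r < 0) { op_ret = r; return; }`, or at least log `r` before continuing. With the check gone from the rados driver, any other caller of create_bucket() (none is visible in this patch) would no longer get this enforcement, which deserves a comment at the new site. Minor: `old_policy` is constructed from `get_cct()` while the call passes `s->cct`; using one of the two consistently reads better. execute() begins and ends outside this hunk.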
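Review bot: The declaration of rgw_op_get_bucket_policy_from_attr() in rgw_op.h carries no comment, although it is now the only copy of a helper that the bucket-creation ACL check depends on. Judging from the rgw_op.cc hunk, a missing ACL attribute is not treated as an error: the function loads `bucket_owner` and fills `*policy` with a default policy for that user, returning a negative value only when the load (or, presumably, the decode) fails. I would state that contract above the declaration, e.g. `// Fills *policy from the bucket's ACL attr; if the attr is absent, loads bucket_owner and generates a default policy. Returns 0 or a negative error code.`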