From e8c683221fc2ef9154c8c87a10ca3cc34717faeb Mon Sep 17 00:00:00 2001
From: "cao.leilc"
Date: Sat, 22 Aug 2020 09:50:06 +0800
Subject: [PATCH] rgw : add check for ACL when create existing bucket
Fixes: https://tracker.ceph.com/issues/47028
Signed-off-by: caolei
Signed-off-by: Casey Bodley
---
 src/rgw/rgw_op.cc | 4 ++--
 src/rgw/rgw_sal.h | 1 +
 src/rgw/rgw_sal_rados.cc | 14 +++++++-------
 src/rgw/rgw_sal_rados.h | 1 +
 4 files changed, 11 insertions(+), 9 deletions(-)
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 05bfa419df243..fd04060ca2ff5 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -3161,7 +3161,7 @@ void RGWCreateBucket::execute()
 op_ret = store->create_bucket(*s->user, tmp_bucket, zonegroup_id, placement_rule, info.swift_ver_location,
- pquota_info, attrs, info, ep_objv,
+ pquota_info, policy, attrs, info, ep_objv,
 true, obj_lock_enabled, &s->bucket_exists, s->info, &s->bucket);
@@ -6892,7 +6892,7 @@ int RGWBulkUploadOp::handle_dir(const std::string_view path)
 op_ret = store->create_bucket(*s->user, new_bucket, store->get_zonegroup().get_id(), placement_rule, swift_ver_location,
- pquota_info, attrs,
+ pquota_info, policy, attrs,
 out_info, ep_objv, true, false, &bucket_exists, info, &bucket);
diff --git a/src/rgw/rgw_sal.h b/src/rgw/rgw_sal.h
index 7f5e371af70cc..fc7dd911fe980 100644
--- a/src/rgw/rgw_sal.h
+++ b/src/rgw/rgw_sal.h
@@ -61,6 +61,7 @@ class RGWStore : public DoutPrefixProvider {
 rgw_placement_rule& placement_rule,
 std::string& swift_ver_location,
 const RGWQuotaInfo * pquota_info,
+ const RGWAccessControlPolicy& policy,
 RGWAttrs& attrs,
 RGWBucketInfo& info,
 obj_version& ep_objv,
diff --git a/src/rgw/rgw_sal_rados.cc b/src/rgw/rgw_sal_rados.cc
index 4902e72a84c53..ae779ba96ff62 100644
--- a/src/rgw/rgw_sal_rados.cc
+++ b/src/rgw/rgw_sal_rados.cc
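Review bot: In the `RGWBulkUploadOp::handle_dir` hunk the `policy` handed to `create_bucket` is not declared in the visible lines, so it is unclear which ACL an existing container is now compared against. With the `old_policy != policy` check added in `RGWRadosStore::create_bucket`, a bulk upload into a container whose ACL was changed after creation would presumably get `-EEXIST` where the old owner-only comparison let it through; confirm that this is intended and that the caller's handling of `-EEXIST` covers it. The same question applies to the `RGWCreateBucket::execute` hunk when a create request is repeated without ACL headers. Both call sites continue outside their hunks.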
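Review bot: The new `policy` parameter on `RGWStore::create_bucket` in rgw_sal.h (and on the override in rgw_sal_rados.h) has no comment, and the call sites pass it alongside `attrs`. In the RGWRadosStore implementation hunk it is only read for the comparison with the stored policy of an existing bucket, so the ACL check is something each store implementation has to enforce itself. A comment on the declaration such as `// policy: requested ACL; an existing bucket whose stored policy differs is rejected with -EEXIST` would make that contract explicit. The declaration starts and ends outside the hunk.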
@@ -829,6 +829,7 @@ int RGWRadosStore::create_bucket(RGWUser& u, const rgw_bucket& b,
 rgw_placement_rule& placement_rule,
 string& swift_ver_location,
 const RGWQuotaInfo * pquota_info,
+ const RGWAccessControlPolicy& policy,
 RGWAttrs& attrs,
 RGWBucketInfo& info,
 obj_version& ep_objv,
@@ -844,7 +845,6 @@ int RGWRadosStore::create_bucket(RGWUser& u, const rgw_bucket& b,
 rgw_bucket *pmaster_bucket;
 uint32_t *pmaster_num_shards;
 real_time creation_time;
- RGWAccessControlPolicy old_policy(ctx());
 std::unique_ptr bucket;
 obj_version objv, *pobjv = NULL;
@@ -854,19 +854,19 @@ int RGWRadosStore::create_bucket(RGWUser& u, const rgw_bucket& b,
 return ret;
 if (ret != -ENOENT) {
+ RGWAccessControlPolicy old_policy(ctx());
 *existed = true;
 if (swift_ver_location.empty()) {
 swift_ver_location = bucket->get_info().swift_ver_location;
 }
 placement_rule.inherit_from(bucket->get_info().placement_rule);
+
+ // don't allow changes to the acl policy
 int r = rgw_op_get_bucket_policy_from_attr(this, u, bucket->get_attrs(), &old_policy);
- if (r >= 0) {
- if (old_policy.get_owner().get_id().compare(u.get_id()) != 0) {
- bucket_out->swap(bucket);
- ret = -EEXIST;
- return ret;
- }
+ if (r >= 0 && old_policy != policy) {
+ bucket_out->swap(bucket);
+ return -EEXIST;
 }
 } else {
 bucket = std::unique_ptr(new RGWRadosBucket(this, b, &u));
diff --git a/src/rgw/rgw_sal_rados.h b/src/rgw/rgw_sal_rados.h
index 439d74abfd58a..4c1ad186c08d2 100644
--- a/src/rgw/rgw_sal_rados.h
+++ b/src/rgw/rgw_sal_rados.h
@@ -239,6 +239,7 @@ class RGWRadosStore : public RGWStore {
 rgw_placement_rule& placement_rule,
 std::string& swift_ver_location,
 const RGWQuotaInfo * pquota_info,
+ const RGWAccessControlPolicy& policy,
 RGWAttrs& attrs,
 RGWBucketInfo& info,
 obj_version& ep_objv,
--
2.39.5
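Review bot: If `rgw_op_get_bucket_policy_from_attr()` returns an error, `r >= 0 && old_policy != policy` in the third rgw_sal_rados.cc hunk is false and the existing bucket is handled as though its ACL matched, so the new check fails open. If proceeding is deliberate (for instance so a partially created bucket can be retried), say so in a comment next to the condition; otherwise fail closed with `if (r < 0 || old_policy != policy) {`. The check also relies on `RGWAccessControlPolicy::operator!=` comparing the owner as well as the grants, because the explicit owner comparison is removed here; that operator is not part of this patch. The body of `create_bucket` continues outside the hunk.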