From d7a479c4cc3fd3e4e3961b834da97c241fe93db4 Mon Sep 17 00:00:00 2001
From: Radoslaw Zarzynski
Date: Sat, 19 Nov 2016 19:06:39 +0100
Subject: [PATCH] rgw: TempURL properly handles accounts created with the implicit tenant.
This is because in Jewel in the TempURL implementation we aren't trying to rgw_get_user_info_by_uid() on rgw_user with the tenant field filled like in the Keystone auth case. The bug isn't present in master as we have there a new auth infrastructure.
Fixes: http://tracker.ceph.com/issues/17961
Signed-off-by: Radoslaw Zarzynski
---
 src/rgw/rgw_swift.cc | 24 +++++++++++++++++++++---
 1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/src/rgw/rgw_swift.cc b/src/rgw/rgw_swift.cc
index 0fdb310f30e61..42f5c07883036 100644
--- a/src/rgw/rgw_swift.cc
+++ b/src/rgw/rgw_swift.cc
@@ -617,10 +617,28 @@ int authenticate_temp_url(RGWRados * const store, req_state * const s)
 * about account is neccessary to obtain its bucket tenant. Without that,
 * the access would be limited to accounts with empty tenant. */
 string bucket_tenant;
- if (!s->account_name.empty()) {
+ if (! s->account_name.empty()) {
 RGWUserInfo uinfo;
-
- if (rgw_get_user_info_by_uid(store, s->account_name, uinfo) < 0) {
+ const rgw_user acct_user(s->account_name);
+
+ ldout(s->cct, 20) << "temp url: loading RGWUserInfo for rgw_user="
+ << acct_user << dendl;
+
+ if (acct_user.tenant.empty()) {
+ rgw_user tenanted_acct_user(acct_user);
+ tenanted_acct_user.tenant = acct_user.id;
+
+ /* The account name specified in the URL doesn't have the tenant part.
+ * This means we have to handle the special case for Keystone-created
+ * accounts when the "rgw_keystone_implicit_tenants" was turned on.
+ * For more details about this mechanism please refer to the comment
+ * in RGWSwift::update_user_info(). */
+ if (rgw_get_user_info_by_uid(store, tenanted_acct_user, uinfo) < 0) {
+ if (rgw_get_user_info_by_uid(store, acct_user, uinfo) < 0) {
+ return -EPERM;
+ }
+ }
+ } else if (rgw_get_user_info_by_uid(store, acct_user, uinfo) < 0) {
 return -EPERM;
 }
-- 
2.47.3
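Review bot: In the `acct_user.tenant.empty()` branch the fallback to the tenant-less `acct_user` is taken on any negative return from the tenanted lookup, so an error other than "no such user" would silently resolve the request to a different account (same id, empty tenant), and the TempURL would then be checked against that account's data. If rgw_get_user_info_by_uid() reports a missing user as -ENOENT (not visible in this hunk, so to be confirmed), restrict the fallback to that case: `int ret = rgw_get_user_info_by_uid(store, tenanted_acct_user, uinfo);`, `if (ret == -ENOENT) ret = rgw_get_user_info_by_uid(store, acct_user, uinfo);`, `if (ret < 0) return -EPERM;`. The new comment could also state that the implicit-tenant account takes precedence when both accounts exist. authenticate_temp_url() starts and ends outside the hunk.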