From 5bb78abf8643ea58f753f45f356002e359a3d8cd Mon Sep 17 00:00:00 2001
From: Yuval Lifshitz
Date: Thu, 8 Dec 2022 18:30:58 +0000
Subject: [PATCH] rgw/notifications: prevent anonymous topic operations

fixes: https://tracker.ceph.com/issues/58167

Signed-off-by: Yuval Lifshitz
---
 src/rgw/driver/rados/rgw_rest_pubsub.cc | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)

diff --git a/src/rgw/driver/rados/rgw_rest_pubsub.cc b/src/rgw/driver/rados/rgw_rest_pubsub.cc
index 86c18bf7439..6d37002c9f1 100644
--- a/src/rgw/driver/rados/rgw_rest_pubsub.cc
+++ b/src/rgw/driver/rados/rgw_rest_pubsub.cc
@@ -510,7 +510,15 @@ RGWOp *RGWHandler_REST_PSTopic_AWS::op_post()
 }
 
 int RGWHandler_REST_PSTopic_AWS::authorize(const DoutPrefixProvider* dpp, optional_yield y) {
- return RGW_Auth_S3::authorize(dpp, driver, auth_registry, s, y);
+ const auto rc = RGW_Auth_S3::authorize(dpp, driver, auth_registry, s, y);
+ if (rc < 0) {
+ return rc;
+ }
+ if (s->auth.identity->is_anonymous()) {
+ ldpp_dout(dpp, 1) << "anonymous user not allowed in topic operations" << dendl;
+ return -ERR_INVALID_REQUEST;
+ }
+ return 0;
 }
 
 namespace {
-- 
2.47.3
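Review bot: The anonymous rejection in `authorize()` returns `-ERR_INVALID_REQUEST`, which reports an authorization denial as a malformed request; this appears to surface as a 400 rather than a 403, so clients and anyone alerting on access-denied responses would not see these attempts as denials. Consider `return -EACCES;` there. The final `return 0;` also discards any non-negative value other than zero that `RGW_Auth_S3::authorize` might return, whereas `return rc;` would keep the previous behaviour. `s->auth.identity` is dereferenced without a null check, which is presumably safe after a successful authorize, but a comment stating that invariant (to be confirmed) would help, e.g. `// identity is set once RGW_Auth_S3::authorize succeeds`. The diffstat shows only this file changed, so a regression test that sends an unsigned topic request and expects a rejection would be worth adding.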