From 3cc27f0676c7ba2677f92969339b18b665c53c02 Mon Sep 17 00:00:00 2001
From: Shreyansh Sancheti <ssanchet@redhat.com>
Date: Tue, 20 Feb 2024 01:27:32 -0500
Subject: [PATCH] RGW: a subuser with no permission can still list buckets and
 create buckets

A S3 subuser having no permissions was able to do a normal user ops,
from aws docs there's no functionality for a s3 subuser as we do have
with swift. The fix here is to check the "subuser perm mask" before going
forward with "no_acl" check.

Fixes: https://tracker.ceph.com/issues/63791
Signed-off-by: Shreyansh Sancheti <ssanchet@redhat.com>
---
 src/rgw/rgw_common.cc | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
index 3ee98fa18ca..c0cbb7f86ef 100644
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@@ -1182,13 +1182,14 @@ bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
   if (s->identity->get_identity_type() == TYPE_ROLE)
     return false;
 
-  /* S3 doesn't support account ACLs, so user_acl will be uninitialized. */
-  if (user_acl.get_owner().id.empty())
-    return true;
-
+  /* S3 doesn't have a subuser, it takes user permissions  */
   if ((perm & (int)s->perm_mask) != perm)
     return false;
 
+  /* S3 doesn't support account ACLs, so user_acl will be uninitialized. */
+  if (user_acl.get_owner().id.empty())
+    return true;
+  
   return user_acl.verify_permission(dpp, *s->identity, perm, perm);
 }
 
-- 
2.47.3