From 26ea1ae5700b27f3c12f4b107e38470d0ed89e85 Mon Sep 17 00:00:00 2001
From: Casey Bodley
Date: Wed, 26 Feb 2025 16:42:43 -0500
Subject: [PATCH] rgw: use object ARN for InitMultipart permissions from https://docs.aws.amazon.com/AmazonS3/latest/userguide/mpuoverview.html#mpuAndPermissions: > You must be allowed to perform the s3:PutObject action on an object to create a multipart upload request. but it was calling the verify_bucket_permission() overload which defaulted to the bucket ARN. pass the object ARN instead, like we do for RGWPutObj and RGWCompleteMultipart Fixes: https://tracker.ceph.com/issues/70191 Signed-off-by: Casey Bodley (cherry picked from commit 64ab3a3e49d0e7bc716ee5301e15a1ba61127bb4)
---
 src/rgw/rgw_op.cc | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index 414e1196691e..04ebe8837180 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -6204,7 +6204,8 @@ int RGWInitMultipart::verify_permission(optional_yield y)
 // add server-side encryption headers
 rgw_iam_add_crypt_attrs(s->env, s->info.crypt_attribute_map);
- if (!verify_bucket_permission(this, s, rgw::IAM::s3PutObject)) {
+ if (!verify_bucket_permission(this, s, ARN(s->object->get_obj()),
+ rgw::IAM::s3PutObject)) {
 return -EACCES;
 }
--
2.47.3
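Review bot: The new call `verify_bucket_permission(this, s, ARN(s->object->get_obj()), rgw::IAM::s3PutObject)` has no comment explaining why an object ARN is passed to a helper named for buckets, and the overload that defaults to the bucket ARN is still available, so the same mistake is easy to reintroduce in another object-level op. I would add `// s3:PutObject is an object-level action: evaluate policy against the object ARN, as RGWPutObj and RGWCompleteMultipart do` above the `if`. The patch touches only src/rgw/rgw_op.cc, so a regression test appears to be missing here; one policy that allows s3:PutObject on an object-ARN resource and one that denies it on a key prefix, both exercised against InitMultipart, would pin the behaviour. Before this change a statement scoped to object resources presumably did not match this request, so both Allow and Deny outcomes can differ after upgrade and that is worth stating in the release notes. verify_permission's body starts and ends outside the hunk, so whether `s->object` is always set at this point cannot be confirmed from here.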