rgw: Bucket policies are evaluated against the remote ip address.
Previously bucket policy ip address restrictions were being evaluated
against the HTTP_HOST header. That is typically a host/port pair of the
server running rgw.

Signed-off-by: John Gibson <jgibson@mitre.org>
jgibson committed Sep 19, 2017
1 parent df9e51a commit a830360
Showing 2 changed files with 4 additions and 1 deletion.
3 changes: 3 additions & 0 deletions src/rgw/rgw_civetweb.cc
Expand Up @@ -120,6 +120,9 @@ void RGWCivetWeb::init_env(CephContext *cct)
if (info->remote_user) {
env.set("REMOTE_USER", info->remote_user);
}
if (info->remote_addr) {
env.set("REMOTE_ADDR", info->remote_addr);
}

if (port <= 0)
lderr(cct) << "init_env: bug: invalid port number" << dendl;
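Review bot: the guard `if (info->remote_addr)` in the added block only rules out a null pointer, so an empty string would still be stored as REMOTE_ADDR and later used as the source address for policy evaluation. Consider also requiring a non-empty value before `env.set("REMOTE_ADDR", info->remote_addr);`. A comment here should also state that this is the address of the direct TCP peer: when rgw sits behind a reverse proxy or load balancer, every request carries the proxy's address, so bucket policy IP restrictions will be evaluated against the proxy rather than the original client.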
2 changes: 1 addition & 1 deletion src/rgw/rgw_op.cc
Expand Up @@ -614,7 +614,7 @@ rgw::IAM::Environment rgw_build_iam_environment(RGWRados* store,
std::forward_as_tuple("true"));
}

i = m.find("HTTP_HOST");
i = m.find("REMOTE_ADDR");
if (i != m.end()) {
e.emplace(std::piecewise_construct,
std::forward_as_tuple("aws:SourceIp"),
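Review bot: when `m.find("REMOTE_ADDR")` misses, the `if (i != m.end())` branch is skipped and `aws:SourceIp` is left out of the environment, and this commit populates REMOTE_ADDR only in rgw_civetweb.cc. Please confirm that any other frontend in use also sets it, and that a policy with an IP address condition fails closed when the key is absent, in particular a Deny statement written with a negated IP condition. A test that evaluates an IP-restricted policy against a request with and without REMOTE_ADDR would catch a regression like the HTTP_HOST lookup this replaces.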