
rgw: Check payment operations in policy

Add code to check s3:GetBucketRequestPayment and
s3:PutBucketRequestPayment operations against bucket policy.

Fixes: http://tracker.ceph.com/issues/21389
Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1490278

Signed-off-by: Adam C. Emerson <aemerson@redhat.com>
adamemerson committed Sep 14, 2017
1 parent 2237624 commit f9d1ae1d153319e870c3ccaf7afdc92786cdaa3b
Showing with 15 additions and 4 deletions.
  1. +15 −4 src/rgw/rgw_op.cc
@@ -5084,6 +5084,12 @@ void RGWOptionsCORS::execute()
int RGWGetRequestPayment::verify_permission()
{
if (s->iam_policy &&
s->iam_policy->eval(s->env, *s->auth.identity,
rgw::IAM::s3GetBucketRequestPayment,
ARN(s->bucket)) != Effect::Allow) {
return -EACCES;
}
return 0;
}
@@ -5099,11 +5105,16 @@ void RGWGetRequestPayment::execute()
int RGWSetRequestPayment::verify_permission()
{
if (false == s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
return -EACCES;
if (s->iam_policy) {
if (s->iam_policy->eval(s->env, *s->auth.identity,
rgw::IAM::s3PutBucketRequestPayment,
ARN(s->bucket)) == Effect::Allow) {
return 0;
}
} else if (s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
return 0;
}
return 0;
return -EACCES;
}
void RGWSetRequestPayment::pre_exec()
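Review bot: In RGWSetRequestPayment::verify_permission the ownership test sits in the `else` of `if (s->iam_policy)`, so once any bucket policy is attached, a policy that never mentions s3:PutBucketRequestPayment refuses the bucket owner too. The rewrite below evaluates the policy once, treats only an explicit deny as final, and falls through to the owner check when no statement matches; this assumes eval() reports "no match" as a result distinct from Effect::Deny, which should be confirmed against rgw::IAM. RGWGetRequestPayment::verify_permission in the first hunk has the opposite imbalance: with a policy, anything other than Allow is rejected, but with no policy it still returns 0 for every identity without an ownership or ACL check, so the default for that path deserves an explicit decision and a comment.

```cpp
int RGWSetRequestPayment::verify_permission()
{
  if (s->iam_policy) {
    const auto effect = s->iam_policy->eval(s->env, *s->auth.identity,
                                            rgw::IAM::s3PutBucketRequestPayment,
                                            ARN(s->bucket));
    if (effect == Effect::Allow) {
      return 0;
    }
    if (effect == Effect::Deny) {
      return -EACCES;  // an explicit deny is final, even for the owner
    }
    // no statement matched: fall back to the ownership check
  }
  if (s->auth.identity->is_owner_of(s->bucket_owner.get_id())) {
    return 0;
  }
  return -EACCES;
}
```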
