rgw: belong the anonymous object to the bucket owner #34462
Conversation
src/rgw/rgw_acl_s3.cc
Outdated
| @@ -366,6 +366,11 @@ int RGWAccessControlList_S3::create_canned(ACLOwner& owner, ACLOwner& bucket_own | |||
| rgw_user bid = bucket_owner.get_id(); | |||
| string bname = bucket_owner.get_display_name(); | |||
|
|
|||
| if (owner.get_id() == rgw_user(RGW_USER_ANON_ID)) { | |||
| owner.set_id(bid); | |||
| owner.set_name(bname); | |||
There was a problem hiding this comment.
for PUT Object requests, create_canned() is getting a reference to s->owner in ACLOwner& owner, and we shouldn't mutate that here. this should either operate on a local copy, or we should change create_canned() to take owner by value instead
There was a problem hiding this comment.
the owner_grant.set_canon do not change the input. So I think we can just make a if branch between owner_grant.set_canon(bid, bname, RGW_PERM_FULL_CONTROL); and owner_grant.set_canon(owner.get_id(), owner.get_display_name(), RGW_PERM_FULL_CONTROL);
src/rgw/rgw_acl_s3.cc
Outdated
| owner_grant.set_canon(bid, bname, RGW_PERM_FULL_CONTROL); | ||
| } else { | ||
| owner_grant.set_canon(owner.get_id(), owner.get_display_name(), RGW_PERM_FULL_CONTROL); | ||
| } |
There was a problem hiding this comment.
this is better, yeah. but for the 'bucket-owner-read' and 'bucket-owner-full-control' cases below, we're still making comparisons against the original owner, so we would end up with two separate grants for the bucket owner
maybe it is better for create_canned() to take ACLOwner owner by value and overwrite it, so those 'bucket-owner-' comparisons don't have to change
There was a problem hiding this comment.
Sorry for less test for last modification. Today when I test for the acl owner, I found out that if we do not change the owner with reference int 'RGWAccessControlList_S3::create_canned', it will make the the acl still belong to that anonymous owner in 'RGWAccessControlPolicy_S3::create_canned'. I think We should not only belong the grant_map to the bucket owner but also should belong the acl to the owner.
So should we check the anonymous in the RGWAccessControlPolicy_S3::create_canned? We can make a local copy with ACLOwner bucket_owner for the input of RGWAccessControlPolicy_S3::create_canned and deeper pass it in RGWAccessControlList_S3::create_canned or we can just pass the bucket_owner as the input value of ACLOwner& owner of RGWAccessControlPolicy_S3::create_canned. Which one do you think is better? Thanks.
Signed-off-by: wangyunqing <wangyunqing@inspur.com>
|
This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days. |
|
This pull request has been automatically marked as stale because it has not had any activity for 60 days. It will be closed if no further activity occurs for another 30 days. |
|
Teuthology runs: |
|
@inspur-wyq @cbodley @theanalyst The tracker does not list any backports. Please modify the tracker if backports appropriate. Thanks! |
fixbug: https://tracker.ceph.com/issues/44987
After set one bucket full_control to anyone, we can put a object without signature.
However, after putting a object without signature, I can not set the acl of it using s3cmd with the 403 error.Comparing with the s3 public write bucket, I found out that the anonymous object belong to the bucket owner in s3,while it belong to anonymous user in rgw, which made the 403 error.
Signed-off-by: wangyunqing wangyunqing@inspur.com