authorJ. Eric Ivancich <ivancich@redhat.com>2025-01-03 18:16:39 +0100
committerGitHub <noreply@github.com>2025-01-03 18:16:39 +0100
commit49a44ce2d94632fb698d7700c5d1775f371f8890 (patch)
treed3f75b2423a03b933b451605e2dd11b3034b34f5 /src/rgw/rgw_common.h
parentMerge pull request #61217 from gbregman/main (diff)
parentrgw: evaluate policies for dest object in data sync (diff)
downloadceph-49a44ce2d94632fb698d7700c5d1775f371f8890.tar.xz
ceph-49a44ce2d94632fb698d7700c5d1775f371f8890.zip
Merge pull request #60685 from clwluvw/data-sync-perm
rgw: respect policies in data sync in user mode Reviewed-by: Adam Emerson <aemerson@redhat.com>
Diffstat (limited to 'src/rgw/rgw_common.h')
-rw-r--r--src/rgw/rgw_common.h27
1 files changed, 15 insertions, 12 deletions
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
index 8dafe147509..f0bd41494c3 100644
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@@ -1747,24 +1747,22 @@ rgw::IAM::Effect evaluate_iam_policies(
bool verify_user_permission(const DoutPrefixProvider* dpp,
req_state * const s,
- const RGWAccessControlPolicy& user_acl,
- const std::vector<rgw::IAM::Policy>& user_policies,
- const std::vector<rgw::IAM::Policy>& session_policies,
- const rgw::ARN& res,
- const uint64_t op,
- bool mandatory_policy=true);
-bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
- req_state * const s,
- const RGWAccessControlPolicy& user_acl,
- const int perm);
-bool verify_user_permission(const DoutPrefixProvider* dpp,
- req_state * const s,
const rgw::ARN& res,
const uint64_t op,
bool mandatory_policy=true);
bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
req_state * const s,
int perm);
+bool verify_bucket_permission(const DoutPrefixProvider* dpp,
+ struct perm_state_base * const s,
+ const rgw::ARN& arn,
+ bool account_root,
+ const RGWAccessControlPolicy& user_acl,
+ const RGWAccessControlPolicy& bucket_acl,
+ const boost::optional<rgw::IAM::Policy>& bucket_policy,
+ const std::vector<rgw::IAM::Policy>& identity_policies,
+ const std::vector<rgw::IAM::Policy>& session_policies,
+ const uint64_t op);
bool verify_bucket_permission(
const DoutPrefixProvider* dpp,
req_state * const s,
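Review bot: The added `verify_bucket_permission` overload taking `struct perm_state_base * const s` has no comment, and for an authorization entry point with ten parameters the header should state how the inputs combine into the decision. Two things are not readable from the signature: `bool account_root` sits between the ARN and the ACL references, so call sites will show a bare `true`/`false`, and nothing says what an empty `bucket_policy` means for the result (presumably the decision then rests on the identity/session policies and ACLs, but that needs confirming against the definition). I would add above the declaration something like `/// Returns true only if op on arn is permitted for the identity in s, given the supplied ACLs and identity, session and bucket policies.` plus one line each for `account_root` and the `boost::none` case. The next `verify_bucket_permission(` overload continues past the end of this hunk.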
@@ -2012,3 +2010,8 @@ struct AioCompletionDeleter {
void operator()(librados::AioCompletion* c) { c->release(); }
};
using aio_completion_ptr = std::unique_ptr<librados::AioCompletion, AioCompletionDeleter>;
+
+extern boost::optional<rgw::IAM::Policy>
+get_iam_policy_from_attr(CephContext* cct,
+ const std::map<std::string, bufferlist>& attrs,
+ const std::string& tenant);
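Review bot: The declaration of `get_iam_policy_from_attr` does not say what an empty optional means, and callers on a permission path depend on that distinction. If `boost::none` only ever means "no policy attribute in attrs" that is fine, but the definition is not visible here; if a stored policy that fails to parse could also come back as none, a caller treating none as "no bucket policy" would skip an explicit Deny. I would document the contract at the declaration, e.g. `/// Returns the policy stored in attrs, or boost::none when no policy attribute is present; a malformed policy is reported by <state: exception or none>.` The `extern` keyword is redundant on a function declaration and could be dropped to match the other declarations in this header.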