Merge pull request #49324 from BryceCao/wip-add-num-limit-for-user-policies

rgw : add num limit for IAM user policies Reviewed-by: Casey Bodley <cbodley@redhat.com>
2025-02-19 08:57:27 +00:00 · 2022-12-20 14:30:59 -05:00 · 2022-12-20 14:30:59 -05:00 · 1aa2e8ce05
commit 1aa2e8ce05
parent 72d7077b26 42ad8b6471
2 changed files with 24 additions and 0 deletions
--- a/src/common/options/rgw.yaml.in
+++ b/src/common/options/rgw.yaml.in
@ -12,6 +12,15 @@ options:
  services:
  - rgw
  with_legacy: true
+# An user can have up to 100 IAM user policies.
+- name: rgw_user_policies_max_num
+  type: int
+  level: advanced
+  desc: Max number of IAM user policies on a single user
+  default: 100
+  services:
+  - rgw
+  with_legacy: true
 # According to AWS S3(http://docs.aws.amazon.com/AmazonS3/latest/dev/cors.html),
 # An cors can have up to 100 rules.
 - name: rgw_cors_rules_max_num
--- a/src/rgw/rgw_rest_user_policy.cc
+++ b/src/rgw/rgw_rest_user_policy.cc
@ -151,6 +151,21 @@ void RGWPutUserPolicy::execute(optional_yield y)
    }
    bufferlist in_bl;
    policies[policy_name] = policy;
+#define USER_POLICIES_MAX_NUM 100
+    int max_num = s->cct->_conf->rgw_user_policies_max_num;
+    if (max_num < 0) {
+      max_num = USER_POLICIES_MAX_NUM;
+    }
+    if (policies.size() > max_num) {
+      ldpp_dout(this, 4) << "IAM user policies has reached the num config: "
+                         << max_num << ", cant add another" << dendl;
+      op_ret = -ERR_INVALID_REQUEST;
+      s->err.message =
+          "The number of IAM user policies should not exceed allowed limit "
+          "of " +
+          std::to_string(max_num) + " policies.";
+      return;
+    }
    encode(policies, in_bl);
    user->get_attrs()[RGW_ATTR_USER_POLICY] = in_bl;