Merge pull request #16291 from ZVampirEM77/wip-acl-grants-num-limit

rgw: acl grants num limit Reviewed-by: Casey Bodley <cbodley@redhat.com>
2025-01-18 17:12:29 +00:00 · 2017-07-18 07:38:34 -07:00 · 2017-07-18 07:38:34 -07:00 · 5f5647afc2
commit 5f5647afc2
parent 280041337c a1b05dd2f6
4 changed files with 25 additions and 0 deletions
--- a/src/common/config_opts.h
+++ b/src/common/config_opts.h
@ -1797,3 +1797,5 @@ OPTION(rgw_reshard_bucket_lock_duration, OPT_INT, 120) // duration of lock on bu
 OPTION(rgw_dynamic_resharding, OPT_BOOL, true)
 OPTION(rgw_max_objs_per_shard, OPT_INT, 100000)
 OPTION(rgw_reshard_thread_interval, OPT_U32, 60 * 10) // maximum time between rounds of reshard thread processing
+
+OPTION(rgw_acl_grants_max_num, OPT_INT, 100) // According to AWS S3(http://docs.aws.amazon.com/AmazonS3/latest/dev/acl-overview.html), An ACL can have up to 100 grants.
--- a/src/rgw/rgw_common.cc
+++ b/src/rgw/rgw_common.cc
@ -74,6 +74,7 @@ rgw_http_errors rgw_http_s3_errors({
    { ERR_MALFORMED_XML, {400, "MalformedXML" }},
    { ERR_AMZ_CONTENT_SHA256_MISMATCH, {400, "XAmzContentSHA256Mismatch" }},
    { ERR_INVALID_TAG, {400, "InvalidTag"}},
+    { ERR_MALFORMED_ACL_ERROR, {400, "MalformedACLError" }},
    { ERR_LENGTH_REQUIRED, {411, "MissingContentLength" }},
    { EACCES, {403, "AccessDenied" }},
    { EPERM, {403, "AccessDenied" }},
--- a/src/rgw/rgw_common.h
+++ b/src/rgw/rgw_common.h
@ -213,6 +213,7 @@ using ceph::crypto::MD5;
 #define ERR_TAG_CONFLICT         2209
 #define ERR_INVALID_TAG          2210
 #define ERR_ZERO_IN_URL          2211
+#define ERR_MALFORMED_ACL_ERROR  2212

 #define ERR_BUSY_RESHARDING      2300

--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@ -4619,6 +4619,27 @@ void RGWPutACLs::execute()
    return;
  }

+  const RGWAccessControlList& req_acl = policy->get_acl();
+  const multimap<string, ACLGrant>& req_grant_map = req_acl.get_grant_map();
+#define ACL_GRANTS_MAX_NUM      100
+  int max_num = s->cct->_conf->rgw_acl_grants_max_num;
+  if (max_num < 0) {
+    max_num = ACL_GRANTS_MAX_NUM;
+  }
+
+  int grants_num = req_grant_map.size();
+  if (grants_num > max_num) {
+    ldout(s->cct, 4) << "An acl can have up to "
+                     << max_num
+                     << " grants, request acl grants num: "
+                     << grants_num << dendl;
+    op_ret = -ERR_MALFORMED_ACL_ERROR;
+    s->err.message = "The request is rejected, because the acl grants number you requested is larger than the maximum "
+                     + std::to_string(max_num)
+                     + " grants allowed in an acl.";
+    return;
+  }
+
  // forward bucket acl requests to meta master zone
  if (s->object.empty() && !store->is_meta_master()) {
    bufferlist in_data;