Merge pull request from cbodley/wip-58594

rgw: add crypt attrs for iam policy to PostObj and Init/CompleteMultipart

Reviewed-by: Daniel Gryniewicz <dang@redhat.com>
Casey Bodley 2023-05-02 16:55:27 -04:00 committed by GitHub
commit 98f0c711a6
GPG Key ID: 4AEE18F83AFDEB23


@ -782,6 +782,22 @@ static int rgw_iam_add_buckettags(const DoutPrefixProvider *dpp, req_state* s) {
return rgw_iam_add_buckettags(dpp, s, s->bucket.get());
}
static void rgw_iam_add_crypt_attrs(rgw::IAM::Environment& e,
const meta_map_t& attrs)
{
constexpr auto encrypt_attr = "x-amz-server-side-encryption";
constexpr auto s3_encrypt_attr = "s3:x-amz-server-side-encryption";
if (auto h = attrs.find(encrypt_attr); h != attrs.end()) {
rgw_add_to_iam_environment(e, s3_encrypt_attr, h->second);
}
constexpr auto kms_attr = "x-amz-server-side-encryption-aws-kms-key-id";
constexpr auto s3_kms_attr = "s3:x-amz-server-side-encryption-aws-kms-key-id";
if (auto h = attrs.find(kms_attr); h != attrs.end()) {
rgw_add_to_iam_environment(e, s3_kms_attr, h->second);
}
}
static std::tuple<bool, bool> rgw_check_policy_condition(const DoutPrefixProvider *dpp,
boost::optional<rgw::IAM::Policy> iam_policy,
boost::optional<vector<rgw::IAM::Policy>> identity_policies,
@ -3703,19 +3719,8 @@ int RGWPutObj::verify_permission(optional_yield y)
}
}
constexpr auto encrypt_attr = "x-amz-server-side-encryption";
constexpr auto s3_encrypt_attr = "s3:x-amz-server-side-encryption";
auto enc_header = s->info.crypt_attribute_map.find(encrypt_attr);
if (enc_header != s->info.crypt_attribute_map.end()){
rgw_add_to_iam_environment(s->env, s3_encrypt_attr, enc_header->second);
}
constexpr auto kms_attr = "x-amz-server-side-encryption-aws-kms-key-id";
constexpr auto s3_kms_attr = "s3:x-amz-server-side-encryption-aws-kms-key-id";
auto kms_header = s->info.crypt_attribute_map.find(kms_attr);
if (kms_header != s->info.crypt_attribute_map.end()){
rgw_add_to_iam_environment(s->env, s3_kms_attr, kms_header->second);
}
// add server-side encryption headers
rgw_iam_add_crypt_attrs(s->env, s->info.crypt_attribute_map);
// Add bucket tags for authorization
auto [has_s3_existing_tag, has_s3_resource_tag] = rgw_check_policy_condition(this, s, false);
@ -4361,6 +4366,9 @@ void RGWPostObj::execute(optional_yield y)
return;
}
// add server-side encryption headers
rgw_iam_add_crypt_attrs(s->env, s->info.crypt_attribute_map);
if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
rgw::IAM::s3PutObject,
@ -6206,6 +6214,9 @@ int RGWInitMultipart::verify_permission(optional_yield y)
if (has_s3_existing_tag || has_s3_resource_tag)
rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
// add server-side encryption headers
rgw_iam_add_crypt_attrs(s->env, s->info.crypt_attribute_map);
if (s->iam_policy || ! s->iam_user_policies.empty() || !s->session_policies.empty()) {
auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
rgw::IAM::s3PutObject,
@ -6322,6 +6333,9 @@ int RGWCompleteMultipart::verify_permission(optional_yield y)
if (has_s3_existing_tag || has_s3_resource_tag)
rgw_iam_add_objtags(this, s, has_s3_existing_tag, has_s3_resource_tag);
// add server-side encryption headers
rgw_iam_add_crypt_attrs(s->env, s->info.crypt_attribute_map);
if (s->iam_policy || ! s->iam_user_policies.empty() || ! s->session_policies.empty()) {
auto identity_policy_res = eval_identity_or_session_policies(this, s->iam_user_policies, s->env,
rgw::IAM::s3PutObject,
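Review bot: In the `RGWPostObj::execute` hunk the condition keys are filled from `s->info.crypt_attribute_map`, but a browser POST upload normally carries its server-side-encryption settings as form fields, and nothing visible here shows that map being populated from the form parts. If the map only reflects HTTP request headers, a bucket policy conditioned on `s3:x-amz-server-side-encryption` would be evaluated against a value other than the one actually used to encrypt the object. It is worth confirming where the map is filled on the POST path and adding a test with a policy that requires SSE for PostObj and for Init/CompleteMultipart. Separately, `rgw_iam_add_crypt_attrs` sets a key only when the attribute is present, which deserves a comment above it such as `// maps request SSE attrs to s3: condition keys; an absent attr adds no key to the environment`. The enclosing functions of all four call sites start and end outside the hunks.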