RepoMirrors/ceph
1
0
Fork 0
mirror of https://github.com/ceph/ceph synced 2025-03-25 11:48:05 +00:00
Code Issues Packages Projects Releases Wiki Activity

rgw/acl: req_state stores ACLs by value instead of unique_ptr

Browse Source 
we no longer rely on polymorphism for the s3/swift variants of
`RGWAccessControlPolicy`, so `req_state` can store `bucket_acl`,
`object_acl` and `user_acl` by value

most functions now take these acls by const- or mutable reference
instead of pointers since they won't be nullptr

some code paths won't initialize some of these bucket/object/user acl
variables, and we rely on `RGWAccessControlPolicy::verify_permissions()`
to return false for those because we won't match an empty owner or
array of grants

in only one case, `verify_user_permissions()` has to return true when
`user_acl` is uninitialized, because S3 doesn't have user acls so
uninitialized user acls should not deny access

Signed-off-by: Casey Bodley <cbodley@redhat.com>
This commit is contained in:
Casey Bodley 2023-11-18 10:22:20 -05:00
parent d28c05cb77
commit ac4253b403
10 changed files with 174 additions and 219 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
src/rgw/driver/rados/rgw_data_sync.cc
View File

@ -2725,8 +2725,8 @@ bool RGWUserPermHandler::Bucket::verify_bucket_permission(int perm)
{
return verify_bucket_permission_no_policy(sync_env->dpp,
&(*ps),
&info->user_acl,
&bucket_acl,
info->user_acl,
bucket_acl,
perm);
}
@ -2742,8 +2742,8 @@ bool RGWUserPermHandler::Bucket::verify_object_permission(const map<string, buff
return verify_bucket_permission_no_policy(sync_env->dpp,
&(*ps),
&bucket_acl,
&obj_acl,
bucket_acl,
obj_acl,
perm);
}

8
src/rgw/rgw_acl.cc
View File

@ -120,7 +120,7 @@ void RGWAccessControlList::remove_canon_user_grant(rgw_user& user_id)
uint32_t RGWAccessControlList::get_perm(const DoutPrefixProvider* dpp,
const rgw::auth::Identity& auth_identity,
const uint32_t perm_mask)
const uint32_t perm_mask) const
{
ldpp_dout(dpp, 5) << "Searching permissions for identity=" << auth_identity
<< " mask=" << perm_mask << dendl;
@ -147,7 +147,7 @@ uint32_t RGWAccessControlList::get_group_perm(const DoutPrefixProvider *dpp,
uint32_t RGWAccessControlList::get_referer_perm(const DoutPrefixProvider *dpp,
const uint32_t current_perm,
const std::string http_referer,
const uint32_t perm_mask)
const uint32_t perm_mask) const
{
ldpp_dout(dpp, 5) << "Searching permissions for referer=" << http_referer
<< " mask=" << perm_mask << dendl;
@ -171,7 +171,7 @@ uint32_t RGWAccessControlPolicy::get_perm(const DoutPrefixProvider* dpp,
const rgw::auth::Identity& auth_identity,
const uint32_t perm_mask,
const char * const http_referer,
bool ignore_public_acls)
bool ignore_public_acls) const
{
ldpp_dout(dpp, 20) << "-- Getting permissions begin with perm_mask=" << perm_mask
<< dendl;
@ -213,7 +213,7 @@ bool RGWAccessControlPolicy::verify_permission(const DoutPrefixProvider* dpp,
const uint32_t user_perm_mask,
const uint32_t perm,
const char * const http_referer,
bool ignore_public_acls)
bool ignore_public_acls) const
{
uint32_t test_perm = perm | RGW_PERM_READ_OBJS | RGW_PERM_WRITE_OBJS;

9
src/rgw/rgw_acl.h
View File

@ -31,7 +31,6 @@ protected:
public:
ACLGrant() : group(ACL_GROUP_NONE) {}
virtual ~ACLGrant() {}
/* there's an assumption here that email/uri/id encodings are
different and there can't be any overlap */
@ -230,11 +229,11 @@ protected:
public:
uint32_t get_perm(const DoutPrefixProvider* dpp,
const rgw::auth::Identity& auth_identity,
uint32_t perm_mask);
uint32_t perm_mask) const;
uint32_t get_group_perm(const DoutPrefixProvider *dpp, ACLGroupTypeEnum group, uint32_t perm_mask) const;
uint32_t get_referer_perm(const DoutPrefixProvider *dpp, uint32_t current_perm,
std::string http_referer,
uint32_t perm_mask);
uint32_t perm_mask) const;
void encode(bufferlist& bl) const {
ENCODE_START(4, 3, bl);
bool maps_initialized = true;
@ -327,13 +326,13 @@ public:
const rgw::auth::Identity& auth_identity,
uint32_t perm_mask,
const char * http_referer,
bool ignore_public_acls=false);
bool ignore_public_acls=false) const;
bool verify_permission(const DoutPrefixProvider* dpp,
const rgw::auth::Identity& auth_identity,
uint32_t user_perm_mask,
uint32_t perm,
const char * http_referer = nullptr,
bool ignore_public_acls=false);
bool ignore_public_acls=false) const;
void encode(bufferlist& bl) const {
ENCODE_START(2, 2, bl);

134
src/rgw/rgw_common.cc
View File

@ -1135,7 +1135,7 @@ Effect eval_identity_or_session_policies(const DoutPrefixProvider* dpp,
bool verify_user_permission(const DoutPrefixProvider* dpp,
perm_state_base * const s,
RGWAccessControlPolicy * const user_acl,
const RGWAccessControlPolicy& user_acl,
const vector<rgw::IAM::Policy>& user_policies,
const vector<rgw::IAM::Policy>& session_policies,
const rgw::ARN& res,
@ -1176,20 +1176,20 @@ bool verify_user_permission(const DoutPrefixProvider* dpp,
bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
RGWAccessControlPolicy * const user_acl,
const RGWAccessControlPolicy& user_acl,
const int perm)
{
if (s->identity->get_identity_type() == TYPE_ROLE)
return false;
/* S3 doesn't support account ACLs. */
if (!user_acl)
/* S3 doesn't support account ACLs, so user_acl will be uninitialized. */
if (user_acl.get_owner().id.empty())
return true;
if ((perm & (int)s->perm_mask) != perm)
return false;
return user_acl->verify_permission(dpp, *s->identity, perm, perm);
return user_acl.verify_permission(dpp, *s->identity, perm, perm);
}
bool verify_user_permission(const DoutPrefixProvider* dpp,
@ -1199,7 +1199,7 @@ bool verify_user_permission(const DoutPrefixProvider* dpp,
bool mandatory_policy)
{
perm_state_from_req_state ps(s);
return verify_user_permission(dpp, &ps, s->user_acl.get(), s->iam_user_policies, s->session_policies, res, op, mandatory_policy);
return verify_user_permission(dpp, &ps, s->user_acl, s->iam_user_policies, s->session_policies, res, op, mandatory_policy);
}
bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
@ -1207,7 +1207,7 @@ bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
const int perm)
{
perm_state_from_req_state ps(s);
return verify_user_permission_no_policy(dpp, &ps, s->user_acl.get(), perm);
return verify_user_permission_no_policy(dpp, &ps, s->user_acl, perm);
}
bool verify_requester_payer_permission(struct perm_state_base *s)
@ -1233,8 +1233,8 @@ bool verify_requester_payer_permission(struct perm_state_base *s)
bool verify_bucket_permission(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
const rgw_bucket& bucket,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
const vector<Policy>& identity_policies,
const vector<Policy>& session_policies,
@ -1292,8 +1292,8 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp,
bool verify_bucket_permission(const DoutPrefixProvider* dpp,
req_state * const s,
const rgw_bucket& bucket,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
const vector<Policy>& user_policies,
const vector<Policy>& session_policies,
@ -1307,31 +1307,25 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp,
}
bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, struct perm_state_base * const s,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const int perm)
{
if (!bucket_acl)
return false;
if ((perm & (int)s->perm_mask) != perm)
return false;
if (bucket_acl->verify_permission(dpp, *s->identity, perm, perm,
s->get_referer(),
s->bucket_access_conf &&
s->bucket_access_conf->ignore_public_acls()))
if (bucket_acl.verify_permission(dpp, *s->identity, perm, perm,
s->get_referer(),
s->bucket_access_conf &&
s->bucket_access_conf->ignore_public_acls()))
return true;
if (!user_acl)
return false;
return user_acl->verify_permission(dpp, *s->identity, perm, perm);
return user_acl.verify_permission(dpp, *s->identity, perm, perm);
}
bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, req_state * const s,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const int perm)
{
perm_state_from_req_state ps(s);
@ -1351,8 +1345,8 @@ bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp, req_state
return verify_bucket_permission_no_policy(dpp,
&ps,
s->user_acl.get(),
s->bucket_acl.get(),
s->user_acl,
s->bucket_acl,
perm);
}
@ -1368,8 +1362,8 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp, req_state * const s
return verify_bucket_permission(dpp,
&ps,
s->bucket->get_key(),
s->user_acl.get(),
s->bucket_acl.get(),
s->user_acl,
s->bucket_acl,
s->iam_policy,
s->iam_user_policies,
s->session_policies,
@ -1432,8 +1426,8 @@ int verify_bucket_owner_or_policy(req_state* const s,
static inline bool check_deferred_bucket_perms(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
const rgw_bucket& bucket,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
const vector<Policy>& identity_policies,
const vector<Policy>& session_policies,
@ -1446,8 +1440,8 @@ static inline bool check_deferred_bucket_perms(const DoutPrefixProvider* dpp,
static inline bool check_deferred_bucket_only_acl(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const uint8_t deferred_check,
const int perm)
{
@ -1457,9 +1451,9 @@ static inline bool check_deferred_bucket_only_acl(const DoutPrefixProvider* dpp,
bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_base * const s,
const rgw_obj& obj,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
RGWAccessControlPolicy * const object_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const RGWAccessControlPolicy& object_acl,
const boost::optional<Policy>& bucket_policy,
const vector<Policy>& identity_policies,
const vector<Policy>& session_policies,
@ -1512,14 +1506,10 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_b
return true;
}
if (!object_acl) {
return false;
}
bool ret = object_acl->verify_permission(dpp, *s->identity, s->perm_mask, perm,
nullptr, /* http_referrer */
s->bucket_access_conf &&
s->bucket_access_conf->ignore_public_acls());
bool ret = object_acl.verify_permission(dpp, *s->identity, s->perm_mask, perm,
nullptr, /* http_referrer */
s->bucket_access_conf &&
s->bucket_access_conf->ignore_public_acls());
if (ret) {
return true;
}
@ -1541,21 +1531,18 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, struct perm_state_b
/* we already verified the user mask above, so we pass swift_perm as the mask here,
otherwise the mask might not cover the swift permissions bits */
if (bucket_acl->verify_permission(dpp, *s->identity, swift_perm, swift_perm,
s->get_referer()))
if (bucket_acl.verify_permission(dpp, *s->identity, swift_perm, swift_perm,
s->get_referer()))
return true;
if (!user_acl)
return false;
return user_acl->verify_permission(dpp, *s->identity, swift_perm, swift_perm);
return user_acl.verify_permission(dpp, *s->identity, swift_perm, swift_perm);
}
bool verify_object_permission(const DoutPrefixProvider* dpp, req_state * const s,
const rgw_obj& obj,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
RGWAccessControlPolicy * const object_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const RGWAccessControlPolicy& object_acl,
const boost::optional<Policy>& bucket_policy,
const vector<Policy>& identity_policies,
const vector<Policy>& session_policies,
@ -1570,9 +1557,9 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, req_state * const s
bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
RGWAccessControlPolicy * const object_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const RGWAccessControlPolicy& object_acl,
const int perm)
{
if (check_deferred_bucket_only_acl(dpp, s, user_acl, bucket_acl, RGW_DEFER_TO_BUCKET_ACLS_RECURSE, perm) ||
@ -1580,14 +1567,10 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
return true;
}
if (!object_acl) {
return false;
}
bool ret = object_acl->verify_permission(dpp, *s->identity, s->perm_mask, perm,
nullptr, /* http referrer */
s->bucket_access_conf &&
s->bucket_access_conf->ignore_public_acls());
bool ret = object_acl.verify_permission(dpp, *s->identity, s->perm_mask, perm,
nullptr, /* http referrer */
s->bucket_access_conf &&
s->bucket_access_conf->ignore_public_acls());
if (ret) {
return true;
}
@ -1609,14 +1592,11 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
/* we already verified the user mask above, so we pass swift_perm as the mask here,
otherwise the mask might not cover the swift permissions bits */
if (bucket_acl->verify_permission(dpp, *s->identity, swift_perm, swift_perm,
s->get_referer()))
if (bucket_acl.verify_permission(dpp, *s->identity, swift_perm, swift_perm,
s->get_referer()))
return true;
if (!user_acl)
return false;
return user_acl->verify_permission(dpp, *s->identity, swift_perm, swift_perm);
return user_acl.verify_permission(dpp, *s->identity, swift_perm, swift_perm);
}
bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, req_state *s, int perm)
@ -1628,9 +1608,9 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, req_state
return verify_object_permission_no_policy(dpp,
&ps,
s->user_acl.get(),
s->bucket_acl.get(),
s->object_acl.get(),
s->user_acl,
s->bucket_acl,
s->object_acl,
perm);
}
@ -1641,9 +1621,9 @@ bool verify_object_permission(const DoutPrefixProvider* dpp, req_state *s, uint6
return verify_object_permission(dpp,
&ps,
rgw_obj(s->bucket->get_key(), s->object->get_key()),
s->user_acl.get(),
s->bucket_acl.get(),
s->object_acl.get(),
s->user_acl,
s->bucket_acl,
s->object_acl,
s->iam_policy,
s->iam_user_policies,
s->session_policies,

42
src/rgw/rgw_common.h
View File

@ -1180,9 +1180,9 @@ struct req_state : DoutPrefixProvider {
} s3_postobj_creds;
} auth;
std::unique_ptr<RGWAccessControlPolicy> user_acl;
std::unique_ptr<RGWAccessControlPolicy> bucket_acl;
std::unique_ptr<RGWAccessControlPolicy> object_acl;
RGWAccessControlPolicy user_acl;
RGWAccessControlPolicy bucket_acl;
RGWAccessControlPolicy object_acl;
rgw::IAM::Environment env;
boost::optional<rgw::IAM::Policy> iam_policy;
@ -1584,20 +1584,20 @@ struct perm_state : public perm_state_base {
bool verify_bucket_permission_no_policy(
const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const int perm);
bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
RGWAccessControlPolicy * const user_acl,
const RGWAccessControlPolicy& user_acl,
const int perm);
bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
struct perm_state_base * const s,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
RGWAccessControlPolicy * const object_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const RGWAccessControlPolicy& object_acl,
const int perm);
/** Check if the req_state's user has the necessary permissions
@ -1609,7 +1609,7 @@ rgw::IAM::Effect eval_identity_or_session_policies(const DoutPrefixProvider* dpp
const rgw::ARN& arn);
bool verify_user_permission(const DoutPrefixProvider* dpp,
req_state * const s,
RGWAccessControlPolicy * const user_acl,
const RGWAccessControlPolicy& user_acl,
const std::vector<rgw::IAM::Policy>& user_policies,
const std::vector<rgw::IAM::Policy>& session_policies,
const rgw::ARN& res,
@ -1617,7 +1617,7 @@ bool verify_user_permission(const DoutPrefixProvider* dpp,
bool mandatory_policy=true);
bool verify_user_permission_no_policy(const DoutPrefixProvider* dpp,
req_state * const s,
RGWAccessControlPolicy * const user_acl,
const RGWAccessControlPolicy& user_acl,
const int perm);
bool verify_user_permission(const DoutPrefixProvider* dpp,
req_state * const s,
@ -1631,8 +1631,8 @@ bool verify_bucket_permission(
const DoutPrefixProvider* dpp,
req_state * const s,
const rgw_bucket& bucket,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const boost::optional<rgw::IAM::Policy>& bucket_policy,
const std::vector<rgw::IAM::Policy>& identity_policies,
const std::vector<rgw::IAM::Policy>& session_policies,
@ -1641,8 +1641,8 @@ bool verify_bucket_permission(const DoutPrefixProvider* dpp, req_state * const s
bool verify_bucket_permission_no_policy(
const DoutPrefixProvider* dpp,
req_state * const s,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const int perm);
bool verify_bucket_permission_no_policy(const DoutPrefixProvider* dpp,
req_state * const s,
@ -1653,9 +1653,9 @@ extern bool verify_object_permission(
const DoutPrefixProvider* dpp,
req_state * const s,
const rgw_obj& obj,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
RGWAccessControlPolicy * const object_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const RGWAccessControlPolicy& object_acl,
const boost::optional<rgw::IAM::Policy>& bucket_policy,
const std::vector<rgw::IAM::Policy>& identity_policies,
const std::vector<rgw::IAM::Policy>& session_policies,
@ -1664,9 +1664,9 @@ extern bool verify_object_permission(const DoutPrefixProvider* dpp, req_state *s
extern bool verify_object_permission_no_policy(
const DoutPrefixProvider* dpp,
req_state * const s,
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
RGWAccessControlPolicy * const object_acl,
const RGWAccessControlPolicy& user_acl,
const RGWAccessControlPolicy& bucket_acl,
const RGWAccessControlPolicy& object_acl,
int perm);
extern bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp, req_state *s,
int perm);

3
src/rgw/rgw_log.cc
View File

@ -647,8 +647,7 @@ int rgw_log_op(RGWREST* const rest, req_state *s, const RGWOp* op, OpsLogSink *o
}
entry.user = s->user->get_id().to_str();
if (s->object_acl)
entry.object_owner = s->object_acl->get_owner().id;
entry.object_owner = s->object_acl.get_owner().id;
entry.bucket_owner = s->bucket_owner.id;
uint64_t bytes_sent = ACCOUNTING_IO(s)->get_bytes_sent();

6
src/rgw/rgw_lua_request.cc
View File

@ -711,11 +711,11 @@ struct RequestMetaTable : public EmptyMetaTable {
} else if (strcasecmp(index, "ZoneGroup") == 0) {
create_metatable<ZoneGroupMetaTable>(L, name, index, false, s);
} else if (strcasecmp(index, "UserACL") == 0) {
create_metatable<ACLMetaTable>(L, name, index, false, s->user_acl);
create_metatable<ACLMetaTable>(L, name, index, false, &s->user_acl);
} else if (strcasecmp(index, "BucketACL") == 0) {
create_metatable<ACLMetaTable>(L, name, index, false, s->bucket_acl);
create_metatable<ACLMetaTable>(L, name, index, false, &s->bucket_acl);
} else if (strcasecmp(index, "ObjectACL") == 0) {
create_metatable<ACLMetaTable>(L, name, index, false, s->object_acl);
create_metatable<ACLMetaTable>(L, name, index, false, &s->object_acl);
} else if (strcasecmp(index, "Environment") == 0) {
create_metatable<StringMapMetaTable<rgw::IAM::Environment>>(L, name, index, false, &(s->env));
} else if (strcasecmp(index, "Policy") == 0) {

157
src/rgw/rgw_op.cc
View File

@ -219,18 +219,18 @@ done:
static int decode_policy(const DoutPrefixProvider *dpp,
CephContext *cct,
bufferlist& bl,
RGWAccessControlPolicy *policy)
RGWAccessControlPolicy& policy)
{
auto iter = bl.cbegin();
try {
policy->decode(iter);
policy.decode(iter);
} catch (buffer::error& err) {
ldpp_dout(dpp, 0) << "ERROR: could not decode policy, caught buffer::error" << dendl;
return -EIO;
}
if (cct->_conf->subsys.should_gather<ceph_subsys_rgw, 15>()) {
ldpp_dout(dpp, 15) << __func__ << " Read AccessControlPolicy";
rgw::s3::write_policy_xml(*policy, *_dout);
rgw::s3::write_policy_xml(policy, *_dout);
*_dout << dendl;
}
return 0;
@ -242,17 +242,11 @@ static int get_user_policy_from_attr(const DoutPrefixProvider *dpp,
map<string, bufferlist>& attrs,
RGWAccessControlPolicy& policy /* out */)
{
auto aiter = attrs.find(RGW_ATTR_ACL);
if (aiter != attrs.end()) {
int ret = decode_policy(dpp, cct, aiter->second, &policy);
if (ret < 0) {
return ret;
}
} else {
auto i = attrs.find(RGW_ATTR_ACL);
if (i == attrs.end()) {
return -ENOENT;
}
return 0;
return decode_policy(dpp, cct, i->second, policy);
}
/**
@ -267,7 +261,7 @@ int rgw_op_get_bucket_policy_from_attr(const DoutPrefixProvider *dpp,
rgw::sal::Driver* driver,
const rgw_user& bucket_owner,
map<string, bufferlist>& bucket_attrs,
RGWAccessControlPolicy *policy,
RGWAccessControlPolicy& policy,
optional_yield y)
{
map<string, bufferlist>::iterator aiter = bucket_attrs.find(RGW_ATTR_ACL);
@ -284,7 +278,7 @@ int rgw_op_get_bucket_policy_from_attr(const DoutPrefixProvider *dpp,
if (r < 0)
return r;
policy->create_default(user->get_id(), user->get_display_name());
policy.create_default(user->get_id(), user->get_display_name());
}
return 0;
}
@ -294,7 +288,7 @@ static int get_obj_policy_from_attr(const DoutPrefixProvider *dpp,
rgw::sal::Driver* driver,
RGWBucketInfo& bucket_info,
map<string, bufferlist>& bucket_attrs,
RGWAccessControlPolicy *policy,
RGWAccessControlPolicy& policy,
string *storage_class,
rgw::sal::Object* obj,
optional_yield y)
@ -317,7 +311,7 @@ static int get_obj_policy_from_attr(const DoutPrefixProvider *dpp,
if (ret < 0)
return ret;
policy->create_default(bucket_info.owner, user->get_display_name());
policy.create_default(bucket_info.owner, user->get_display_name());
}
if (storage_class) {
@ -384,7 +378,7 @@ static int read_bucket_policy(const DoutPrefixProvider *dpp,
req_state *s,
RGWBucketInfo& bucket_info,
map<string, bufferlist>& bucket_attrs,
RGWAccessControlPolicy *policy,
RGWAccessControlPolicy& policy,
rgw_bucket& bucket,
optional_yield y)
{
@ -401,7 +395,7 @@ static int read_bucket_policy(const DoutPrefixProvider *dpp,
int ret = rgw_op_get_bucket_policy_from_attr(dpp, s->cct, driver, bucket_info.owner,
bucket_attrs, policy, y);
if (ret == -ENOENT) {
ret = -ERR_NO_SUCH_BUCKET;
ret = -ERR_NO_SUCH_BUCKET;
}
return ret;
@ -412,7 +406,7 @@ static int read_obj_policy(const DoutPrefixProvider *dpp,
req_state *s,
RGWBucketInfo& bucket_info,
map<string, bufferlist>& bucket_attrs,
RGWAccessControlPolicy* acl,
RGWAccessControlPolicy& acl,
string *storage_class,
boost::optional<Policy>& policy,
rgw::sal::Bucket* bucket,
@ -451,7 +445,7 @@ static int read_obj_policy(const DoutPrefixProvider *dpp,
that we send a proper error code */
RGWAccessControlPolicy bucket_policy;
ret = rgw_op_get_bucket_policy_from_attr(dpp, s->cct, driver, bucket_info.owner,
bucket_attrs, &bucket_policy, y);
bucket_attrs, bucket_policy, y);
if (ret < 0) {
return ret;
}
@ -511,20 +505,6 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d
}
}
if(s->dialect.compare("s3") == 0) {
s->bucket_acl = std::make_unique<RGWAccessControlPolicy>();
} else if(s->dialect.compare("swift") == 0) {
/* We aren't allocating the account policy for those operations using
* the Swift's infrastructure that don't really need req_state::user.
* Typical example here is the implementation of /info. */
if (!s->user->get_id().empty()) {
s->user_acl = std::make_unique<RGWAccessControlPolicy>();
}
s->bucket_acl = std::make_unique<RGWAccessControlPolicy>();
} else {
s->bucket_acl = std::make_unique<RGWAccessControlPolicy>();
}
const RGWZoneGroup& zonegroup = s->penv.site->get_zonegroup();
/* check if copy source is within the current domain */
@ -573,13 +553,13 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d
s->bucket_attrs = s->bucket->get_attrs();
ret = read_bucket_policy(dpp, driver, s, s->bucket->get_info(),
s->bucket->get_attrs(),
s->bucket_acl.get(), s->bucket->get_key(), y);
s->bucket_acl, s->bucket->get_key(), y);
acct_acl_user = {
s->bucket->get_info().owner,
s->bucket_acl->get_owner().display_name,
s->bucket_acl.get_owner().display_name,
};
s->bucket_owner = s->bucket_acl->get_owner();
s->bucket_owner = s->bucket_acl.get_owner();
s->zonegroup_endpoint = rgw::get_zonegroup_endpoint(zonegroup);
s->zonegroup_name = zonegroup.get_name();
@ -615,12 +595,12 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d
}
/* handle user ACL only for those APIs which support it */
if (s->user_acl) {
if (s->dialect == "swift" && !s->user->get_id().empty()) {
std::unique_ptr<rgw::sal::User> acl_user = driver->get_user(acct_acl_user.uid);
ret = acl_user->read_attrs(dpp, y);
if (!ret) {
ret = get_user_policy_from_attr(dpp, s->cct, acl_user->get_attrs(), *s->user_acl);
ret = get_user_policy_from_attr(dpp, s->cct, acl_user->get_attrs(), s->user_acl);
}
if (-ENOENT == ret) {
/* In already existing clusters users won't have ACL. In such case
@ -630,8 +610,8 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d
* 1. if we try to reach an existing bucket, its owner is considered
* as account owner.
* 2. otherwise account owner is identity stored in s->user->user_id. */
s->user_acl->create_default(acct_acl_user.uid,
acct_acl_user.display_name);
s->user_acl.create_default(acct_acl_user.uid,
acct_acl_user.display_name);
ret = 0;
} else if (ret < 0) {
ldpp_dout(dpp, 0) << "NOTICE: couldn't get user attrs for handling ACL "
@ -689,24 +669,21 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d
int rgw_build_object_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* driver,
req_state *s, bool prefetch_data, optional_yield y)
{
int ret = 0;
if (!rgw::sal::Object::empty(s->object.get())) {
if (!s->bucket_exists) {
return -ERR_NO_SUCH_BUCKET;
}
s->object_acl = std::make_unique<RGWAccessControlPolicy>();
s->object->set_atomic();
if (prefetch_data) {
s->object->set_prefetch_data();
}
ret = read_obj_policy(dpp, driver, s, s->bucket->get_info(), s->bucket_attrs,
s->object_acl.get(), nullptr, s->iam_policy, s->bucket.get(),
s->object.get(), y);
if (rgw::sal::Object::empty(s->object)) {
return 0;
}
if (!s->bucket_exists) {
return -ERR_NO_SUCH_BUCKET;
}
return ret;
s->object->set_atomic();
if (prefetch_data) {
s->object->set_prefetch_data();
}
return read_obj_policy(dpp, driver, s, s->bucket->get_info(), s->bucket_attrs,
s->object_acl, nullptr, s->iam_policy, s->bucket.get(),
s->object.get(), y);
}
static int rgw_iam_remove_objtags(const DoutPrefixProvider *dpp, req_state* s, rgw::sal::Object* object, bool has_existing_obj_tag, bool has_resource_tag) {
@ -1648,7 +1625,7 @@ int rgw_policy_from_attrset(const DoutPrefixProvider *dpp, CephContext *cct, map
int RGWGetObj::read_user_manifest_part(rgw::sal::Bucket* bucket,
const rgw_bucket_dir_entry& ent,
RGWAccessControlPolicy * const bucket_acl,
const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
const off_t start_ofs,
const off_t end_ofs,
@ -1724,8 +1701,8 @@ int RGWGetObj::read_user_manifest_part(rgw::sal::Bucket* bucket,
ldpp_dout(this, 2) << "overriding permissions due to system operation" << dendl;
} else if (s->auth.identity->is_admin_of(s->user->get_id())) {
ldpp_dout(this, 2) << "overriding permissions due to admin operation" << dendl;
} else if (!verify_object_permission(this, s, part->get_obj(), s->user_acl.get(),
bucket_acl, &obj_policy, bucket_policy,
} else if (!verify_object_permission(this, s, part->get_obj(), s->user_acl,
bucket_acl, obj_policy, bucket_policy,
s->iam_user_policies, s->session_policies, action)) {
return -EPERM;
}
@ -1749,14 +1726,14 @@ static int iterate_user_manifest_parts(const DoutPrefixProvider *dpp,
const off_t end,
rgw::sal::Bucket* bucket,
const string& obj_prefix,
RGWAccessControlPolicy * const bucket_acl,
const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
uint64_t * const ptotal_len,
uint64_t * const pobj_size,
string * const pobj_sum,
int (*cb)(rgw::sal::Bucket* bucket,
const rgw_bucket_dir_entry& ent,
RGWAccessControlPolicy * const bucket_acl,
const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
off_t start_ofs,
off_t end_ofs,
@ -1858,7 +1835,7 @@ static int iterate_slo_parts(const DoutPrefixProvider *dpp,
map<uint64_t, rgw_slo_part>& slo_parts,
int (*cb)(rgw::sal::Bucket* bucket,
const rgw_bucket_dir_entry& ent,
RGWAccessControlPolicy *bucket_acl,
const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
off_t start_ofs,
off_t end_ofs,
@ -1917,7 +1894,7 @@ static int iterate_slo_parts(const DoutPrefixProvider *dpp,
<< dendl;
// SLO is a Swift thing, and Swift has no knowledge of S3 Policies.
int r = cb(part.bucket, ent, part.bucket_acl,
int r = cb(part.bucket, ent, *part.bucket_acl,
(part.bucket_policy ?
boost::optional<Policy>(*part.bucket_policy) : none),
start_ofs, end_ofs, cb_param, true /* swift_slo */);
@ -1934,7 +1911,7 @@ static int iterate_slo_parts(const DoutPrefixProvider *dpp,
static int get_obj_user_manifest_iterate_cb(rgw::sal::Bucket* bucket,
const rgw_bucket_dir_entry& ent,
RGWAccessControlPolicy * const bucket_acl,
const RGWAccessControlPolicy& bucket_acl,
const boost::optional<Policy>& bucket_policy,
const off_t start_ofs,
const off_t end_ofs,
@ -1979,7 +1956,7 @@ int RGWGetObj::handle_user_manifest(const char *prefix, optional_yield y)
return r;
}
bucket_acl = &_bucket_acl;
r = read_bucket_policy(this, driver, s, ubucket->get_info(), bucket_attrs, bucket_acl, ubucket->get_key(), y);
r = read_bucket_policy(this, driver, s, ubucket->get_info(), bucket_attrs, *bucket_acl, ubucket->get_key(), y);
if (r < 0) {
ldpp_dout(this, 0) << "failed to read bucket policy" << dendl;
return r;
@ -1989,7 +1966,7 @@ int RGWGetObj::handle_user_manifest(const char *prefix, optional_yield y)
pbucket = ubucket.get();
} else {
pbucket = s->bucket.get();
bucket_acl = s->bucket_acl.get();
bucket_acl = &s->bucket_acl;
bucket_policy = &s->iam_policy;
}
@ -1998,7 +1975,7 @@ int RGWGetObj::handle_user_manifest(const char *prefix, optional_yield y)
* - overall DLO's content size,
* - md5 sum of overall DLO's content (for etag of Swift API). */
r = iterate_user_manifest_parts(this, s->cct, driver, ofs, end,
pbucket, obj_prefix, bucket_acl, *bucket_policy,
pbucket, obj_prefix, *bucket_acl, *bucket_policy,
nullptr, &s->obj_size, &lo_etag,
nullptr /* cb */, nullptr /* cb arg */, y);
if (r < 0) {
@ -2012,7 +1989,7 @@ int RGWGetObj::handle_user_manifest(const char *prefix, optional_yield y)
}
r = iterate_user_manifest_parts(this, s->cct, driver, ofs, end,
pbucket, obj_prefix, bucket_acl, *bucket_policy,
pbucket, obj_prefix, *bucket_acl, *bucket_policy,
&total_len, nullptr, nullptr,
nullptr, nullptr, y);
if (r < 0) {
@ -2026,7 +2003,7 @@ int RGWGetObj::handle_user_manifest(const char *prefix, optional_yield y)
}
r = iterate_user_manifest_parts(this, s->cct, driver, ofs, end,
pbucket, obj_prefix, bucket_acl, *bucket_policy,
pbucket, obj_prefix, *bucket_acl, *bucket_policy,
nullptr, nullptr, nullptr,
get_obj_user_manifest_iterate_cb, (void *)this, y);
if (r < 0) {
@ -2111,7 +2088,7 @@ int RGWGetObj::handle_slo_manifest(bufferlist& bl, optional_yield y)
}
bucket = tmp_bucket.get();
bucket_acl = &_bucket_acl;
r = read_bucket_policy(this, driver, s, tmp_bucket->get_info(), tmp_bucket->get_attrs(), bucket_acl,
r = read_bucket_policy(this, driver, s, tmp_bucket->get_info(), tmp_bucket->get_attrs(), *bucket_acl,
tmp_bucket->get_key(), y);
if (r < 0) {
ldpp_dout(this, 0) << "failed to read bucket ACL for bucket "
@ -2126,7 +2103,7 @@ int RGWGetObj::handle_slo_manifest(bufferlist& bl, optional_yield y)
}
} else {
bucket = s->bucket.get();
bucket_acl = s->bucket_acl.get();
bucket_acl = &s->bucket_acl;
bucket_policy = s->iam_policy.get_ptr();
}
@ -3516,7 +3493,7 @@ void RGWCreateBucket::execute(optional_yield y)
RGWAccessControlPolicy old_policy;
int r = rgw_op_get_bucket_policy_from_attr(this, s->cct, driver, info.owner,
s->bucket->get_attrs(),
&old_policy, y);
old_policy, y);
if (r >= 0 && old_policy != policy) {
s->err.message = "Cannot modify existing access control policy";
op_ret = -EEXIST;
@ -3850,7 +3827,7 @@ int RGWPutObj::verify_permission(optional_yield y)
cs_object->set_prefetch_data();
/* check source object permissions */
int ret = read_obj_policy(this, driver, s, copy_source_bucket_info, cs_attrs, &cs_acl, nullptr,
int ret = read_obj_policy(this, driver, s, copy_source_bucket_info, cs_attrs, cs_acl, nullptr,
policy, cs_bucket.get(), cs_object.get(), y, true);
if (ret < 0) {
return ret;
@ -4986,7 +4963,7 @@ void RGWPutMetadataBucket::execute(optional_yield y)
* contain such keys yet. */
if (has_policy) {
if (s->dialect.compare("swift") == 0) {
rgw::swift::merge_policy(policy_rw_mask, *s->bucket_acl, policy);
rgw::swift::merge_policy(policy_rw_mask, s->bucket_acl, policy);
}
buffer::list bl;
policy.encode(bl);
@ -5488,7 +5465,7 @@ int RGWCopyObj::verify_permission(optional_yield y)
rgw_placement_rule src_placement;
/* check source object permissions */
op_ret = read_obj_policy(this, driver, s, src_bucket->get_info(), src_bucket->get_attrs(), &src_acl, &src_placement.storage_class,
op_ret = read_obj_policy(this, driver, s, src_bucket->get_info(), src_bucket->get_attrs(), src_acl, &src_placement.storage_class,
src_policy, src_bucket.get(), s->src_object.get(), y);
if (op_ret < 0) {
return op_ret;
@ -5583,7 +5560,7 @@ int RGWCopyObj::verify_permission(optional_yield y)
/* check dest bucket permissions */
op_ret = read_bucket_policy(this, driver, s, s->bucket->get_info(),
s->bucket->get_attrs(),
&dest_bucket_policy, s->bucket->get_key(), y);
dest_bucket_policy, s->bucket->get_key(), y);
if (op_ret < 0) {
return op_ret;
}
@ -5888,9 +5865,9 @@ void RGWGetACLs::execute(optional_yield y)
{
stringstream ss;
if (rgw::sal::Object::empty(s->object.get())) {
rgw::s3::write_policy_xml(*s->bucket_acl, ss);
rgw::s3::write_policy_xml(s->bucket_acl, ss);
} else {
rgw::s3::write_policy_xml(*s->object_acl, ss);
rgw::s3::write_policy_xml(s->object_acl, ss);
}
acls = ss.str();
}
@ -5982,10 +5959,10 @@ void RGWDeleteLC::pre_exec()
void RGWPutACLs::execute(optional_yield y)
{
RGWAccessControlPolicy* const existing_policy = \
(rgw::sal::Object::empty(s->object.get()) ? s->bucket_acl.get() : s->object_acl.get());
const RGWAccessControlPolicy& existing_policy = \
(rgw::sal::Object::empty(s->object.get()) ? s->bucket_acl : s->object_acl);
const ACLOwner& existing_owner = existing_policy->get_owner();
const ACLOwner& existing_owner = existing_policy.get_owner();
op_ret = get_params(y);
if (op_ret < 0) {
@ -6056,7 +6033,7 @@ void RGWPutACLs::execute(optional_yield y)
if (s->cct->_conf->subsys.should_gather<ceph_subsys_rgw, 15>()) {
ldpp_dout(this, 15) << "Old AccessControlPolicy";
rgw::s3::write_policy_xml(*existing_policy, *_dout);
rgw::s3::write_policy_xml(existing_policy, *_dout);
*_dout << dendl;
ldpp_dout(this, 15) << "New AccessControlPolicy:";
@ -7376,7 +7353,7 @@ bool RGWBulkDelete::Deleter::verify_permission(RGWBucketInfo& binfo,
optional_yield y)
{
RGWAccessControlPolicy bacl;
int ret = read_bucket_policy(dpp, driver, s, binfo, battrs, &bacl, binfo.bucket, y);
int ret = read_bucket_policy(dpp, driver, s, binfo, battrs, bacl, binfo.bucket, y);
if (ret < 0) {
return false;
}
@ -7387,8 +7364,8 @@ bool RGWBulkDelete::Deleter::verify_permission(RGWBucketInfo& binfo,
/* We can use global user_acl because each BulkDelete request is allowed
* to work on entities from a single account only. */
return verify_bucket_permission(dpp, s, binfo.bucket, s->user_acl.get(),
&bacl, policy, s->iam_user_policies, s->session_policies, rgw::IAM::s3DeleteBucket);
return verify_bucket_permission(dpp, s, binfo.bucket, s->user_acl,
bacl, policy, s->iam_user_policies, s->session_policies, rgw::IAM::s3DeleteBucket);
}
bool RGWBulkDelete::Deleter::delete_single(const acct_path_t& path, optional_yield y)
@ -7715,7 +7692,7 @@ bool RGWBulkUploadOp::handle_file_verify_permission(RGWBucketInfo& binfo,
optional_yield y)
{
RGWAccessControlPolicy bacl;
op_ret = read_bucket_policy(this, driver, s, binfo, battrs, &bacl, binfo.bucket, y);
op_ret = read_bucket_policy(this, driver, s, binfo, battrs, bacl, binfo.bucket, y);
if (op_ret < 0) {
ldpp_dout(this, 20) << "cannot read_policy() for bucket" << dendl;
return false;
@ -7768,8 +7745,8 @@ bool RGWBulkUploadOp::handle_file_verify_permission(RGWBucketInfo& binfo,
}
}
return verify_bucket_permission_no_policy(this, s, s->user_acl.get(),
&bacl, RGW_PERM_WRITE);
return verify_bucket_permission_no_policy(this, s, s->user_acl,
bacl, RGW_PERM_WRITE);
}
int RGWBulkUploadOp::handle_file(const std::string_view path,
@ -8880,7 +8857,7 @@ int RGWGetBucketPolicyStatus::verify_permission(optional_yield y)
void RGWGetBucketPolicyStatus::execute(optional_yield y)
{
isPublic = (s->iam_policy && rgw::IAM::is_public(*s->iam_policy)) || s->bucket_acl->is_public(this);
isPublic = (s->iam_policy && rgw::IAM::is_public(*s->iam_policy)) || s->bucket_acl.is_public(this);
}
int RGWPutBucketPublicAccessBlock::verify_permission(optional_yield y)

4
src/rgw/rgw_op.h
View File

@ -79,7 +79,7 @@ int rgw_op_get_bucket_policy_from_attr(const DoutPrefixProvider *dpp,
rgw::sal::Driver* driver,
const rgw_user& bucket_owner,
std::map<std::string, bufferlist>& bucket_attrs,
RGWAccessControlPolicy *policy,
RGWAccessControlPolicy& policy,
optional_yield y);
class RGWHandler {
@ -420,7 +420,7 @@ public:
int read_user_manifest_part(
rgw::sal::Bucket* bucket,
const rgw_bucket_dir_entry& ent,
RGWAccessControlPolicy * const bucket_acl,
const RGWAccessControlPolicy& bucket_acl,
const boost::optional<rgw::IAM::Policy>& bucket_policy,
const off_t start_ofs,
const off_t end_ofs,

22
src/rgw/rgw_rest_swift.cc
View File

@ -188,7 +188,7 @@ void RGWListBuckets_ObjStore_SWIFT::send_response_begin(bool has_buckets)
s->user->get_attrs(),
s->user->get_info().quota.user_quota,
s->user->get_max_buckets(),
*s->user_acl);
s->user_acl);
dump_errno(s);
dump_header(s, "Accept-Ranges", "bytes");
end_header(s, NULL, NULL, NO_CONTENT_LENGTH, true);
@ -287,7 +287,7 @@ void RGWListBuckets_ObjStore_SWIFT::send_response_end()
s->user->get_attrs(),
s->user->get_info().quota.user_quota,
s->user->get_max_buckets(),
*s->user_acl);
s->user_acl);
dump_errno(s);
end_header(s, nullptr, nullptr, s->formatter->get_len(), true);
}
@ -471,7 +471,7 @@ static void dump_container_metadata(req_state *s,
if (rgw::sal::Object::empty(s->object.get())) {
std::string read_acl, write_acl;
rgw::swift::format_container_acls(*s->bucket_acl, read_acl, write_acl);
rgw::swift::format_container_acls(s->bucket_acl, read_acl, write_acl);
if (read_acl.size()) {
dump_header(s, "X-Container-Read", read_acl);
@ -565,7 +565,7 @@ void RGWStatAccount_ObjStore_SWIFT::send_response()
attrs,
s->user->get_info().quota.user_quota,
s->user->get_max_buckets(),
*s->user_acl);
s->user_acl);
}
set_req_state_err(s, op_ret);
@ -593,7 +593,7 @@ void RGWStatBucket_ObjStore_SWIFT::send_response()
static int get_swift_container_settings(req_state * const s,
rgw::sal::Driver* const driver,
RGWAccessControlPolicy * const policy,
RGWAccessControlPolicy& policy,
bool * const has_policy,
uint32_t * rw_mask,
RGWCORSConfiguration * const cors_config,
@ -611,7 +611,7 @@ static int get_swift_container_settings(req_state * const s,
read_list,
write_list,
*rw_mask,
*policy);
policy);
if (r < 0) {
return r;
}
@ -713,7 +713,7 @@ int RGWCreateBucket_ObjStore_SWIFT::get_params(optional_yield y)
bool has_policy;
uint32_t policy_rw_mask = 0;
int r = get_swift_container_settings(s, driver, &policy, &has_policy,
int r = get_swift_container_settings(s, driver, policy, &has_policy,
&policy_rw_mask, &cors_config, &has_cors);
if (r < 0) {
return r;
@ -1057,7 +1057,7 @@ void RGWPutObj_ObjStore_SWIFT::send_response()
static int get_swift_account_settings(req_state * const s,
rgw::sal::Driver* const driver,
RGWAccessControlPolicy* const policy,
RGWAccessControlPolicy& policy,
bool * const has_policy)
{
*has_policy = false;
@ -1067,7 +1067,7 @@ static int get_swift_account_settings(req_state * const s,
int r = rgw::swift::create_account_policy(s, driver,
s->user->get_id(),
s->user->get_display_name(),
acl_attr, *policy);
acl_attr, policy);
if (r < 0) {
return r;
}
@ -1084,7 +1084,7 @@ int RGWPutMetadataAccount_ObjStore_SWIFT::get_params(optional_yield y)
return -EINVAL;
}
int ret = get_swift_account_settings(s, driver, &policy, &has_policy);
int ret = get_swift_account_settings(s, driver, policy, &has_policy);
if (ret < 0) {
return ret;
}
@ -1117,7 +1117,7 @@ int RGWPutMetadataBucket_ObjStore_SWIFT::get_params(optional_yield y)
return -EINVAL;
}
int r = get_swift_container_settings(s, driver, &policy, &has_policy,
int r = get_swift_container_settings(s, driver, policy, &has_policy,
&policy_rw_mask, &cors_config, &has_cors);
if (r < 0) {
return r;