rgw/s3: authorization ignores object acls for BucketOwnerEnforced

cbodley · cbodley · commit 0b05b3423087 · 2025-07-30T15:31:06.000-04:00
Signed-off-by: Casey Bodley &lt;cbodley@redhat.com&gt;
diff --git a/src/rgw/driver/rados/rgw_data_sync.cc b/src/rgw/driver/rados/rgw_data_sync.cc
@@ -2693,6 +2693,7 @@ int RGWUserPermHandler::Bucket::init(RGWUserPermHandler *handler,
              info->env,
              info->identity.get(),
              bucket_info,
+             rgw::s3::ObjectOwnership::ObjectWriter,
              info->identity->get_perm_mask(),
              false, /* defer to bucket acls */
              nullptr, /* referer */
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
@@ -1117,6 +1117,7 @@ struct perm_state_from_req_state : public perm_state_base {
 		      _s->env,
 		      _s->auth.identity.get(),
 		      _s->bucket.get() ? _s->bucket->get_info() : RGWBucketInfo(),
+		      _s->bucket_object_ownership,
 		      _s->perm_mask,
 		      _s->defer_to_bucket_acls,
 		      _s->bucket_access_conf),
@@ -1624,11 +1625,12 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
     return true;
   }
 
-  bool ret = object_acl.verify_permission(dpp, *ps->identity, ps->perm_mask, perm,
-					  nullptr, /* http referrer */
-					  ps->bucket_access_conf &&
-					  ps->bucket_access_conf->ignore_public_acls());
-  if (ret) {
+  // object ACLs don't apply for BucketOwnerEnforced
+  if (ps->bucket_object_ownership != rgw::s3::ObjectOwnership::BucketOwnerEnforced &&
+      object_acl.verify_permission(dpp, *ps->identity, ps->perm_mask, perm,
+                                   nullptr, /* http referrer */
+                                   ps->bucket_access_conf &&
+                                   ps->bucket_access_conf->ignore_public_acls())) {
     ldpp_dout(dpp, 10) << __func__ << ": granted by object acl" << dendl;
     if (granted_by_acl) {
       *granted_by_acl = true;
@@ -1637,7 +1639,7 @@ bool verify_object_permission_no_policy(const DoutPrefixProvider* dpp,
   }
 
   if (!ps->cct->_conf->rgw_enforce_swift_acls)
-    return ret;
+    return false;
 
   if ((perm & (int)ps->perm_mask) != perm)
     return false;
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
@@ -43,6 +43,7 @@
 #include "common/async/yield_context.h"
 #include "rgw_website.h"
 #include "rgw_object_lock.h"
+#include "rgw_object_ownership.h"
 #include "rgw_tag.h"
 #include "rgw_op_type.h"
 #include "rgw_sync_policy.h"
@@ -1383,6 +1384,7 @@ struct req_state : DoutPrefixProvider {
   rgw::IAM::Environment env;
   boost::optional<rgw::IAM::Policy> iam_policy;
   boost::optional<PublicAccessBlockConfiguration> bucket_access_conf;
+  rgw::s3::ObjectOwnership bucket_object_ownership = rgw::s3::ObjectOwnership::ObjectWriter;
   std::vector<rgw::IAM::Policy> iam_identity_policies;
 
   /* Is the request made by an user marked as a system one?
@@ -1695,6 +1697,7 @@ struct perm_state_base {
   const rgw::IAM::Environment& env;
   rgw::auth::Identity *identity;
   const RGWBucketInfo bucket_info;
+  rgw::s3::ObjectOwnership bucket_object_ownership;
   int perm_mask;
   bool defer_to_bucket_acls;
   boost::optional<PublicAccessBlockConfiguration> bucket_access_conf;
@@ -1703,13 +1706,15 @@ struct perm_state_base {
                   const rgw::IAM::Environment& _env,
                   rgw::auth::Identity *_identity,
                   const RGWBucketInfo& _bucket_info,
+                  rgw::s3::ObjectOwnership bucket_object_ownership,
                   int _perm_mask,
                   bool _defer_to_bucket_acls,
                   boost::optional<PublicAccessBlockConfiguration> _bucket_access_conf = boost::none) :
                                                 cct(_cct),
                                                 env(_env),
                                                 identity(_identity),
                                                 bucket_info(_bucket_info),
+                                                bucket_object_ownership(bucket_object_ownership),
                                                 perm_mask(_perm_mask),
                                                 defer_to_bucket_acls(_defer_to_bucket_acls),
                                                 bucket_access_conf(_bucket_access_conf)
@@ -1732,13 +1737,15 @@ struct perm_state : public perm_state_base {
              const rgw::IAM::Environment& _env,
              rgw::auth::Identity *_identity,
              const RGWBucketInfo& _bucket_info,
+             rgw::s3::ObjectOwnership bucket_object_ownership,
              int _perm_mask,
              bool _defer_to_bucket_acls,
              const char *_referer,
              bool _request_payer) : perm_state_base(_cct,
                                                     _env,
                                                     _identity,
                                                     _bucket_info,
+                                                    bucket_object_ownership,
                                                     _perm_mask,
                                                     _defer_to_bucket_acls),
                                     referer(_referer),
diff --git a/src/rgw/rgw_object_ownership.cc b/src/rgw/rgw_object_ownership.cc
@@ -14,6 +14,7 @@
  */
 
 #include "rgw_object_ownership.h"
+#include "rgw_common.h"
 #include "rgw_xml.h"
 
 namespace rgw::s3 {
@@ -87,4 +88,22 @@ void decode(OwnershipControls& c, bufferlist::const_iterator& bl)
   DECODE_FINISH(bl);
 }
 
+ObjectOwnership get_object_ownership(const sal::Attrs& attrs)
+{
+  auto i = attrs.find(RGW_ATTR_OWNERSHIP_CONTROLS);
+  if (i == attrs.end()) {
+    // default to ObjectWriter for backward compat
+    return ObjectOwnership::ObjectWriter;
+  }
+
+  try {
+    OwnershipControls ownership;
+    auto p = i->second.cbegin();
+    decode(ownership, p);
+    return ownership.object_ownership;
+  } catch (const buffer::error&) {
+    return ObjectOwnership::ObjectWriter;
+  }
+}
+
 } // namespace rgw::s3
diff --git a/src/rgw/rgw_object_ownership.h b/src/rgw/rgw_object_ownership.h
@@ -19,6 +19,7 @@
 #include <optional>
 #include <string>
 #include "include/encoding.h"
+#include "rgw_sal_fwd.h"
 
 class XMLObj;
 namespace ceph { class Formatter; }
@@ -51,4 +52,8 @@ struct OwnershipControls {
 void encode(const OwnershipControls&, bufferlist&, uint64_t f=0);
 void decode(OwnershipControls&, bufferlist::const_iterator&);
 
+/// Return the ObjectOwnership from RGW_ATTR_OWNERSHIP_CONTROLS,
+/// or default to ObjectWriter.
+ObjectOwnership get_object_ownership(const sal::Attrs& attrs);
+
 } // namespace rgw::s3
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
@@ -615,7 +615,8 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d
       return -EINVAL;
     }
 
-    s->bucket_access_conf = get_public_access_conf_from_attr(s->bucket->get_attrs());
+    s->bucket_access_conf = get_public_access_conf_from_attr(s->bucket_attrs);
+    s->bucket_object_ownership = rgw::s3::get_object_ownership(s->bucket_attrs);
   }
 
   /* handle user ACL only for those APIs which support it */

Original file line number	Diff line number	Diff line change
`@@ -615,7 +615,8 @@ int rgw_build_bucket_policies(const DoutPrefixProvider dpp, rgw::sal::Driver d`
`615`	`615`	`return -EINVAL;`
`616`	`616`	`}`
`617`	`617`
`618`		`- s->bucket_access_conf = get_public_access_conf_from_attr(s->bucket->get_attrs());`
	`618`	`+ s->bucket_access_conf = get_public_access_conf_from_attr(s->bucket_attrs);`
	`619`	`+ s->bucket_object_ownership = rgw::s3::get_object_ownership(s->bucket_attrs);`
`619`	`620`	`}`
`620`	`621`
`621`	`622`	`/* handle user ACL only for those APIs which support it */`