rgw/s3: reject PutBucket/ObjectAcl for BucketOwnerEnforced

Signed-off-by: Casey Bodley <[email protected]>

Author: cbodley

src/rgw/rgw_common.cc

@@ -144,6 +144,7 @@ rgw_http_errors rgw_http_s3_errors({
     { ECANCELED, {409, "ConcurrentModification"}},
     { EDQUOT, {507, "InsufficientCapacity"}},
     { ENOSPC, {507, "InsufficientCapacity"}},
+    { ERR_ACLS_NOT_SUPPORTED, {400, "AccessControlListNotSupported"}},
 });
 
 rgw_http_errors rgw_http_swift_errors({

src/rgw/rgw_common.h

@@ -352,6 +352,7 @@ inline constexpr const char* RGW_REST_STS_XMLNS =
 #define ERR_PRESIGNED_URL_DISABLED     2224
 #define ERR_AUTHORIZATION        2225 // SNS 403 AuthorizationError
 #define ERR_ILLEGAL_LOCATION_CONSTRAINT_EXCEPTION 2226
+#define ERR_ACLS_NOT_SUPPORTED   2227 // 400 AccessControlListNotSupported
 
 #define ERR_BUSY_RESHARDING      2300 // also in cls_rgw_types.h, don't change!
 #define ERR_NO_SUCH_ENTITY       2301

src/rgw/rgw_op.cc

@@ -6302,6 +6302,12 @@ void RGWDeleteLC::pre_exec()
 
 void RGWPutACLs::execute(optional_yield y)
 {
+  if (s->bucket_object_ownership == rgw::s3::ObjectOwnership::BucketOwnerEnforced) {
+    s->err.message = "Cannot set ACLs when ObjectOwnership is BucketOwnerEnforced.";
+    op_ret = -ERR_ACLS_NOT_SUPPORTED;
+    return;
+  }
+
   const RGWAccessControlPolicy& existing_policy = \
     (rgw::sal::Object::empty(s->object.get()) ? s->bucket_acl : s->object_acl);