rgw/s3: ObjectOwnership interacts with canned acls

cbodley · cbodley · commit 5ed9b1f3aa5f · 2025-07-30T15:31:06.000-04:00
when object uploads specify a canned acl, they call create_canned_acl()
to build the corresponding RGWAccessControlPolicy

ObjectOwnership adds two special cases to this:
* BucketOwnerEnforced denies acls other than "bucket-owner-full-control"
* BucketOwnerPreferred overrides owner for "bucket-owner-full-control"

Signed-off-by: Casey Bodley &lt;cbodley@redhat.com&gt;
diff --git a/src/rgw/rgw_acl_s3.cc b/src/rgw/rgw_acl_s3.cc
@@ -677,14 +677,32 @@ void write_policy_xml(const RGWAccessControlPolicy& policy,
 
 int create_canned_acl(const ACLOwner& owner,
                       const ACLOwner& bucket_owner,
+                      ObjectOwnership object_ownership,
                       const std::string& canned_acl,
-                      RGWAccessControlPolicy& policy)
+                      RGWAccessControlPolicy& policy,
+                      std::string& error_message)
 {
   if (owner.id == parse_owner("anonymous")) {
     policy.set_owner(bucket_owner);
   } else {
     policy.set_owner(owner);
   }
+
+  // special handling for BucketOwnerEnforced/Preferred
+  if (object_ownership == ObjectOwnership::BucketOwnerEnforced) {
+    // only supports bucket-owner-full-control
+    if (canned_acl != "" && canned_acl != "bucket-owner-full-control") {
+      error_message = "Cannot set ACLs when ObjectOwnership is BucketOwnerEnforced.";
+      return -ERR_ACLS_NOT_SUPPORTED;
+    }
+    policy.set_owner(bucket_owner);
+  } else if (object_ownership == ObjectOwnership::BucketOwnerPreferred) {
+    // prefer bucket owner only for bucket-owner-full-control
+    if (canned_acl == "bucket-owner-full-control") {
+      policy.set_owner(bucket_owner);
+    }
+  }
+
   return create_canned(owner, bucket_owner, canned_acl, policy.get_acl());
 }
 
diff --git a/src/rgw/rgw_acl_s3.h b/src/rgw/rgw_acl_s3.h
@@ -11,6 +11,7 @@
 #include "common/async/yield_context.h"
 #include "rgw_xml.h"
 #include "rgw_acl.h"
+#include "rgw_object_ownership.h"
 #include "rgw_sal_fwd.h"
 
 class RGWEnv;
@@ -34,8 +35,10 @@ void write_policy_xml(const RGWAccessControlPolicy& policy,
 /// Construct a policy from a s3 canned acl string.
 int create_canned_acl(const ACLOwner& owner,
                       const ACLOwner& bucket_owner,
+                      ObjectOwnership object_ownership,
                       const std::string& canned_acl,
-                      RGWAccessControlPolicy& policy);
+                      RGWAccessControlPolicy& policy,
+                      std::string& error_message);
 
 /// Construct a policy from x-amz-grant-* request headers.
 int create_policy_from_headers(const DoutPrefixProvider* dpp,
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
@@ -2526,7 +2526,8 @@ static int create_s3_policy(req_state *s, rgw::sal::Driver* driver,
   }
 
   return rgw::s3::create_canned_acl(owner, s->bucket_owner,
-                                    s->canned_acl, policy);
+                                    s->bucket_object_ownership,
+                                    s->canned_acl, policy, s->err.message);
 }
 
 class RGWLocationConstraint : public XMLObj
@@ -3423,7 +3424,8 @@ int RGWPostObj_ObjStore_S3::get_policy(optional_yield y)
 
   ldpp_dout(this, 20) << "canned_acl=" << canned_acl << dendl;
   int r = rgw::s3::create_canned_acl(s->owner, s->bucket_owner,
-                                     canned_acl, policy);
+                                     s->bucket_object_ownership,
+                                     canned_acl, policy, s->err.message);
   if (r < 0) {
     err_msg = "Bad canned ACLs";
     return r;
