rgw/s3: add Put/Get/DeleteBucketOwnershipControls

cbodley · cbodley · commit e834454a6d59 · 2025-07-30T15:31:06.000-04:00
Signed-off-by: Casey Bodley &lt;cbodley@redhat.com&gt;
diff --git a/src/rgw/rgw_common.cc b/src/rgw/rgw_common.cc
@@ -145,6 +145,8 @@ rgw_http_errors rgw_http_s3_errors({
     { EDQUOT, {507, "InsufficientCapacity"}},
     { ENOSPC, {507, "InsufficientCapacity"}},
     { ERR_ACLS_NOT_SUPPORTED, {400, "AccessControlListNotSupported"}},
+    { ERR_INVALID_BUCKET_ACL, {400, "InvalidBucketAclWithObjectOwnership"}},
+    { ERR_NO_SUCH_OWNERSHIP_CONTROLS, {404, "OwnershipControlsNotFoundError"}},
 });
 
 rgw_http_errors rgw_http_swift_errors({
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
@@ -353,6 +353,8 @@ inline constexpr const char* RGW_REST_STS_XMLNS =
 #define ERR_AUTHORIZATION        2225 // SNS 403 AuthorizationError
 #define ERR_ILLEGAL_LOCATION_CONSTRAINT_EXCEPTION 2226
 #define ERR_ACLS_NOT_SUPPORTED   2227 // 400 AccessControlListNotSupported
+#define ERR_INVALID_BUCKET_ACL   2228 // 400 InvalidBucketAclWithObjectOwnership
+#define ERR_NO_SUCH_OWNERSHIP_CONTROLS 2229 // 404 OwnershipControlsNotFoundError
 
 #define ERR_BUSY_RESHARDING      2300 // also in cls_rgw_types.h, don't change!
 #define ERR_NO_SUCH_ENTITY       2301
diff --git a/src/rgw/rgw_iam_policy.h b/src/rgw/rgw_iam_policy.h
@@ -303,6 +303,7 @@ inline int op_to_perm(std::uint64_t op) {
   case s3GetReplicationConfiguration:
   case s3GetBucketObjectLockConfiguration:
   case s3GetBucketPublicAccessBlock:
+  case s3GetBucketOwnershipControls:
     return RGW_PERM_READ_ACP;
 
   case s3DeleteBucketPolicy:
@@ -326,6 +327,7 @@ inline int op_to_perm(std::uint64_t op) {
   case s3PutReplicationConfiguration:
   case s3PutBucketObjectLockConfiguration:
   case s3PutBucketPublicAccessBlock:
+  case s3PutBucketOwnershipControls:
     return RGW_PERM_WRITE_ACP;
 
   case s3All:
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
@@ -9570,6 +9570,119 @@ void RGWDeleteBucketEncryption::execute(optional_yield y)
   }, y);
 }
 
+int RGWPutBucketOwnershipControls::verify_permission(optional_yield y)
+{
+  if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketOwnershipControls)) {
+    return -EACCES;
+  }
+  return 0;
+}
+
+void RGWPutBucketOwnershipControls::execute(optional_yield y)
+{
+  op_ret = get_params(y);
+  if (op_ret < 0) {
+    return;
+  }
+
+  op_ret = rgw_forward_request_to_master(this, *s->penv.site, s->owner.id,
+                                         &data, nullptr, s->info, s->err, y);
+  if (op_ret < 0) {
+    ldpp_dout(this, 20) << "forward_request_to_master returned ret=" << op_ret << dendl;
+    return;
+  }
+
+  bufferlist conf_bl;
+  encode(ownership, conf_bl);
+
+  // construct a default private acl for BucketOwnerEnforced comparison
+  RGWAccessControlPolicy private_acl;
+  private_acl.create_default(s->bucket_owner.id,
+                             s->bucket_owner.display_name);
+
+  op_ret = retry_raced_bucket_write(this, s->bucket.get(),
+      [this, y, &conf_bl, &private_acl] {
+        rgw::sal::Attrs& attrs = s->bucket->get_attrs();
+
+        using rgw::s3::ObjectOwnership::BucketOwnerEnforced;
+        if (ownership.object_ownership == BucketOwnerEnforced) {
+          // reject BucketOwnerEnforced if the bucket's acl doesn't
+          // match the default private acl policy
+          RGWAccessControlPolicy bucket_acl;
+          if (auto i = attrs.find(RGW_ATTR_ACL); i != attrs.end()) {
+            try {
+              auto p = i->second.cbegin();
+              decode(bucket_acl, p);
+            } catch (const buffer::error&) {
+              ldpp_dout(this, 20) << "failed to decode RGW_ATTR_ACL" << dendl;
+              return -EIO;
+            }
+            if (bucket_acl != private_acl) {
+              s->err.message = "The bucket's ACL must be made private "
+                  "before setting BucketOwnerEnforced.";
+              return -ERR_INVALID_BUCKET_ACL;
+            }
+          }
+        }
+
+        attrs[RGW_ATTR_OWNERSHIP_CONTROLS] = conf_bl;
+        return s->bucket->put_info(this, false, real_time(), y);
+      }, y);
+}
+
+int RGWGetBucketOwnershipControls::verify_permission(optional_yield y)
+{
+  if (!verify_bucket_permission(this, s, rgw::IAM::s3GetBucketOwnershipControls)) {
+    return -EACCES;
+  }
+  return 0;
+}
+
+void RGWGetBucketOwnershipControls::execute(optional_yield y)
+{
+  const auto& attrs = s->bucket_attrs;
+  if (auto aiter = attrs.find(RGW_ATTR_OWNERSHIP_CONTROLS);
+      aiter == attrs.end()) {
+    op_ret = -ENOENT;
+    s->err.message = "The bucket ownership controls were not found";
+    return;
+  } else {
+    bufferlist::const_iterator iter{&aiter->second};
+    try {
+      decode(ownership, iter);
+    } catch (const buffer::error& e) {
+      ldpp_dout(this, 0) << __func__ << " failed to decode "
+          "RGW_ATTR_OWNERSHIP_CONTROLS: " << e.what() << dendl;
+      op_ret = -EIO;
+      return;
+    }
+  }
+}
+
+int RGWDeleteBucketOwnershipControls::verify_permission(optional_yield y)
+{
+  if (!verify_bucket_permission(this, s, rgw::IAM::s3PutBucketOwnershipControls)) {
+    return -EACCES;
+  }
+  return 0;
+}
+
+void RGWDeleteBucketOwnershipControls::execute(optional_yield y)
+{
+  op_ret = rgw_forward_request_to_master(this, *s->penv.site, s->owner.id,
+                                         nullptr, nullptr, s->info, s->err, y);
+  if (op_ret < 0) {
+    ldpp_dout(this, 0) << "forward_request_to_master returned ret=" << op_ret << dendl;
+    return;
+  }
+
+  op_ret = retry_raced_bucket_write(this, s->bucket.get(), [this, y] {
+    rgw::sal::Attrs& attrs = s->bucket->get_attrs();
+    attrs.erase(RGW_ATTR_OWNERSHIP_CONTROLS);
+    return s->bucket->put_info(this, false, real_time(), y);
+  }, y);
+}
+
 void rgw_slo_entry::decode_json(JSONObj *obj)
 {
   JSONDecoder::decode_json("path", path, obj);
diff --git a/src/rgw/rgw_op.h b/src/rgw/rgw_op.h
@@ -1934,6 +1934,39 @@ class RGWDeleteBucketEncryption : public RGWOp {
   uint32_t op_mask() override { return RGW_OP_TYPE_WRITE; }
 };
 
+class RGWPutBucketOwnershipControls : public RGWOp {
+ protected:
+  rgw::s3::OwnershipControls ownership;
+  bufferlist data;
+ public:
+  virtual int get_params(optional_yield y) = 0;
+  int verify_permission(optional_yield y) override;
+  void execute(optional_yield y) override;
+  const char* name() const override { return "put_bucket_ownership_controls"; }
+  RGWOpType get_type() override { return RGW_OP_PUT_BUCKET_OWNERSHIP_CONTROLS; }
+  uint32_t op_mask() override { return RGW_OP_TYPE_WRITE; }
+};
+
+class RGWGetBucketOwnershipControls : public RGWOp {
+ protected:
+  rgw::s3::OwnershipControls ownership;
+ public:
+  int verify_permission(optional_yield y) override;
+  void execute(optional_yield y) override;
+  const char* name() const override { return "get_bucket_ownership_controls"; }
+  RGWOpType get_type() override { return RGW_OP_GET_BUCKET_OWNERSHIP_CONTROLS; }
+  uint32_t op_mask() override { return RGW_OP_TYPE_READ; }
+};
+
+class RGWDeleteBucketOwnershipControls : public RGWOp {
+ public:
+  int verify_permission(optional_yield y) override;
+  void execute(optional_yield y) override;
+  const char* name() const override { return "delete_bucket_ownership_controls"; }
+  RGWOpType get_type() override { return RGW_OP_DELETE_BUCKET_OWNERSHIP_CONTROLS; }
+  uint32_t op_mask() override { return RGW_OP_TYPE_WRITE; }
+};
+
 class RGWGetRequestPayment : public RGWOp {
 protected:
   bool requester_pays;
diff --git a/src/rgw/rgw_op_type.h b/src/rgw/rgw_op_type.h
@@ -69,6 +69,9 @@ enum RGWOpType {
   RGW_OP_GET_OBJ_RETENTION,
   RGW_OP_PUT_OBJ_LEGAL_HOLD,
   RGW_OP_GET_OBJ_LEGAL_HOLD,
+  RGW_OP_PUT_BUCKET_OWNERSHIP_CONTROLS,
+  RGW_OP_GET_BUCKET_OWNERSHIP_CONTROLS,
+  RGW_OP_DELETE_BUCKET_OWNERSHIP_CONTROLS,
   // IAM
   RGW_OP_PUT_USER_POLICY,
   RGW_OP_GET_USER_POLICY,
diff --git a/src/rgw/rgw_rest.h b/src/rgw/rgw_rest.h
@@ -434,6 +434,12 @@ class RGWDeleteBucketEncryption_ObjStore : public RGWDeleteBucketEncryption {
   ~RGWDeleteBucketEncryption_ObjStore() override {}
 };
 
+class RGWGetBucketOwnershipControls_ObjStore : public RGWGetBucketOwnershipControls {};
+
+class RGWPutBucketOwnershipControls_ObjStore : public RGWPutBucketOwnershipControls {};
+
+class RGWDeleteBucketOwnershipControls_ObjStore : public RGWDeleteBucketOwnershipControls {};
+
 class RGWInitMultipart_ObjStore : public RGWInitMultipart {
 public:
   RGWInitMultipart_ObjStore() {}
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
@@ -4408,6 +4408,73 @@ void RGWDeleteBucketEncryption_ObjStore_S3::send_response()
   end_header(s);
 }
 
+int RGWPutBucketOwnershipControls_ObjStore_S3::get_params(optional_yield y)
+{
+  const auto max_size = s->cct->_conf->rgw_max_put_param_size;
+  int ret = 0;
+  std::tie(ret, data) = read_all_input(s, max_size, false);
+  if (ret < 0) {
+    return ret;
+  }
+
+  RGWXMLParser parser;
+  if (!parser.init()) {
+    return -EINVAL;
+  }
+  if (!parser.parse(data.c_str(), data.length(), 1)) {
+    ldpp_dout(this, 5) << "ERROR: malformed XML" << dendl;
+    return -ERR_MALFORMED_XML;
+  }
+  XMLObj* o = parser.find_first("OwnershipControls");
+  if (!o) {
+    s->err.message = "Missing required element OwnershipControls";
+    return -ERR_MALFORMED_XML;
+  }
+  if (!ownership.decode_xml(o, s->err.message)) {
+    return -ERR_MALFORMED_XML;
+  }
+  return 0;
+}
+
+void RGWPutBucketOwnershipControls_ObjStore_S3::send_response()
+{
+  if (op_ret) {
+    set_req_state_err(s, op_ret);
+  }
+  dump_errno(s);
+  end_header(s);
+}
+
+void RGWGetBucketOwnershipControls_ObjStore_S3::send_response()
+{
+  if (op_ret) {
+    if (op_ret == -ENOENT)
+      set_req_state_err(s, -ERR_NO_SUCH_OWNERSHIP_CONTROLS);
+    else
+      set_req_state_err(s, op_ret);
+  }
+
+  dump_errno(s);
+  end_header(s, this, to_mime_type(s->format));
+  dump_start(s);
+
+  if (!op_ret) {
+    encode_xml("OwnershipControls", XMLNS_AWS_S3, ownership, s->formatter);
+    rgw_flush_formatter_and_reset(s, s->formatter);
+  }
+}
+
+void RGWDeleteBucketOwnershipControls_ObjStore_S3::send_response()
+{
+  if (op_ret == 0) {
+    op_ret = STATUS_NO_CONTENT;
+  }
+
+  set_req_state_err(s, op_ret);
+  dump_errno(s);
+  end_header(s);
+}
+
 void RGWGetRequestPayment_ObjStore_S3::send_response()
 {
   dump_errno(s);
@@ -5235,6 +5302,8 @@ RGWOp *RGWHandler_REST_Bucket_S3::op_get()
     return new RGWGetBucketPublicAccessBlock_ObjStore_S3;
   } else if (is_bucket_encryption_op()) {
     return new RGWGetBucketEncryption_ObjStore_S3;
+  } else if (is_bucket_ownership_op()) {
+    return new RGWGetBucketOwnershipControls_ObjStore_S3;
   }
   return get_obj_op(true);
 }
@@ -5293,6 +5362,8 @@ RGWOp *RGWHandler_REST_Bucket_S3::op_put()
     return new RGWPutBucketPublicAccessBlock_ObjStore_S3;
   } else if (is_bucket_encryption_op()) {
     return new RGWPutBucketEncryption_ObjStore_S3;
+  } else if (is_bucket_ownership_op()) {
+    return new RGWPutBucketOwnershipControls_ObjStore_S3;
   }
   return new RGWCreateBucket_ObjStore_S3;
 }
@@ -5318,6 +5389,8 @@ RGWOp *RGWHandler_REST_Bucket_S3::op_delete()
     return new RGWDeleteBucketPublicAccessBlock;
   } else if (is_bucket_encryption_op()) {
     return new RGWDeleteBucketEncryption_ObjStore_S3;
+  } else if (is_bucket_ownership_op()) {
+    return new RGWDeleteBucketOwnershipControls_ObjStore_S3;
   }
 
   if (s->info.args.sub_resource_exists("website")) {
@@ -6510,6 +6583,7 @@ AWSGeneralAbstractor::get_auth_data_v4(const req_state* const s,
         case RGW_OP_PUT_BUCKET_LOGGING:
         case RGW_OP_POST_BUCKET_LOGGING:
         case RGW_OP_GET_BUCKET_LOGGING: 
+        case RGW_OP_PUT_BUCKET_OWNERSHIP_CONTROLS:
           break;
         default:
           ldpp_dout(s, 10) << "ERROR: AWS4 completion for operation: " << s->op_type << ", NOT IMPLEMENTED" << dendl;
diff --git a/src/rgw/rgw_rest_s3.h b/src/rgw/rgw_rest_s3.h
@@ -467,6 +467,22 @@ class RGWDeleteBucketEncryption_ObjStore_S3 : public RGWDeleteBucketEncryption_O
   void send_response() override;
 };
 
+class RGWGetBucketOwnershipControls_ObjStore_S3 : public RGWGetBucketOwnershipControls_ObjStore {
+ public:
+  void send_response() override;
+};
+
+class RGWPutBucketOwnershipControls_ObjStore_S3 : public RGWPutBucketOwnershipControls_ObjStore {
+  int get_params(optional_yield y) override;
+ public:
+  void send_response() override;
+};
+
+class RGWDeleteBucketOwnershipControls_ObjStore_S3 : public RGWDeleteBucketOwnershipControls_ObjStore {
+ public:
+  void send_response() override;
+};
+
 class RGWGetRequestPayment_ObjStore_S3 : public RGWGetRequestPayment {
 public:
   RGWGetRequestPayment_ObjStore_S3() {}
@@ -750,6 +766,9 @@ class RGWHandler_REST_Bucket_S3 : public RGWHandler_REST_S3 {
   bool is_bucket_encryption_op() {
     return s->info.args.exists("encryption");
   }
+  bool is_bucket_ownership_op() const {
+    return s->info.args.exists("ownershipControls");
+  }
 
   RGWOp *get_obj_op(bool get_data) const;
   RGWOp *op_get() override;
