rgw/s3: CreateBucket accepts x-amz-object-ownership header

cbodley · cbodley · commit f97e90d0966c · 2025-07-30T15:31:06.000-04:00
Signed-off-by: Casey Bodley &lt;cbodley@redhat.com&gt;
diff --git a/src/rgw/rgw_common.h b/src/rgw/rgw_common.h
@@ -120,6 +120,8 @@ using ceph::crypto::MD5;
 #define RGW_ATTR_OBJECT_RETENTION   RGW_ATTR_PREFIX "object-retention"
 #define RGW_ATTR_OBJECT_LEGAL_HOLD  RGW_ATTR_PREFIX "object-legal-hold"
 
+// S3 Object Ownership
+#define RGW_ATTR_OWNERSHIP_CONTROLS RGW_ATTR_PREFIX "ownership-controls"
 
 #define RGW_ATTR_PG_VER 	RGW_ATTR_PREFIX "pg_ver"
 #define RGW_ATTR_SOURCE_ZONE    RGW_ATTR_PREFIX "source_zone"
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
@@ -3452,6 +3452,13 @@ int RGWCreateBucket::verify_permission(optional_yield y)
     return -EACCES;
   }
 
+  if (object_ownership) {
+    // x-amz-object-ownership requires s3:PutBucketOwnershipControls permission
+    if (!verify_user_permission(this, s, arn, rgw::IAM::s3PutBucketOwnershipControls, false)) {
+      return -EACCES;
+    }
+  }
+
   if (s->auth.identity->get_tenant() != s->bucket_tenant) {
     //AssumeRole is meant for cross account access
     if (s->auth.identity->get_identity_type() != TYPE_ROLE) {
@@ -3814,6 +3821,12 @@ void RGWCreateBucket::execute(optional_yield y)
     createparams.attrs[RGW_ATTR_CORS] = std::move(corsbl);
   }
 
+  if (object_ownership) {
+    rgw::s3::OwnershipControls controls;
+    controls.object_ownership = *object_ownership;
+    encode(controls, createparams.attrs[RGW_ATTR_OWNERSHIP_CONTROLS]);
+  } // TODO: config option to set default ownership when not requested
+
   if (need_metadata_upload()) {
     /* It's supposed that following functions WILL NOT change any special
      * attributes (like RGW_ATTR_ACL) if they are already present in attrs. */
diff --git a/src/rgw/rgw_op.h b/src/rgw/rgw_op.h
@@ -1153,6 +1153,7 @@ class RGWCreateBucket : public RGWOp {
   RGWCORSConfiguration cors_config;
   std::set<std::string> rmattr_names;
   bufferlist in_data;
+  std::optional<rgw::s3::ObjectOwnership> object_ownership;
 
   virtual bool need_metadata_upload() const { return false; }
 
diff --git a/src/rgw/rgw_rest_s3.cc b/src/rgw/rgw_rest_s3.cc
@@ -2691,6 +2691,15 @@ int RGWCreateBucket_ObjStore_S3::get_params(optional_yield y)
     }
     createparams.obj_lock_enabled = boost::algorithm::iequals(iter->second, "true");
   }
+
+  if (auto i = s->info.x_meta_map.find("x-amz-object-ownership");
+      i != s->info.x_meta_map.end()) {
+    rgw::s3::ObjectOwnership tmp;
+    if (!rgw::s3::parse(i->second, tmp, s->err.message)) {
+      return -EINVAL;
+    }
+    object_ownership = std::move(tmp);
+  }
   return 0;
 }
 

Original file line number	Diff line number	Diff line change
`@@ -2691,6 +2691,15 @@ int RGWCreateBucket_ObjStore_S3::get_params(optional_yield y)`
`2691`	`2691`	`}`
`2692`	`2692`	`createparams.obj_lock_enabled = boost::algorithm::iequals(iter->second, "true");`
`2693`	`2693`	`}`
	`2694`	`+`
	`2695`	`+ if (auto i = s->info.x_meta_map.find("x-amz-object-ownership");`
	`2696`	`+ i != s->info.x_meta_map.end()) {`
	`2697`	`+ rgw::s3::ObjectOwnership tmp;`
	`2698`	`+ if (!rgw::s3::parse(i->second, tmp, s->err.message)) {`
	`2699`	`+ return -EINVAL;`
	`2700`	`+ }`
	`2701`	`+ object_ownership = std::move(tmp);`
	`2702`	`+ }`
`2694`	`2703`	`return 0;`
`2695`	`2704`	`}`
`2696`	`2705`