Commit 37c2d36

clwluvwcbodley
authored andcommitted
rgw: use is_admin() for permission checks
Signed-off-by: Seena Fallah <[email protected]> (cherry picked from commit cc033cb)
1 parent c31b2fa commit 37c2d36

2 files changed

+6
-12
lines changed


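--- a/src/rgw/rgw_lib.cc
+++ b/src/rgw/rgw_lib.cc
@@ -281,9 +281,7 @@ namespace rgw {
 ldpp_dout(s, 2) << "verifying op permissions" << dendl;
 ret = op->verify_permission(null_yield);
 if (ret < 0) {
-if (s->system_request) {
-ldpp_dout(op, 2) << "overriding permissions due to system operation" << dendl;
-} else if (s->auth.identity->is_admin()) {
+if (s->auth.identity->is_admin()) {
 ldpp_dout(op, 2) << "overriding permissions due to admin operation" << dendl;
 } else {
 abort_req(s, op, ret);
@@ -418,9 +416,7 @@ namespace rgw {
 ldpp_dout(s, 2) << "verifying op permissions" << dendl;
 ret = op->verify_permission(null_yield);
 if (ret < 0) {
-if (s->system_request) {
-ldpp_dout(op, 2) << "overriding permissions due to system operation" << dendl;
-} else if (s->auth.identity->is_admin()) {
+if (s->auth.identity->is_admin()) {
 ldpp_dout(op, 2) << "overriding permissions due to admin operation" << dendl;
 } else {
 abort_req(s, op, ret);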
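Review bot: The override branch at new lines 284-285 (and again at 419-420) lets the request continue after verify_permission() has failed, but the only trace is a level-2 debug line that records neither the failing ret nor which identity was granted the override. With the separate system_request branch removed, system and admin overrides also become indistinguishable in the log. For auditability, consider carrying the overridden error in the message, e.g. `ldpp_dout(op, 2) << "overriding permissions due to admin operation, ret=" << ret << dendl;`, and adding the identity if it is streamable in this context. The enclosing function starts and ends outside both hunks.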

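--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -360,7 +360,7 @@ static int read_bucket_policy(const DoutPrefixProvider *dpp,
 rgw_bucket& bucket,
 optional_yield y)
 {
-if (!s->system_request && bucket_info.flags & BUCKET_SUSPENDED) {
+if (!s->auth.identity->is_admin() && bucket_info.flags & BUCKET_SUSPENDED) {
 ldpp_dout(dpp, 0) << "NOTICE: bucket " << bucket_info.bucket.name
 << " is suspended" << dendl;
 return -ERR_USER_SUSPENDED;
@@ -397,7 +397,7 @@ static int read_obj_policy(const DoutPrefixProvider *dpp,
 std::unique_ptr<rgw::sal::Object> mpobj;
 rgw_obj obj;
 
-if (!s->system_request && bucket_info.flags & BUCKET_SUSPENDED) {
+if (!s->auth.identity->is_admin() && bucket_info.flags & BUCKET_SUSPENDED) {
 ldpp_dout(dpp, 0) << "NOTICE: bucket " << bucket_info.bucket.name
 << " is suspended" << dendl;
 return -ERR_USER_SUSPENDED;
@@ -604,7 +604,7 @@ int rgw_build_bucket_policies(const DoutPrefixProvider *dpp, rgw::sal::Driver* d
 // send a PutBucketPolicy or DeleteBucketPolicy request as an admin/system
 // user. We can allow such requests, because even if the policy denied
 // access, admin/system users override that error from verify_permission().
-if (!s->system_request) {
+if (!s->auth.identity->is_admin()) {
 ret = -EACCES;
 }
 }
@@ -1856,9 +1856,7 @@ int RGWGetObj::read_user_manifest_part(rgw::sal::Bucket* bucket,
 
 /* We can use global user_acl because LOs cannot have segments
 * stored inside different accounts. */
-if (s->system_request) {
-ldpp_dout(this, 2) << "overriding permissions due to system operation" << dendl;
-} else if (s->auth.identity->is_admin()) {
+if (s->auth.identity->is_admin()) {
 ldpp_dout(this, 2) << "overriding permissions due to admin operation" << dendl;
 } else if (!verify_object_permission(this, s, part->get_obj(), s->user_acl,
 bucket_acl, obj_policy, bucket_policy,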
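Review bot: The suspended-bucket guard in read_bucket_policy (new line 363) and read_obj_policy (new line 400), and the policy-error guard at new line 607, now dereference `s->auth.identity` where the old code only read the `s->system_request` flag, and nothing in these hunks shows that the identity is always populated before these helpers run. If any caller can reach them with an unset identity, the result would be a null dereference instead of a permission decision, so the precondition should be documented or checked at the top of each helper. The change also means the suspension check is skipped for every identity for which is_admin() returns true, not only for system requests; a short comment such as `// admin/system identities may still read the policy of a suspended bucket` would record that this widening is intended. The bodies of all three functions continue outside the hunks.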
