{ ERR_AMZ_CONTENT_SHA256_MISMATCH, {400, "XAmzContentSHA256Mismatch" }},
{ ERR_INVALID_TAG, {400, "InvalidTag"}},
{ ERR_MALFORMED_ACL_ERROR, {400, "MalformedACLError" }},
+ { ERR_INVALID_ENCRYPTION_ALGORITHM, {400, "InvalidEncryptionAlgorithmError" }},
{ ERR_LENGTH_REQUIRED, {411, "MissingContentLength" }},
{ EACCES, {403, "AccessDenied" }},
{ EPERM, {403, "AccessDenied" }},
rgw_http_errors rgw_http_swift_errors({
{ EACCES, {403, "AccessDenied" }},
{ EPERM, {401, "AccessDenied" }},
+ { ENAMETOOLONG, {400, "Metadata name too long" }},
{ ERR_USER_SUSPENDED, {401, "UserSuspended" }},
{ ERR_INVALID_UTF8, {412, "Invalid UTF8" }},
{ ERR_BAD_URL, {412, "Bad URL" }},
{ ERR_NOT_SLO_MANIFEST, {400, "Not an SLO manifest" }},
{ ERR_QUOTA_EXCEEDED, {413, "QuotaExceeded" }},
+ { ENOTEMPTY, {409, "There was a conflict when trying "
+ "to complete your request." }},
/* FIXME(rzarzynski): we need to find a way to apply Swift's error handling
* procedures also for ERR_ZERO_IN_URL. This make a problem as the validation
* is performed very early, even before setting the req_state::proto_flags. */
{
if (s) {
set_req_state_err(s, err_no);
- s->err.message = err_msg;
+ if (s->prot_flags & RGW_REST_SWIFT && !err_msg.empty()) {
+ /* TODO(rzarzynski): there never ever should be a check like this one.
+ * It's here only for the sake of the patch's backportability. Further
+ * commits will move the logic to a per-RGWHandler replacement of
+ * the end_header() function. Alternativaly, we might consider making
+ * that just for the dump(). Please take a look on @cbodley's comments
+ * in PR #10690 (https://github.com/ceph/ceph/pull/10690). */
+ s->err.err_code = err_msg;
+ } else {
+ s->err.message = err_msg;
+ }
}
}
return false;
}
+namespace {
+Effect eval_or_pass(const optional<Policy>& policy,
+ const rgw::IAM::Environment& env,
+ const rgw::auth::Identity& id,
+ const uint64_t op,
+ const ARN& arn) {
+ if (!policy)
+ return Effect::Pass;
+ else
+ return policy->eval(env, id, op, arn);
+}
+}
+
bool verify_bucket_permission(struct req_state * const s,
const rgw_bucket& bucket,
RGWAccessControlPolicy * const user_acl,
if (!verify_requester_payer_permission(s))
return false;
- if (bucket_policy) {
- auto r = bucket_policy->eval(s->env, *s->auth.identity, op, ARN(bucket));
- if (r == Effect::Allow)
- // It looks like S3 ACLs only GRANT permissions rather than
- // denying them, so this should be safe.
- return true;
- else if (r == Effect::Deny)
- return false;
- }
+ auto r = eval_or_pass(bucket_policy, s->env, *s->auth.identity,
+ op, ARN(bucket));
+ if (r == Effect::Allow)
+ // It looks like S3 ACLs only GRANT permissions rather than
+ // denying them, so this should be safe.
+ return true;
+ else if (r == Effect::Deny)
+ return false;
const auto perm = op_to_perm(op);
op);
}
+// Authorize anyone permitted by the policy and the bucket owner
+// unless explicitly denied by the policy.
+
+int verify_bucket_owner_or_policy(struct req_state* const s,
+ const uint64_t op)
+{
+ auto e = eval_or_pass(s->iam_policy,
+ s->env, *s->auth.identity,
+ op, ARN(s->bucket));
+ if (e == Effect::Allow ||
+ (e == Effect::Pass &&
+ s->auth.identity->is_owner_of(s->bucket_owner.get_id()))) {
+ return 0;
+ } else {
+ return -EACCES;
+ }
+}
+
+
static inline bool check_deferred_bucket_perms(struct req_state * const s,
const rgw_bucket& bucket,
RGWAccessControlPolicy * const user_acl,
if (!verify_requester_payer_permission(s))
return false;
- if (bucket_policy) {
- auto r = bucket_policy->eval(s->env, *s->auth.identity, op, ARN(obj));
- if (r == Effect::Allow)
- // It looks like S3 ACLs only GRANT permissions rather than
- // denying them, so this should be safe.
- return true;
- else if (r == Effect::Deny)
- return false;
- }
+
+ auto r = eval_or_pass(bucket_policy, s->env, *s->auth.identity, op, ARN(obj));
+ if (r == Effect::Allow)
+ // It looks like S3 ACLs only GRANT permissions rather than
+ // denying them, so this should be safe.
+ return true;
+ else if (r == Effect::Deny)
+ return false;
const auto perm = op_to_perm(op);
projects / ceph.git / blobdiff