//token claims from STS token for ops log (can be used for Keystone token also)
std::vector<string> token_claims;
+ vector<rgw::IAM::Policy> session_policies;
+
req_state(CephContext* _cct, RGWEnv* e, uint64_t id);
~req_state();
/** Check if the req_state's user has the necessary permissions
* to do the requested action */
-rgw::IAM::Effect eval_user_policies(const vector<rgw::IAM::Policy>& user_policies,
+rgw::IAM::Effect eval_identity_or_session_policies(const vector<rgw::IAM::Policy>& user_policies,
const rgw::IAM::Environment& env,
boost::optional<const rgw::auth::Identity&> id,
const uint64_t op,
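Review bot: The first parameter of the renamed `eval_identity_or_session_policies` is still called `user_policies`, and the doc comment above it still describes only a check of the user's permissions, so the declaration no longer says which policy set a caller should pass. I would rename it, `const vector<rgw::IAM::Policy>& policies,`, and reword the comment to say the function evaluates one policy set (identity or session) for `op`. The comment should also state which Effect comes back when no statement in the set applies; that value is not visible here, and callers presumably have to treat it differently for the two sets if a session policy is meant to narrow access. The declaration continues past the end of the hunk.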
RGWAccessControlPolicy * const user_acl,
RGWAccessControlPolicy * const bucket_acl,
const boost::optional<rgw::IAM::Policy>& bucket_policy,
- const vector<rgw::IAM::Policy>& user_policies,
+ const vector<rgw::IAM::Policy>& identity_policies,
+ const vector<rgw::IAM::Policy>& session_policies,
const uint64_t op);
bool verify_bucket_permission(const DoutPrefixProvider* dpp, struct req_state * const s, const uint64_t op);
bool verify_bucket_permission_no_policy(
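Review bot: The new `identity_policies` and `session_policies` parameters have the same type and sit next to each other, so a call site that passes them in the wrong order still compiles. If the two sets play different roles in the decision (a session policy normally restricts what the identity policies grant), a swap would silently change the authorization result. The same pair is added in the following hunk, in the declaration that also takes `object_acl`. I would document the contract on the declaration, for example `// identity_policies: attached to the user/role; session_policies: supplied with the session, empty when none was given`, with the wording and the meaning of an empty set confirmed by the author. The declaration starts before the hunk.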
RGWAccessControlPolicy * const bucket_acl,
RGWAccessControlPolicy * const object_acl,
const boost::optional<rgw::IAM::Policy>& bucket_policy,
- const vector<rgw::IAM::Policy>& user_policies,
+ const vector<rgw::IAM::Policy>& identity_policies,
+ const vector<rgw::IAM::Policy>& session_policies,
const uint64_t op);
extern bool verify_object_permission(const DoutPrefixProvider* dpp, struct req_state *s, uint64_t op);
extern bool verify_object_permission_no_policy(