1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
#include <string.h>
#include <iostream>
#include <map>
#include "include/types.h"
#include "common/Formatter.h"
#include "rgw_acl.h"
#include "rgw_user.h"
#include "rgw_acl_s3.h" // required for backward compatibility
#define dout_subsys ceph_subsys_rgw
using namespace std;
void RGWAccessControlList::_add_grant(ACLGrant *grant)
{
ACLPermission& perm = grant->get_permission();
ACLGranteeType& type = grant->get_type();
switch (type.get_type()) {
case ACL_TYPE_GROUP:
acl_group_map[grant->get_group()] |= perm.get_permissions();
break;
default:
{
string id;
if (!grant->get_id(id)) {
ldout(cct, 0) << "ERROR: grant->get_id() failed" << dendl;
}
acl_user_map[id] |= perm.get_permissions();
}
}
}
void RGWAccessControlList::add_grant(ACLGrant *grant)
{
string id;
grant->get_id(id); // not that this will return false for groups, but that's ok, we won't search groups
grant_map.insert(pair<string, ACLGrant>(id, *grant));
_add_grant(grant);
}
int RGWAccessControlList::get_perm(string& id, int perm_mask) {
ldout(cct, 5) << "Searching permissions for uid=" << id << " mask=" << perm_mask << dendl;
map<string, int>::iterator iter = acl_user_map.find(id);
if (iter != acl_user_map.end()) {
ldout(cct, 5) << "Found permission: " << iter->second << dendl;
return iter->second & perm_mask;
}
ldout(cct, 5) << "Permissions for user not found" << dendl;
return 0;
}
int RGWAccessControlList::get_group_perm(ACLGroupTypeEnum group, int perm_mask) {
ldout(cct, 5) << "Searching permissions for group=" << (int)group << " mask=" << perm_mask << dendl;
map<uint32_t, int>::iterator iter = acl_group_map.find((uint32_t)group);
if (iter != acl_group_map.end()) {
ldout(cct, 5) << "Found permission: " << iter->second << dendl;
return iter->second & perm_mask;
}
ldout(cct, 5) << "Permissions for group not found" << dendl;
return 0;
}
int RGWAccessControlPolicy::get_perm(string& id, int perm_mask) {
int perm = acl.get_perm(id, perm_mask);
if (id.compare(owner.get_id()) == 0) {
perm |= perm_mask & (RGW_PERM_READ_ACP | RGW_PERM_WRITE_ACP);
}
if (perm == perm_mask)
return perm;
/* should we continue looking up? */
if ((perm & perm_mask) != perm_mask) {
perm |= acl.get_group_perm(ACL_GROUP_ALL_USERS, perm_mask);
if (compare_group_name(id, ACL_GROUP_ALL_USERS) != 0) {
/* this is not the anonymous user */
perm |= acl.get_group_perm(ACL_GROUP_AUTHENTICATED_USERS, perm_mask);
}
}
ldout(cct, 5) << "Getting permissions id=" << id << " owner=" << owner.get_id() << " perm=" << perm << dendl;
return perm;
}
bool RGWAccessControlPolicy::verify_permission(string& uid, int user_perm_mask, int perm)
{
int test_perm = perm | RGW_PERM_READ_OBJS | RGW_PERM_WRITE_OBJS;
int policy_perm = get_perm(uid, test_perm);
/* the swift WRITE_OBJS perm is equivalent to the WRITE obj, just
convert those bits. Note that these bits will only be set on
buckets, so the swift READ permission on bucket will allow listing
the bucket content */
if (policy_perm & RGW_PERM_WRITE_OBJS) {
policy_perm |= (RGW_PERM_WRITE | RGW_PERM_WRITE_ACP);
}
if (policy_perm & RGW_PERM_READ_OBJS) {
policy_perm |= (RGW_PERM_READ | RGW_PERM_READ_ACP);
}
int acl_perm = policy_perm & perm & user_perm_mask;
ldout(cct, 10) << " uid=" << uid << " requested perm (type)=" << perm << ", policy perm=" << policy_perm << ", user_perm_mask=" << user_perm_mask << ", acl perm=" << acl_perm << dendl;
return (perm == acl_perm);
}
ACLGroupTypeEnum ACLGrant::uri_to_group(string& uri)
{
// this is required for backward compatibility
return ACLGrant_S3::uri_to_group(uri);
}
|
