rgw: respect policies in data sync in user mode #60685

Merged
ivancich merged 2 commits into ceph:main from clwluvw:data-sync-perm
Jan 3, 2025

Conversation

@clwluvw (Member) commented Nov 10, 2024

In the data sync phase, both source and destination object permissions are evaluated locally on the destination zone, leading to two issues:

  1. Source object policies aren't evaluated, causing access to be denied when the uid is bound to an account or IAM policies are involved. This can be fixed by passing the UID as rgwx-uid, allowing the source zone to handle policy evaluation.
  2. Destination object policies are skipped, resulting in access denial when IAM policies grant access to the UID. This can be resolved by using verify_bucket_permission() instead of verify_bucket_permission_no_policy().

Fixes: https://tracker.ceph.com/issues/68884

Commit 1:

Source object policies aren't evaluated, causing access to be denied
when the uid is bound to an account or IAM policies are involved.
This can be fixed by passing the UID as 'rgwx-uid', allowing the
source zone to handle policy evaluation.

Fixes: https://tracker.ceph.com/issues/68884
Signed-off-by: Seena Fallah <[email protected]>

Commit 2:

Destination object policies are skipped, resulting in access denial
when IAM policies grant access to the UID. This can be resolved by
using verify_bucket_permission() instead of
verify_bucket_permission_no_policy().

Fixes: https://tracker.ceph.com/issues/68884
Signed-off-by: Seena Fallah <[email protected]>
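A simplified model of the destination-side check described in the second commit, added here as an illustration and not code from Ceph: the `Bucket` class, the uids and the grant sets are constructed, and the two functions only mirror the names of the rgw checks the PR swaps.

```python
from dataclasses import dataclass, field


@dataclass
class Bucket:
    """Constructed stand-in for a destination-zone bucket."""
    owner: str
    acl_grants: set[str]                                   # uids granted by the bucket ACL
    policy_allow: set[str] = field(default_factory=set)    # uids allowed by bucket/IAM policy


def verify_bucket_permission_no_policy(bucket: Bucket, uid: str) -> bool:
    """ACL-only check, as data sync used before this PR: policies are never consulted."""
    return uid == bucket.owner or uid in bucket.acl_grants


def verify_bucket_permission(bucket: Bucket, uid: str) -> bool:
    """ACL first, then bucket/IAM policy, as data sync does after this PR."""
    if verify_bucket_permission_no_policy(bucket, uid):
        return True
    return uid in bucket.policy_allow


def data_sync_decision(bucket: Bucket, uid: str, respect_policies: bool) -> str:
    """Outcome of the destination-side permission check for one synced object."""
    check = verify_bucket_permission if respect_policies else verify_bucket_permission_no_policy
    return "allowed" if check(bucket, uid) else "denied"


if __name__ == "__main__":
    # Constructed scenario: an account-bound uid whose only grant comes from an IAM policy.
    dest = Bucket(owner="bucket-owner", acl_grants={"legacy-user"}, policy_allow={"acct-user"})
    for uid in ("legacy-user", "acct-user", "stranger"):
        print(uid, "old:", data_sync_decision(dest, uid, False), "new:", data_sync_decision(dest, uid, True))
```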
@clwluvw (Member, Author) commented Nov 27, 2024

jenkins test api

@ivancich ivancich added the wip-eric-testing-2 for ivancich testing label Jan 2, 2025