rgw/sts: changing identity to boost::none, when role policy
is verified for putobj permissions, in case of renaming a
large file.

While renaming a large file, putobj is invoked as an intermediate
step, and role policy is verified for the source object if temp creds
are used. Since the role policy is attached to the identity (role)
itself and the role policy does not contain a Principal, there is no
need to verify the identity and hence boost::none is passed in place
of the identity.

fixes: https://tracker.ceph.com/issues/58628

Signed-off-by: Pritha Srivastava <[email protected]>
pritha-srivastava committed Feb 2, 2023
1 parent 0fd902d commit c2f5716
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/rgw/rgw_op.cc
Expand Up @@ -3636,7 +3636,7 @@ int RGWPutObj::verify_permission(optional_yield y)
auto usr_policy_res = Effect::Pass;
rgw::ARN obj_arn(cs_object->get_obj());
for (auto& user_policy : s->iam_user_policies) {
if (usr_policy_res = user_policy.eval(s->env, *s->auth.identity,
if (usr_policy_res = user_policy.eval(s->env, boost::none,
cs_object->get_instance().empty() ?
rgw::IAM::s3GetObject :
rgw::IAM::s3GetObjectVersion,
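
Review bot: the boost::none now passed as the second argument of user_policy.eval(...) in the s->iam_user_policies loop carries no comment saying why dropping the identity is safe at this call. The reason is only in the commit message (the policy is attached to the role and contains no Principal), while the call itself runs for every entry in s->iam_user_policies, so a later reader cannot tell from the code that skipping the principal match is deliberate rather than an oversight. Suggest a short comment above the call stating that these identity-attached policies have no Principal element, plus a regression test for the copy-source path with temporary credentials, since this evaluation is what grants or denies s3GetObject / s3GetObjectVersion on the source object.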