RGW: a subuser with no permission can still list buckets and create buckets

[shreyanshjain7174]

A S3 subuser having no permissions was able to do a normal user ops, from aws docs there's no functionality for a s3 subuser as we do have with swift. The fix here is to check the "subuser perm mask" before going forward with "no_acl" check.

Fixes: https://tracker.ceph.com/issues/63791

Contribution Guidelines

• To sign and title your commits, please refer to Submitting Patches to Ceph.

• If you are submitting a fix for a stable branch (e.g. "quincy"), please refer to Submitting Patches to Ceph - Backports for the proper workflow.

• When filling out the below checklist, you may click boxes directly in the GitHub web UI. When entering or editing the entire PR message in the GitHub web UI editor, you may also select a checklist item by adding an x between the brackets: [x]. Spaces and capitalization matter when checking off items this way.

Checklist

• Tracker (select at least one)
  • References tracker ticket
  • Very recent bug; references commit where it was introduced
  • New feature (ticket optional)
  • Doc update (no ticket needed)
  • Code cleanup (no ticket needed)
• Component impact
  • Affects Dashboard, opened tracker ticket
  • Affects Orchestrator, opened tracker ticket
  • No impact that needs to be tracked
• Documentation (select at least one)
  • Updates relevant documentation
  • No doc update is appropriate
• Tests (select at least one)
  • Includes unit test(s)
  • Includes integration test(s)
  • Includes bug reproducer
  • No tests

Show available Jenkins commands

• jenkins retest this please
• jenkins test classic perf
• jenkins test crimson perf
• jenkins test signed
• jenkins test make check
• jenkins test make check arm64
• jenkins test submodules
• jenkins test dashboard
• jenkins test dashboard cephadm
• jenkins test api
• jenkins test docs
• jenkins render docs
• jenkins test ceph-volume all
• jenkins test ceph-volume tox
• jenkins test windows
• jenkins test rook e2e

[shreyanshjain7174]

jenkins test make check

[cbodley]

passed qa in https://pulpito.ceph.com/cbodley-2024-04-09_13:16:23-rgw-wip-cbodley-testing-distro-default-smithi/

[cbodley]

this broke permissions in #54333 which is a high priority for the squid release, so i've opened #56838 to revert for now

[cbodley]

this broke permissions in #54333 which is a high priority for the squid release, so i've opened #56838 to revert for now

@shreyanshjain7174 to expand on this, the value of this perm argument comes from rgw::IAM::op_to_perm() in rgw_iam_policy.h. this function only maps the permissions of s3 actions: https://github.com/ceph/ceph/blob/62ed3a0/src/rgw/rgw_iam_policy.h#L256-L259

non-s3 actions map to RGW_PERM_INVALID. these requests had previously succeeded because of the "S3 doesn't support account ACLs, so user_acl will be uninitialized" case that was moved by this pr. after this change, these requests now fail

before we can apply this fix for subusers, we would need to update op_to_perm() to cover all of these actions too: https://github.com/ceph/ceph/blob/62ed3a0/src/rgw/rgw_iam_policy.h#L115-L149 (and note that #54333 adds several more)

[shreyanshjain7174]

Got it, Thanks! @cbodley for the detailed explanation, will be sure to look after the merge of users account implementation.