
rgw/iam: add policy evaluation for Arn-based Conditions#62285

Merged
ivancich merged 3 commits into ceph:main from cbodley:wip-rgw-iam-arnlike
Mar 20, 2025

Conversation

@cbodley (Contributor) commented Mar 13, 2025

arn-based conditions[1] like ArnEquals etc are recognized by the policy parser, but not enforced during policy evaluation

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN

Fixes: https://tracker.ceph.com/issues/70481


@cbodley (Contributor, Author) commented Mar 13, 2025

first draft just copied the behavior of StringEquals, but the ARN matching is more complicated:

Case-sensitive matching of the ARN. Each of the six colon-delimited components of the ARN is checked separately and each can include multi-character match wildcards (*) or single-character match wildcards (?). The ArnEquals and ArnLike condition operators behave identically.

cbodley added 2 commits March 13, 2025 20:23
remove unused MATCH_POLICY_STRING

ARN::match() was the only caller for MATCH_POLICY_ARN, but it was used
to match the 'region' and 'account' components that were already parsed
out of the colon-separated ARN string. for that use, we don't need the
loop-over-colons behavior of match_policy() so can call match_wildcards()
directly

after doing the same for MATCH_POLICY_RESOURCE, we no longer have any
non-looping callers of match_policy() so can treat 'bool colonblocks' as
unconditionally true

Signed-off-by: Casey Bodley <cbodley@redhat.com>
now that the ArnLike conditions are the only user of MATCH_POLICY_ARN,
change their case-sensitivity to comply with Amazon Resource Name (ARN)
condition operators[1]

[1] https://docs.aws.amazon.com/IAM/latest/UserGuide/reference_policies_elements_condition_operators.html#Conditions_ARN

Signed-off-by: Casey Bodley <cbodley@redhat.com>
@cbodley cbodley force-pushed the wip-rgw-iam-arnlike branch 2 times, most recently from dbe93c8 to c64d729 on March 14, 2025 13:56
@cbodley cbodley marked this pull request as ready for review March 14, 2025 13:56
@cbodley cbodley requested a review from a team as a code owner March 14, 2025 13:56
arn-based conditions like ArnEquals etc are recognized by the policy
parser, but not enforced during policy evaluation

Fixes: https://tracker.ceph.com/issues/70481

Signed-off-by: Casey Bodley <cbodley@redhat.com>
@cbodley cbodley force-pushed the wip-rgw-iam-arnlike branch from c64d729 to 62c3e5e on March 14, 2025 14:23
@cbodley (Contributor, Author) commented Mar 14, 2025

opened https://tracker.ceph.com/issues/70481 for backports

@yuvalif (Contributor) commented Mar 18, 2025

tested together with the bucket logging policy PR. following policy. target resource ARN:

"Resource": "arn:aws:s3:::all-logs/logs*"

was matched with "arn:aws:s3:::all-logs/logs".
and source ARN condition:

"ArnLike": {
    "aws:SourceArn": "arn:aws:s3:::????"
},

matched source bucket ARN: "arn:aws:s3:::fish"
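
The rule cbodley quoted from the AWS documentation above (six colon-delimited components, each matched separately and case-sensitively, each allowing `*` and `?`) and yuvalif's two test cases are easy to exercise in a few dozen lines. The following is an added example written for this page, not rgw's own match_policy()/match_wildcards() code or anything from the PR; the function names `match_wildcards`, `split_arn` and `arn_like`, and all of the sample ARNs other than yuvalif's two, are constructed for illustration. It also shows why the per-component rule matters for authorization: a whole-string glob lets a `*` placed in the region slot run across colons and match an ARN whose account component differs, while component-wise matching rejects it.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Case-sensitive wildcard match: '*' matches any run of characters
// (including none), '?' matches exactly one character. Iterative
// two-pointer algorithm that backtracks to the most recent '*'.
bool match_wildcards(const std::string& pattern, const std::string& input) {
  const std::size_t npos = std::string::npos;
  std::size_t p = 0, s = 0;
  std::size_t star = npos;   // index just past the most recent '*'
  std::size_t star_s = 0;    // input index when that '*' was reached
  while (s < input.size()) {
    if (p < pattern.size() && (pattern[p] == '?' || pattern[p] == input[s])) {
      ++p;
      ++s;
    } else if (p < pattern.size() && pattern[p] == '*') {
      star = ++p;
      star_s = s;
    } else if (star != npos) {
      // let the last '*' absorb one more input character and retry
      p = star;
      s = ++star_s;
    } else {
      return false;
    }
  }
  while (p < pattern.size() && pattern[p] == '*') ++p;
  return p == pattern.size();
}

// Split an ARN or ARN pattern into its six colon-delimited components
// (arn:partition:service:region:account:resource). The resource component
// may itself contain colons, so it is everything after the fifth colon.
// Returns false when fewer than six components are present.
bool split_arn(const std::string& arn, std::vector<std::string>& parts) {
  parts.clear();
  std::size_t start = 0;
  for (int i = 0; i < 5; ++i) {
    std::size_t colon = arn.find(':', start);
    if (colon == std::string::npos) return false;
    parts.push_back(arn.substr(start, colon - start));
    start = colon + 1;
  }
  parts.push_back(arn.substr(start));
  return true;
}

// ArnLike / ArnEquals evaluation as the AWS documentation describes it:
// each of the six components is matched separately and case-sensitively,
// and each may carry '*' or '?' wildcards. Because '*' is confined to one
// component, a wildcard in the region slot cannot swallow the account slot.
// Hypothetical helper name; not rgw's implementation.
bool arn_like(const std::string& pattern, const std::string& arn) {
  std::vector<std::string> pparts, aparts;
  if (!split_arn(pattern, pparts) || !split_arn(arn, aparts)) return false;
  for (std::size_t i = 0; i < pparts.size(); ++i) {
    if (!match_wildcards(pparts[i], aparts[i])) return false;
  }
  return true;
}

int main() {
  // Constructed inputs; the first two are the cases from the review comment.
  struct Case { const char* pattern; const char* arn; };
  const Case cases[] = {
    {"arn:aws:s3:::all-logs/logs*", "arn:aws:s3:::all-logs/logs"},
    {"arn:aws:s3:::????", "arn:aws:s3:::fish"},
    {"arn:aws:s3:::????", "arn:aws:s3:::fishy"},            // one char too many
    {"arn:aws:s3:::fish", "arn:aws:s3:::Fish"},             // case-sensitive: no match
    // region wildcard must not span into a different account component
    {"arn:aws:sns:*:123456789012:topic",
     "arn:aws:sns:us-east-1:999999999999:topic:123456789012:topic"},
  };
  for (const Case& c : cases) {
    std::cout << c.pattern << "  vs  " << c.arn << "  -> "
              << (arn_like(c.pattern, c.arn) ? "match" : "no match")
              << " (whole-string glob: "
              << (match_wildcards(c.pattern, c.arn) ? "match" : "no match") << ")\n";
  }
  return 0;
}
```

The last case is the one to keep in mind when reviewing this kind of change: applied to the whole string, the `*` in the region slot happily consumes `us-east-1:999999999999:topic` and the policy grants access to a foreign account's resource; applied per component, the account slot `123456789012` is compared against `999999999999` and the condition fails.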

@cbodley (Contributor, Author) commented Mar 19, 2025

jenkins test api

@ivancich ivancich added the wip-eric-testing-1 for ivancich testing label Mar 19, 2025
@ivancich (Member) commented:
jenkins test api

@ivancich ivancich added TESTED and removed needs-qa wip-eric-testing-1 for ivancich testing labels Mar 20, 2025
@ivancich (Member) commented:
This passed QA, but ceph API tests still running, so I cannot merge.

@cbodley (Contributor, Author) commented Mar 20, 2025

jenkins test api

@ivancich ivancich merged commit ce31042 into ceph:main Mar 20, 2025
4 participants