Ceph » rgw

from the example bucket policy in https://docs.aws.amazon.com/AmazonS3/latest/userguide/enable-server-access-logging.html#grant-log-delivery-permissions-bucket-policy:

            "Principal": {
                "Service": "logging.s3.amazonaws.com" 
            },

we'll first need to teach the iam policy parser about Service principals. that would happen in rgw_iam_policy.cc:parse_principal() and probably involve adding Service to the Principal::types enum

the bucket logging code would then call through verify_bucket_permission() to evaluate_iam_policies(), where the given const rgw::auth::Identity& identity would override Identity::is_identity(const Principal& p) to match such a service principal

            "Condition": {
                "ArnLike": {
                    "aws:SourceArn": "arn:aws:s3:::amzn-s3-demo-source-bucket" 
                },
                "StringEquals": {
                    "aws:SourceAccount": "SOURCE-ACCOUNT-ID" 
                }
            }

evaluate_iam_policies() uses the given const rgw::IAM::Environment& env to match conditions like this. the bucket logging code would have to add key/value pairs for these keys to that environment. you can find some examples of this in rgw_op.cc by searching for rgw_add_to_iam_environment(). for aws:SourceAccount, you should be able to use to_string(source_bucket_info.owner) as the value to match both user- and account owners