rgw: fixes for intra-zone object copy

Signed-off-by: Yehuda Sadeh <yehuda@inktank.com>

3 files changed, 17 insertions, 14 deletions

diff --git a/src/rgw/rgw_main.cc b/src/rgw/rgw_main.cc
index 7a285b175ce..ba894334444 100644
--- a/src/rgw/rgw_main.cc
+++ b/src/rgw/rgw_main.cc
@@ -340,15 +340,15 @@ void RGWProcess::handle_request(RGWRequest *req)
   req->log(s, "reading the cors attr");
   handler->read_cors_config();
  
-  if (!s->system_request) {
-    req->log(s, "verifying op permissions");
-    ret = op->verify_permission();
-    if (ret < 0) {
+  req->log(s, "verifying op permissions");
+  ret = op->verify_permission();
+  if (ret < 0) {
+    if (s->system_request) {
+      dout(2) << "overriding permissions due to system operation" << dendl;
+    } else {
       abort_early(s, ret);
       goto done;
     }
-  } else {
-    req->log(s, "skipping permissons checks for system request");
   }
 
   req->log(s, "verifying op params");
diff --git a/src/rgw/rgw_op.cc b/src/rgw/rgw_op.cc
index a7ac04977fb..0372e5c3cd9 100644
--- a/src/rgw/rgw_op.cc
+++ b/src/rgw/rgw_op.cc
@@ -1475,7 +1475,7 @@ int RGWCopyObj::verify_permission()
   src_bucket = src_bucket_info.bucket;
 
   /* get buckets info (source and dest) */
-  if (s->local_source) {
+  if (s->local_source &&  source_zone.empty()) {
     rgw_obj src_obj(src_bucket, src_object);
     store->set_atomic(s->obj_ctx, src_obj);
     store->set_prefetch_data(s->obj_ctx, src_obj);
@@ -1485,7 +1485,8 @@ int RGWCopyObj::verify_permission()
     if (ret < 0)
       return ret;
 
-    if (!src_policy.verify_permission(s->user.user_id, s->perm_mask, RGW_PERM_READ))
+    if (!s->system_request && /* system request overrides permission checks */
+        !src_policy.verify_permission(s->user.user_id, s->perm_mask, RGW_PERM_READ))
       return -EACCES;
   }
 
@@ -1509,7 +1510,8 @@ int RGWCopyObj::verify_permission()
   if (ret < 0)
     return ret;
 
-  if (!dest_bucket_policy.verify_permission(s->user.user_id, s->perm_mask, RGW_PERM_WRITE))
+  if (!s->system_request && /* system request overrides permission checks */
+      !dest_bucket_policy.verify_permission(s->user.user_id, s->perm_mask, RGW_PERM_WRITE))
     return -EACCES;
 
   ret = init_dest_policy();
diff --git a/src/rgw/rgw_rados.cc b/src/rgw/rgw_rados.cc
index 635608e92f0..3da9f583762 100644
--- a/src/rgw/rgw_rados.cc
+++ b/src/rgw/rgw_rados.cc
@@ -2193,7 +2193,7 @@ public:
 /*
  * prepare attrset, either replace it with new attrs, or keep it (other than acls).
  */
-static void set_copy_attrs(map<string, bufferlist>& src_attrs, map<string, bufferlist>& attrs, bool replace_attrs)
+static void set_copy_attrs(map<string, bufferlist>& src_attrs, map<string, bufferlist>& attrs, bool replace_attrs, bool intra_region)
 {
   if (replace_attrs) {
     if (!attrs[RGW_ATTR_ETAG].length())
@@ -2201,8 +2201,9 @@ static void set_copy_attrs(map<string, bufferlist>& src_attrs, map<string, buffe
 
     src_attrs = attrs;
   } else {
-    /* copying attrs from source, however acls should not be copied */
-    src_attrs[RGW_ATTR_ACL] = attrs[RGW_ATTR_ACL];
+    /* copying attrs from source, however acls should only be copied if it's intra-region operation */
+    if (!intra_region)
+      src_attrs[RGW_ATTR_ACL] = attrs[RGW_ATTR_ACL];
   }
 }
 
@@ -2319,7 +2320,7 @@ int RGWRados::copy_obj(void *ctx,
       src_attrs.erase(RGW_ATTR_MANIFEST); // not interested in original object layout
     }
 
-    set_copy_attrs(src_attrs, attrs, replace_attrs);
+    set_copy_attrs(src_attrs, attrs, replace_attrs, !source_zone.empty());
 
     ret = cb.complete(etag, mtime, src_attrs);
     if (ret < 0)
@@ -2328,7 +2329,7 @@ int RGWRados::copy_obj(void *ctx,
     return 0;
   }
 
-  set_copy_attrs(src_attrs, attrs, replace_attrs);
+  set_copy_attrs(src_attrs, attrs, replace_attrs, false);
 
   RGWObjManifest manifest;
   RGWObjState *astate = NULL;