s3tables: implement granular authorization and refine error responses

- Remove mandatory ACTION_ADMIN at the router level - Enforce granular permissions in bucket and namespace handlers - Prioritize AccountID in ExtractPrincipalFromContext for ARN matching - Distinguish between 404 (NoSuchBucket) and 500 (InternalError) in metadata lookups - Clean up unused imports in s3api_tables.go
4 days ago · 04514071a7
4 changed files with 45 additions and 4 deletions
--- a/weed/s3api/s3api_tables.go
+++ b/weed/s3api/s3api_tables.go
@ -8,7 +8,6 @@ import (
 	"github.com/seaweedfs/seaweedfs/weed/glog"
 	"github.com/seaweedfs/seaweedfs/weed/pb/filer_pb"
 	. "github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
 	"github.com/seaweedfs/seaweedfs/weed/s3api/s3tables"
 )
@ -100,9 +99,9 @@ func (s3a *S3ApiServer) registerS3TablesRoutes(router *mux.Router) {
 	// Register the S3 Tables handler
 	router.Methods(http.MethodPost).Path("/").MatcherFunc(s3TablesMatcher).
 		HandlerFunc(track(s3a.iam.Auth(func(w http.ResponseWriter, r *http.Request) {
 		HandlerFunc(track(func(w http.ResponseWriter, r *http.Request) {
 			s3TablesApi.S3TablesHandler(w, r)
 		}, ACTION_ADMIN), "S3Tables"))
 		}, "S3Tables"))
 	glog.V(1).Infof("S3 Tables API enabled")
 }
--- a/weed/s3api/s3tables/handler_bucket_get_list_delete.go
+++ b/weed/s3api/s3tables/handler_bucket_get_list_delete.go
@ -48,7 +48,11 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
 	})
 	if err != nil {
 		h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName))
 		if errors.Is(err, ErrNotFound) {
 			h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName))
 		} else {
 			h.writeError(w, http.StatusInternalServerError, ErrCodeInternalError, fmt.Sprintf("failed to get table bucket: %v", err))
 		}
 		return err
 	}
@ -71,6 +75,13 @@ func (h *S3TablesHandler) handleListTableBuckets(w http.ResponseWriter, r *http.
 		return err
 	}
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
 	if !CanListTableBuckets(principal, h.accountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to list table buckets")
 		return NewAuthError("ListTableBuckets", principal, "not authorized to list table buckets")
 	}
 	maxBuckets := req.MaxBuckets
 	if maxBuckets <= 0 {
 		maxBuckets = 100
--- a/weed/s3api/s3tables/handler_namespace.go
+++ b/weed/s3api/s3tables/handler_namespace.go
@ -19,6 +19,13 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
 		return err
 	}
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
 	if !CanCreateNamespace(principal, h.accountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace")
 		return NewAuthError("CreateNamespace", principal, "not authorized to create namespace")
 	}
 	if req.TableBucketARN == "" {
 		h.writeError(w, http.StatusBadRequest, ErrCodeInvalidRequest, "tableBucketARN is required")
 		return fmt.Errorf("tableBucketARN is required")
@ -120,6 +127,13 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
 		return err
 	}
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
 	if !CanGetNamespace(principal, h.accountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get namespace details")
 		return NewAuthError("GetNamespace", principal, "not authorized to get namespace details")
 	}
 	if req.TableBucketARN == "" {
 		h.writeError(w, http.StatusBadRequest, ErrCodeInvalidRequest, "tableBucketARN is required")
 		return fmt.Errorf("tableBucketARN is required")
@ -172,6 +186,13 @@ func (h *S3TablesHandler) handleListNamespaces(w http.ResponseWriter, r *http.Re
 		return err
 	}
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
 	if !CanListNamespaces(principal, h.accountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to list namespaces")
 		return NewAuthError("ListNamespaces", principal, "not authorized to list namespaces")
 	}
 	if req.TableBucketARN == "" {
 		h.writeError(w, http.StatusBadRequest, ErrCodeInvalidRequest, "tableBucketARN is required")
 		return fmt.Errorf("tableBucketARN is required")
@ -276,6 +297,13 @@ func (h *S3TablesHandler) handleDeleteNamespace(w http.ResponseWriter, r *http.R
 		return err
 	}
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
 	if !CanDeleteNamespace(principal, h.accountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete namespace")
 		return NewAuthError("DeleteNamespace", principal, "not authorized to delete namespace")
 	}
 	if req.TableBucketARN == "" {
 		h.writeError(w, http.StatusBadRequest, ErrCodeInvalidRequest, "tableBucketARN is required")
 		return fmt.Errorf("tableBucketARN is required")
--- a/weed/s3api/s3tables/permissions.go
+++ b/weed/s3api/s3tables/permissions.go
@ -174,6 +174,9 @@ func ExtractPrincipalFromContext(contextID string) string {
 	// Try to parse as ARN first
 	if strings.HasPrefix(contextID, "arn:") {
 		info := utils.ParsePrincipalARN(contextID)
 		if info.AccountID != "" {
 			return info.AccountID
 		}
 		if info.RoleName != "" {
 			return info.RoleName
 		}