@ -59,7 +59,7 @@ func (h *S3TablesHandler) handlePutTableBucketPolicy(w http.ResponseWriter, r *h
}
// Check permission
principal := h . getPrincipalFromRequest ( r )
principal := h . getAccountID ( r )
if ! CanPutTableBucketPolicy ( principal , bucketMetadata . OwnerAccountID , "" ) {
h . writeError ( w , http . StatusForbidden , ErrCodeAccessDenied , "not authorized to put table bucket policy" )
return NewAuthError ( "PutTableBucketPolicy" , principal , "not authorized to put table bucket policy" )
@ -132,7 +132,7 @@ func (h *S3TablesHandler) handleGetTableBucketPolicy(w http.ResponseWriter, r *h
}
// Check permission
principal := h . getPrincipalFromRequest ( r )
principal := h . getAccountID ( r )
if ! CanGetTableBucketPolicy ( principal , bucketMetadata . OwnerAccountID , string ( policy ) ) {
h . writeError ( w , http . StatusForbidden , ErrCodeAccessDenied , "not authorized to get table bucket policy" )
return NewAuthError ( "GetTableBucketPolicy" , principal , "not authorized to get table bucket policy" )
@ -198,7 +198,7 @@ func (h *S3TablesHandler) handleDeleteTableBucketPolicy(w http.ResponseWriter, r
}
// Check permission
principal := h . getPrincipalFromRequest ( r )
principal := h . getAccountID ( r )
if ! CanDeleteTableBucketPolicy ( principal , bucketMetadata . OwnerAccountID , bucketPolicy ) {
h . writeError ( w , http . StatusForbidden , ErrCodeAccessDenied , "not authorized to delete table bucket policy" )
return NewAuthError ( "DeleteTableBucketPolicy" , principal , "not authorized to delete table bucket policy" )
@ -287,7 +287,7 @@ func (h *S3TablesHandler) handlePutTablePolicy(w http.ResponseWriter, r *http.Re
}
// Check permission
principal := h . getPrincipalFromRequest ( r )
principal := h . getAccountID ( r )
if ! CanPutTablePolicy ( principal , metadata . OwnerAccountID , bucketPolicy ) {
h . writeError ( w , http . StatusForbidden , ErrCodeAccessDenied , "not authorized to put table policy" )
return NewAuthError ( "PutTablePolicy" , principal , "not authorized to put table policy" )
@ -383,7 +383,7 @@ func (h *S3TablesHandler) handleGetTablePolicy(w http.ResponseWriter, r *http.Re
}
// Check permission
principal := h . getPrincipalFromRequest ( r )
principal := h . getAccountID ( r )
if ! CanGetTablePolicy ( principal , metadata . OwnerAccountID , bucketPolicy ) {
h . writeError ( w , http . StatusForbidden , ErrCodeAccessDenied , "not authorized to get table policy" )
return NewAuthError ( "GetTablePolicy" , principal , "not authorized to get table policy" )
@ -461,7 +461,7 @@ func (h *S3TablesHandler) handleDeleteTablePolicy(w http.ResponseWriter, r *http
}
// Check permission
principal := h . getPrincipalFromRequest ( r )
principal := h . getAccountID ( r )
if ! CanDeleteTablePolicy ( principal , metadata . OwnerAccountID , bucketPolicy ) {
h . writeError ( w , http . StatusForbidden , ErrCodeAccessDenied , "not authorized to delete table policy" )
return NewAuthError ( "DeleteTablePolicy" , principal , "not authorized to delete table policy" )
@ -553,7 +553,7 @@ func (h *S3TablesHandler) handleTagResource(w http.ResponseWriter, r *http.Reque
}
// Check Permission inside the closure because we just got the ID
principal := h . getPrincipalFromRequest ( r )
principal := h . getAccountID ( r )
if ! CanManageTags ( principal , ownerAccountID , bucketPolicy ) {
return NewAuthError ( "TagResource" , principal , "not authorized to tag resource" )
}
@ -629,6 +629,7 @@ func (h *S3TablesHandler) handleListTagsForResource(w http.ResponseWriter, r *ht
}
tags := make ( map [ string ] string )
var bucketPolicy string
err = filerClient . WithFilerClient ( false , func ( client filer_pb . SeaweedFilerClient ) error {
// Read metadata for ownership check
data , err := h . getExtendedAttribute ( r . Context ( ) , client , resourcePath , ExtendedKeyMetadata )
@ -637,23 +638,45 @@ func (h *S3TablesHandler) handleListTagsForResource(w http.ResponseWriter, r *ht
}
var ownerAccountID string
var bucketName string
if rType == ResourceTypeTable {
var meta tableMetadataInternal
if err := json . Unmarshal ( data , & meta ) ; err != nil {
return err
}
ownerAccountID = meta . OwnerAccountID
// Extract bucket name from resource path for tables
// resourcePath format: /tables/{bucket}/{namespace}/{table}
parts := strings . Split ( strings . Trim ( resourcePath , "/" ) , "/" )
if len ( parts ) >= 2 {
bucketName = parts [ 1 ]
}
} else {
var meta tableBucketMetadata
if err := json . Unmarshal ( data , & meta ) ; err != nil {
return err
}
ownerAccountID = meta . OwnerAccountID
// Extract bucket name from resource path for buckets
// resourcePath format: /tables/{bucket}
parts := strings . Split ( strings . Trim ( resourcePath , "/" ) , "/" )
if len ( parts ) >= 2 {
bucketName = parts [ 1 ]
}
}
// Fetch bucket policy if we have a bucket name
if bucketName != "" {
bucketPath := getTableBucketPath ( bucketName )
policyData , err := h . getExtendedAttribute ( r . Context ( ) , client , bucketPath , ExtendedKeyPolicy )
if err == nil {
bucketPolicy = string ( policyData )
}
}
// Check Permission
principal := h . getPrincipalFromRequest ( r )
if ! CheckPermission ( "ListTagsForResource" , principal , ownerAccountID , "" ) {
principal := h . getAccountID ( r )
if ! CheckPermission ( "ListTagsForResource" , principal , ownerAccountID , bucketPolicy ) {
return NewAuthError ( "ListTagsForResource" , principal , "not authorized to list tags for resource" )
}
@ -760,7 +783,7 @@ func (h *S3TablesHandler) handleUntagResource(w http.ResponseWriter, r *http.Req
}
// Check Permission
principal := h . getPrincipalFromRequest ( r )
principal := h . getAccountID ( r )
if ! CanManageTags ( principal , ownerAccountID , bucketPolicy ) {
return NewAuthError ( "UntagResource" , principal , "not authorized to untag resource" )
}
Chris Lu
4 days ago