diff --git a/weed/s3api/s3tables/handler_policy.go b/weed/s3api/s3tables/handler_policy.go index 19e86d1c8..bdf172dec 100644 --- a/weed/s3api/s3tables/handler_policy.go +++ b/weed/s3api/s3tables/handler_policy.go @@ -59,7 +59,7 @@ func (h *S3TablesHandler) handlePutTableBucketPolicy(w http.ResponseWriter, r *h } // Check permission - principal := h.getPrincipalFromRequest(r) + principal := h.getAccountID(r) if !CanPutTableBucketPolicy(principal, bucketMetadata.OwnerAccountID, "") { h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to put table bucket policy") return NewAuthError("PutTableBucketPolicy", principal, "not authorized to put table bucket policy") @@ -132,7 +132,7 @@ func (h *S3TablesHandler) handleGetTableBucketPolicy(w http.ResponseWriter, r *h } // Check permission - principal := h.getPrincipalFromRequest(r) + principal := h.getAccountID(r) if !CanGetTableBucketPolicy(principal, bucketMetadata.OwnerAccountID, string(policy)) { h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket policy") return NewAuthError("GetTableBucketPolicy", principal, "not authorized to get table bucket policy") @@ -198,7 +198,7 @@ func (h *S3TablesHandler) handleDeleteTableBucketPolicy(w http.ResponseWriter, r } // Check permission - principal := h.getPrincipalFromRequest(r) + principal := h.getAccountID(r) if !CanDeleteTableBucketPolicy(principal, bucketMetadata.OwnerAccountID, bucketPolicy) { h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table bucket policy") return NewAuthError("DeleteTableBucketPolicy", principal, "not authorized to delete table bucket policy") @@ -287,7 +287,7 @@ func (h *S3TablesHandler) handlePutTablePolicy(w http.ResponseWriter, r *http.Re } // Check permission - principal := h.getPrincipalFromRequest(r) + principal := h.getAccountID(r) if !CanPutTablePolicy(principal, metadata.OwnerAccountID, bucketPolicy) { h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to put table policy") return NewAuthError("PutTablePolicy", principal, "not authorized to put table policy") @@ -383,7 +383,7 @@ func (h *S3TablesHandler) handleGetTablePolicy(w http.ResponseWriter, r *http.Re } // Check permission - principal := h.getPrincipalFromRequest(r) + principal := h.getAccountID(r) if !CanGetTablePolicy(principal, metadata.OwnerAccountID, bucketPolicy) { h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table policy") return NewAuthError("GetTablePolicy", principal, "not authorized to get table policy") @@ -461,7 +461,7 @@ func (h *S3TablesHandler) handleDeleteTablePolicy(w http.ResponseWriter, r *http } // Check permission - principal := h.getPrincipalFromRequest(r) + principal := h.getAccountID(r) if !CanDeleteTablePolicy(principal, metadata.OwnerAccountID, bucketPolicy) { h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table policy") return NewAuthError("DeleteTablePolicy", principal, "not authorized to delete table policy") @@ -553,7 +553,7 @@ func (h *S3TablesHandler) handleTagResource(w http.ResponseWriter, r *http.Reque } // Check Permission inside the closure because we just got the ID - principal := h.getPrincipalFromRequest(r) + principal := h.getAccountID(r) if !CanManageTags(principal, ownerAccountID, bucketPolicy) { return NewAuthError("TagResource", principal, "not authorized to tag resource") } @@ -629,6 +629,7 @@ func (h *S3TablesHandler) handleListTagsForResource(w http.ResponseWriter, r *ht } tags := make(map[string]string) + var bucketPolicy string err = filerClient.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error { // Read metadata for ownership check data, err := h.getExtendedAttribute(r.Context(), client, resourcePath, ExtendedKeyMetadata) @@ -637,23 +638,45 @@ func (h *S3TablesHandler) handleListTagsForResource(w http.ResponseWriter, r *ht } var ownerAccountID string + var bucketName string if rType == ResourceTypeTable { var meta tableMetadataInternal if err := json.Unmarshal(data, &meta); err != nil { return err } ownerAccountID = meta.OwnerAccountID + // Extract bucket name from resource path for tables + // resourcePath format: /tables/{bucket}/{namespace}/{table} + parts := strings.Split(strings.Trim(resourcePath, "/"), "/") + if len(parts) >= 2 { + bucketName = parts[1] + } } else { var meta tableBucketMetadata if err := json.Unmarshal(data, &meta); err != nil { return err } ownerAccountID = meta.OwnerAccountID + // Extract bucket name from resource path for buckets + // resourcePath format: /tables/{bucket} + parts := strings.Split(strings.Trim(resourcePath, "/"), "/") + if len(parts) >= 2 { + bucketName = parts[1] + } + } + + // Fetch bucket policy if we have a bucket name + if bucketName != "" { + bucketPath := getTableBucketPath(bucketName) + policyData, err := h.getExtendedAttribute(r.Context(), client, bucketPath, ExtendedKeyPolicy) + if err == nil { + bucketPolicy = string(policyData) + } } // Check Permission - principal := h.getPrincipalFromRequest(r) - if !CheckPermission("ListTagsForResource", principal, ownerAccountID, "") { + principal := h.getAccountID(r) + if !CheckPermission("ListTagsForResource", principal, ownerAccountID, bucketPolicy) { return NewAuthError("ListTagsForResource", principal, "not authorized to list tags for resource") } @@ -760,7 +783,7 @@ func (h *S3TablesHandler) handleUntagResource(w http.ResponseWriter, r *http.Req } // Check Permission - principal := h.getPrincipalFromRequest(r) + principal := h.getAccountID(r) if !CanManageTags(principal, ownerAccountID, bucketPolicy) { return NewAuthError("UntagResource", principal, "not authorized to untag resource") }