From 1697ec862f6e9ce0adc75edc401a3c4bcc883445 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Wed, 28 Jan 2026 13:54:49 -0800
Subject: [PATCH] ownerAccountID

---
 weed/s3api/s3tables/handler_bucket_create.go |  6 ++--
 .../handler_bucket_get_list_delete.go        |  6 ++--
 weed/s3api/s3tables/handler_namespace.go     | 16 ++++-----
 weed/s3api/s3tables/handler_policy.go        | 36 +++++++++----------
 weed/s3api/s3tables/handler_table.go         | 28 +++++++--------
 weed/s3api/s3tables/types.go                 |  8 ++---
 weed/s3api/s3tables/utils.go                 | 15 ++++----
 7 files changed, 57 insertions(+), 58 deletions(-)

diff --git a/weed/s3api/s3tables/handler_bucket_create.go b/weed/s3api/s3tables/handler_bucket_create.go
index 90b623123..a8c7a9494 100644
--- a/weed/s3api/s3tables/handler_bucket_create.go
+++ b/weed/s3api/s3tables/handler_bucket_create.go
@@ -76,9 +76,9 @@ func (h *S3TablesHandler) handleCreateTableBucket(w http.ResponseWriter, r *http
 	// Create the bucket directory and set metadata as extended attributes
 	now := time.Now()
 	metadata := &tableBucketMetadata{
-		Name:      req.Name,
-		CreatedAt: now,
-		OwnerID:   h.getAccountID(r),
+		Name:           req.Name,
+		CreatedAt:      now,
+		OwnerAccountID: h.getAccountID(r),
 	}
 
 	metadataBytes, err := json.Marshal(metadata)
diff --git a/weed/s3api/s3tables/handler_bucket_get_list_delete.go b/weed/s3api/s3tables/handler_bucket_get_list_delete.go
index 7705f29f9..5615e4dbb 100644
--- a/weed/s3api/s3tables/handler_bucket_get_list_delete.go
+++ b/weed/s3api/s3tables/handler_bucket_get_list_delete.go
@@ -57,7 +57,7 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanGetTableBucket(principal, metadata.OwnerID) {
+	if !CanGetTableBucket(principal, metadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details")
 		return NewAuthError("GetTableBucket", principal, "not authorized to get table bucket details")
 	}
@@ -65,7 +65,7 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
 	resp := &GetTableBucketResponse{
 		ARN:            h.generateTableBucketARN(r, bucketName),
 		Name:           metadata.Name,
-		OwnerAccountID: metadata.OwnerID,
+		OwnerAccountID: metadata.OwnerAccountID,
 		CreatedAt:      metadata.CreatedAt,
 	}
 
@@ -245,7 +245,7 @@ func (h *S3TablesHandler) handleDeleteTableBucket(w http.ResponseWriter, r *http
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanDeleteTableBucket(principal, metadata.OwnerID) {
+	if !CanDeleteTableBucket(principal, metadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table bucket")
 		return NewAuthError("DeleteTableBucket", principal, "not authorized to delete table bucket")
 	}
diff --git a/weed/s3api/s3tables/handler_namespace.go b/weed/s3api/s3tables/handler_namespace.go
index ff2d86120..26c75a9f4 100644
--- a/weed/s3api/s3tables/handler_namespace.go
+++ b/weed/s3api/s3tables/handler_namespace.go
@@ -67,7 +67,7 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanCreateNamespace(principal, bucketMetadata.OwnerID) {
+	if !CanCreateNamespace(principal, bucketMetadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace")
 		return NewAuthError("CreateNamespace", principal, "not authorized to create namespace")
 	}
@@ -91,9 +91,9 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
 	// Create the namespace
 	now := time.Now()
 	metadata := &namespaceMetadata{
-		Namespace: req.Namespace,
-		CreatedAt: now,
-		OwnerID:   h.getAccountID(r),
+		Namespace:      req.Namespace,
+		CreatedAt:      now,
+		OwnerAccountID: h.getAccountID(r),
 	}
 
 	metadataBytes, err := json.Marshal(metadata)
@@ -178,7 +178,7 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanGetNamespace(principal, metadata.OwnerID) {
+	if !CanGetNamespace(principal, metadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get namespace details")
 		return NewAuthError("GetNamespace", principal, "not authorized to get namespace details")
 	}
@@ -186,7 +186,7 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
 	resp := &GetNamespaceResponse{
 		Namespace:      metadata.Namespace,
 		CreatedAt:      metadata.CreatedAt,
-		OwnerAccountID: metadata.OwnerID,
+		OwnerAccountID: metadata.OwnerAccountID,
 	}
 
 	h.writeJSON(w, http.StatusOK, resp)
@@ -242,7 +242,7 @@ func (h *S3TablesHandler) handleListNamespaces(w http.ResponseWriter, r *http.Re
 	}
 
 	principal := h.getPrincipalFromRequest(r)
-	if !CanListNamespaces(principal, bucketMetadata.OwnerID) {
+	if !CanListNamespaces(principal, bucketMetadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to list namespaces")
 		return NewAuthError("ListNamespaces", principal, "not authorized to list namespaces")
 	}
@@ -400,7 +400,7 @@ func (h *S3TablesHandler) handleDeleteNamespace(w http.ResponseWriter, r *http.R
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanDeleteNamespace(principal, metadata.OwnerID) {
+	if !CanDeleteNamespace(principal, metadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete namespace")
 		return NewAuthError("DeleteNamespace", principal, "not authorized to delete namespace")
 	}
diff --git a/weed/s3api/s3tables/handler_policy.go b/weed/s3api/s3tables/handler_policy.go
index 682f3b42a..1c489dec4 100644
--- a/weed/s3api/s3tables/handler_policy.go
+++ b/weed/s3api/s3tables/handler_policy.go
@@ -59,7 +59,7 @@ func (h *S3TablesHandler) handlePutTableBucketPolicy(w http.ResponseWriter, r *h
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanPutTableBucketPolicy(principal, bucketMetadata.OwnerID) {
+	if !CanPutTableBucketPolicy(principal, bucketMetadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to put table bucket policy")
 		return NewAuthError("PutTableBucketPolicy", principal, "not authorized to put table bucket policy")
 	}
@@ -132,7 +132,7 @@ func (h *S3TablesHandler) handleGetTableBucketPolicy(w http.ResponseWriter, r *h
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanGetTableBucketPolicy(principal, bucketMetadata.OwnerID) {
+	if !CanGetTableBucketPolicy(principal, bucketMetadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket policy")
 		return NewAuthError("GetTableBucketPolicy", principal, "not authorized to get table bucket policy")
 	}
@@ -190,7 +190,7 @@ func (h *S3TablesHandler) handleDeleteTableBucketPolicy(w http.ResponseWriter, r
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanDeleteTableBucketPolicy(principal, bucketMetadata.OwnerID) {
+	if !CanDeleteTableBucketPolicy(principal, bucketMetadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table bucket policy")
 		return NewAuthError("DeleteTableBucketPolicy", principal, "not authorized to delete table bucket policy")
 	}
@@ -270,7 +270,7 @@ func (h *S3TablesHandler) handlePutTablePolicy(w http.ResponseWriter, r *http.Re
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanPutTablePolicy(principal, metadata.OwnerID) {
+	if !CanPutTablePolicy(principal, metadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to put table policy")
 		return NewAuthError("PutTablePolicy", principal, "not authorized to put table policy")
 	}
@@ -354,7 +354,7 @@ func (h *S3TablesHandler) handleGetTablePolicy(w http.ResponseWriter, r *http.Re
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanGetTablePolicy(principal, metadata.OwnerID) {
+	if !CanGetTablePolicy(principal, metadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table policy")
 		return NewAuthError("GetTablePolicy", principal, "not authorized to get table policy")
 	}
@@ -423,7 +423,7 @@ func (h *S3TablesHandler) handleDeleteTablePolicy(w http.ResponseWriter, r *http
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanDeleteTablePolicy(principal, metadata.OwnerID) {
+	if !CanDeleteTablePolicy(principal, metadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table policy")
 		return NewAuthError("DeleteTablePolicy", principal, "not authorized to delete table policy")
 	}
@@ -475,24 +475,24 @@ func (h *S3TablesHandler) handleTagResource(w http.ResponseWriter, r *http.Reque
 			return err
 		}
 
-		var ownerID string
+		var ownerAccountID string
 		if rType == ResourceTypeTable {
 			var meta tableMetadataInternal
 			if err := json.Unmarshal(data, &meta); err != nil {
 				return err
 			}
-			ownerID = meta.OwnerID
+			ownerAccountID = meta.OwnerAccountID
 		} else {
 			var meta tableBucketMetadata
 			if err := json.Unmarshal(data, &meta); err != nil {
 				return err
 			}
-			ownerID = meta.OwnerID
+			ownerAccountID = meta.OwnerAccountID
 		}
 
 		// Check Permission inside the closure because we just got the ID
 		principal := h.getPrincipalFromRequest(r)
-		if !CanManageTags(principal, ownerID) {
+		if !CanManageTags(principal, ownerAccountID) {
 			return NewAuthError("TagResource", principal, "not authorized to tag resource")
 		}
 
@@ -574,24 +574,24 @@ func (h *S3TablesHandler) handleListTagsForResource(w http.ResponseWriter, r *ht
 			return err
 		}
 
-		var ownerID string
+		var ownerAccountID string
 		if rType == ResourceTypeTable {
 			var meta tableMetadataInternal
 			if err := json.Unmarshal(data, &meta); err != nil {
 				return err
 			}
-			ownerID = meta.OwnerID
+			ownerAccountID = meta.OwnerAccountID
 		} else {
 			var meta tableBucketMetadata
 			if err := json.Unmarshal(data, &meta); err != nil {
 				return err
 			}
-			ownerID = meta.OwnerID
+			ownerAccountID = meta.OwnerAccountID
 		}
 
 		// Check Permission
 		principal := h.getPrincipalFromRequest(r)
-		if !CheckPermission("ListTagsForResource", principal, ownerID) {
+		if !CheckPermission("ListTagsForResource", principal, ownerAccountID) {
 			return NewAuthError("ListTagsForResource", principal, "not authorized to list tags for resource")
 		}
 
@@ -661,24 +661,24 @@ func (h *S3TablesHandler) handleUntagResource(w http.ResponseWriter, r *http.Req
 			return err
 		}
 
-		var ownerID string
+		var ownerAccountID string
 		if rType == ResourceTypeTable {
 			var meta tableMetadataInternal
 			if err := json.Unmarshal(data, &meta); err != nil {
 				return err
 			}
-			ownerID = meta.OwnerID
+			ownerAccountID = meta.OwnerAccountID
 		} else {
 			var meta tableBucketMetadata
 			if err := json.Unmarshal(data, &meta); err != nil {
 				return err
 			}
-			ownerID = meta.OwnerID
+			ownerAccountID = meta.OwnerAccountID
 		}
 
 		// Check Permission
 		principal := h.getPrincipalFromRequest(r)
-		if !CanManageTags(principal, ownerID) {
+		if !CanManageTags(principal, ownerAccountID) {
 			return NewAuthError("UntagResource", principal, "not authorized to untag resource")
 		}
 
diff --git a/weed/s3api/s3tables/handler_table.go b/weed/s3api/s3tables/handler_table.go
index b182d8aec..4f33b108c 100644
--- a/weed/s3api/s3tables/handler_table.go
+++ b/weed/s3api/s3tables/handler_table.go
@@ -87,7 +87,7 @@ func (h *S3TablesHandler) handleCreateTable(w http.ResponseWriter, r *http.Reque
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanCreateTable(principal, namespaceMetadata.OwnerID) {
+	if !CanCreateTable(principal, namespaceMetadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table")
 		return NewAuthError("CreateTable", principal, "not authorized to create table")
 	}
@@ -113,14 +113,14 @@ func (h *S3TablesHandler) handleCreateTable(w http.ResponseWriter, r *http.Reque
 
 	versionToken := generateVersionToken()
 	metadata := &tableMetadataInternal{
-		Name:         tableName,
-		Namespace:    namespaceName,
-		Format:       req.Format,
-		CreatedAt:    now,
-		ModifiedAt:   now,
-		OwnerID:      h.getAccountID(r),
-		VersionToken: versionToken,
-		Schema:       req.Metadata,
+		Name:           tableName,
+		Namespace:      namespaceName,
+		Format:         req.Format,
+		CreatedAt:      now,
+		ModifiedAt:     now,
+		OwnerAccountID: h.getAccountID(r),
+		VersionToken:   versionToken,
+		Schema:         req.Metadata,
 	}
 
 	metadataBytes, err := json.Marshal(metadata)
@@ -241,7 +241,7 @@ func (h *S3TablesHandler) handleGetTable(w http.ResponseWriter, r *http.Request,
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanGetTable(principal, metadata.OwnerID) {
+	if !CanGetTable(principal, metadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table")
 		return NewAuthError("GetTable", principal, "not authorized to get table")
 	}
@@ -255,7 +255,7 @@ func (h *S3TablesHandler) handleGetTable(w http.ResponseWriter, r *http.Request,
 		Format:           metadata.Format,
 		CreatedAt:        metadata.CreatedAt,
 		ModifiedAt:       metadata.ModifiedAt,
-		OwnerAccountID:   metadata.OwnerID,
+		OwnerAccountID:   metadata.OwnerAccountID,
 		MetadataLocation: metadata.MetadataLocation,
 		VersionToken:     metadata.VersionToken,
 	}
@@ -311,7 +311,7 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
 			return err
 		}
 		principal := h.getPrincipalFromRequest(r)
-		if !CanListTables(principal, nsMeta.OwnerID) {
+		if !CanListTables(principal, nsMeta.OwnerAccountID) {
 			return NewAuthError("ListTables", principal, "not authorized to list tables")
 		}
 
@@ -328,7 +328,7 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
 			return err
 		}
 		principal := h.getPrincipalFromRequest(r)
-		if !CanListTables(principal, bucketMeta.OwnerID) {
+		if !CanListTables(principal, bucketMeta.OwnerAccountID) {
 			return NewAuthError("ListTables", principal, "not authorized to list tables")
 		}
 
@@ -603,7 +603,7 @@ func (h *S3TablesHandler) handleDeleteTable(w http.ResponseWriter, r *http.Reque
 
 	// Check permission
 	principal := h.getPrincipalFromRequest(r)
-	if !CanDeleteTable(principal, metadata.OwnerID) {
+	if !CanDeleteTable(principal, metadata.OwnerAccountID) {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table")
 		return NewAuthError("DeleteTable", principal, "not authorized to delete table")
 	}
diff --git a/weed/s3api/s3tables/types.go b/weed/s3api/s3tables/types.go
index f4dc4ef75..f2aa67e05 100644
--- a/weed/s3api/s3tables/types.go
+++ b/weed/s3api/s3tables/types.go
@@ -5,10 +5,10 @@ import "time"
 
 // Table bucket types
 type TableBucket struct {
-	ARN       string    `json:"arn"`
-	Name      string    `json:"name"`
-	OwnerID   string    `json:"ownerAccountId"`
-	CreatedAt time.Time `json:"createdAt"`
+	ARN            string    `json:"arn"`
+	Name           string    `json:"name"`
+	OwnerAccountID string    `json:"ownerAccountId"`
+	CreatedAt      time.Time `json:"createdAt"`
 }
 
 type CreateTableBucketRequest struct {
diff --git a/weed/s3api/s3tables/utils.go b/weed/s3api/s3tables/utils.go
index a557c09cf..c52378a95 100644
--- a/weed/s3api/s3tables/utils.go
+++ b/weed/s3api/s3tables/utils.go
@@ -71,18 +71,17 @@ func getTablePath(bucketName, namespace, tableName string) string {
 
 // Metadata structures
 
-// tableBucketMetadata stores metadata for a table bucket
 type tableBucketMetadata struct {
-	Name      string    `json:"name"`
-	CreatedAt time.Time `json:"createdAt"`
-	OwnerID   string    `json:"ownerAccountId"`
+	Name           string    `json:"name"`
+	CreatedAt      time.Time `json:"createdAt"`
+	OwnerAccountID string    `json:"ownerAccountId"`
 }
 
 // namespaceMetadata stores metadata for a namespace
 type namespaceMetadata struct {
-	Namespace []string  `json:"namespace"`
-	CreatedAt time.Time `json:"createdAt"`
-	OwnerID   string    `json:"ownerAccountId"`
+	Namespace      []string  `json:"namespace"`
+	CreatedAt      time.Time `json:"createdAt"`
+	OwnerAccountID string    `json:"ownerAccountId"`
 }
 
 // tableMetadataInternal stores metadata for a table
@@ -92,7 +91,7 @@ type tableMetadataInternal struct {
 	Format           string         `json:"format"`
 	CreatedAt        time.Time      `json:"createdAt"`
 	ModifiedAt       time.Time      `json:"modifiedAt"`
-	OwnerID          string         `json:"ownerAccountId"`
+	OwnerAccountID   string         `json:"ownerAccountId"`
 	VersionToken     string         `json:"versionToken"`
 	MetadataLocation string         `json:"metadataLocation,omitempty"`
 	Schema           *TableMetadata `json:"metadata,omitempty"`
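Review bot: The doc comment `// tableBucketMetadata stores metadata for a table bucket` is deleted in the first hunk and nothing replaces it, so tableBucketMetadata becomes the only one of the three persisted metadata structs in this file without a doc comment while namespaceMetadata and tableMetadataInternal keep theirs; restore it directly above the type as `// tableBucketMetadata stores metadata for a table bucket.`. The rename leaves the `json:"ownerAccountId"` tags untouched, so metadata written before this change still decodes into the new field name; that invariant is worth stating on the field because the handlers feed this value straight into the permission checks (CanGetTableBucket, CanDeleteTable and the rest), and a mismatched tag would decode to an empty owner string rather than an error, e.g. `// OwnerAccountID is the account the Can* permission checks compare the caller against; the json tag is the persisted form and must stay stable.`. The same field comment applies to the OwnerAccountID fields of namespaceMetadata and tableMetadataInternal. The second hunk shows only the middle of tableMetadataInternal; its opening and closing lines are outside the hunk.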