s3tables: standardize access denied errors using ErrAccessDenied constant

4 days ago · 4d4af0589b
4 changed files with 12 additions and 11 deletions
--- a/weed/s3api/s3tables/handler.go
+++ b/weed/s3api/s3tables/handler.go
@ -26,6 +26,7 @@ const (

 var (
 	ErrVersionTokenMismatch = errors.New("version token mismatch")
+	ErrAccessDenied         = errors.New("access denied")
 )

 type ResourceType string
@ -229,5 +230,5 @@ func (h *S3TablesHandler) generateTableARN(r *http.Request, bucketName, tableID

 func isAuthError(err error) bool {
 	var authErr *AuthError
-	return errors.As(err, &authErr)
+	return errors.As(err, &authErr) || errors.Is(err, ErrAccessDenied)
 }
--- a/weed/s3api/s3tables/handler_bucket_get_list_delete.go
+++ b/weed/s3api/s3tables/handler_bucket_get_list_delete.go
@ -58,7 +58,7 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
 	// Check ownership
 	if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details")
-		return fmt.Errorf("access denied")
+		return ErrAccessDenied
 	}

 	resp := &GetTableBucketResponse{
--- a/weed/s3api/s3tables/handler_namespace.go
+++ b/weed/s3api/s3tables/handler_namespace.go
@ -68,7 +68,7 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
 	// Check ownership
 	if accountID := h.getAccountID(r); accountID != bucketMetadata.OwnerAccountID {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace in this bucket")
-		return fmt.Errorf("access denied")
+		return ErrAccessDenied
 	}

 	namespacePath := getNamespacePath(bucketName, namespaceName)
@ -178,7 +178,7 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
 	// Check ownership
 	if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
 		h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
-		return fmt.Errorf("access denied")
+		return ErrAccessDenied
 	}

 	resp := &GetNamespaceResponse{
@ -242,7 +242,7 @@ func (h *S3TablesHandler) handleListNamespaces(w http.ResponseWriter, r *http.Re
 	accountID := h.getAccountID(r)
 	if accountID != bucketMetadata.OwnerAccountID {
 		h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName))
-		return fmt.Errorf("access denied")
+		return ErrAccessDenied
 	}

 	var namespaces []NamespaceSummary
@ -403,7 +403,7 @@ func (h *S3TablesHandler) handleDeleteNamespace(w http.ResponseWriter, r *http.R
 	// Check ownership
 	if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
 		h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
-		return fmt.Errorf("access denied")
+		return ErrAccessDenied
 	}

 	// Check if namespace is empty
--- a/weed/s3api/s3tables/handler_table.go
+++ b/weed/s3api/s3tables/handler_table.go
@ -88,7 +88,7 @@ func (h *S3TablesHandler) handleCreateTable(w http.ResponseWriter, r *http.Reque
 	// Check ownership
 	if accountID := h.getAccountID(r); accountID != namespaceMetadata.OwnerAccountID {
 		h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table in this namespace")
-		return fmt.Errorf("access denied")
+		return ErrAccessDenied
 	}

 	tablePath := getTablePath(bucketName, namespaceName, tableName)
@ -241,7 +241,7 @@ func (h *S3TablesHandler) handleGetTable(w http.ResponseWriter, r *http.Request,
 	// Check ownership
 	if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
 		h.writeError(w, http.StatusNotFound, ErrCodeNoSuchTable, fmt.Sprintf("table %s not found", tableName))
-		return fmt.Errorf("access denied")
+		return ErrAccessDenied
 	}

 	tableARN := h.generateTableARN(r, bucketName, namespace+"/"+tableName)
@ -310,7 +310,7 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
 			}
 			if accountID := h.getAccountID(r); accountID != nsMeta.OwnerAccountID {
 				h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
-				return fmt.Errorf("access denied")
+				return ErrAccessDenied
 			}

 			tables, paginationToken, err = h.listTablesInNamespaceWithClient(r, client, bucketName, namespaceName, req.Prefix, req.ContinuationToken, maxTables)
@ -327,7 +327,7 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
 			}
 			if accountID := h.getAccountID(r); accountID != bucketMeta.OwnerAccountID {
 				h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, "bucket not found")
-				return fmt.Errorf("access denied")
+				return ErrAccessDenied
 			}

 			tables, paginationToken, err = h.listTablesInAllNamespaces(r, client, bucketName, req.Prefix, req.ContinuationToken, maxTables)
@ -611,7 +611,7 @@ func (h *S3TablesHandler) handleDeleteTable(w http.ResponseWriter, r *http.Reque
 	// Check ownership
 	if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
 		h.writeError(w, http.StatusNotFound, ErrCodeNoSuchTable, fmt.Sprintf("table %s not found", tableName))
-		return fmt.Errorf("access denied")
+		return ErrAccessDenied
 	}

 	// Delete the table