From 4d4af0589bed2bab3f93f0002537ae0114c0726c Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Wed, 28 Jan 2026 14:33:01 -0800
Subject: [PATCH] s3tables: standardize access denied errors using ErrAccessDenied constant
---
 weed/s3api/s3tables/handler.go | 3 ++-
 weed/s3api/s3tables/handler_bucket_get_list_delete.go | 2 +-
 weed/s3api/s3tables/handler_namespace.go | 8 ++++----
 weed/s3api/s3tables/handler_table.go | 10 +++++-----
 4 files changed, 12 insertions(+), 11 deletions(-)
diff --git a/weed/s3api/s3tables/handler.go b/weed/s3api/s3tables/handler.go
index 428315fee..0ff7a3099 100644
--- a/weed/s3api/s3tables/handler.go
+++ b/weed/s3api/s3tables/handler.go
@@ -26,6 +26,7 @@ const (
 var (
 ErrVersionTokenMismatch = errors.New("version token mismatch")
+ ErrAccessDenied = errors.New("access denied")
 )
 type ResourceType string
@@ -229,5 +230,5 @@ func (h *S3TablesHandler) generateTableARN(r *http.Request, bucketName, tableID
 func isAuthError(err error) bool {
 var authErr *AuthError
- return errors.As(err, &authErr)
+ return errors.As(err, &authErr) || errors.Is(err, ErrAccessDenied)
 }
diff --git a/weed/s3api/s3tables/handler_bucket_get_list_delete.go b/weed/s3api/s3tables/handler_bucket_get_list_delete.go
index fa06f94ba..7471d0330 100644
--- a/weed/s3api/s3tables/handler_bucket_get_list_delete.go
+++ b/weed/s3api/s3tables/handler_bucket_get_list_delete.go
@@ -58,7 +58,7 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
 // Check ownership
 if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
 h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details")
- return fmt.Errorf("access denied")
+ return ErrAccessDenied
 }
 resp := &GetTableBucketResponse{
diff --git a/weed/s3api/s3tables/handler_namespace.go b/weed/s3api/s3tables/handler_namespace.go
index 4dcbad742..d99df4603 100644
--- a/weed/s3api/s3tables/handler_namespace.go
+++ b/weed/s3api/s3tables/handler_namespace.go
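Review bot: The new exported sentinel `ErrAccessDenied` in the `var` block has no doc comment, and its contract is not obvious from the name. In every handler this patch touches, it is returned only after `h.writeError` has already sent the response. I would add `// ErrAccessDenied is returned when the caller's account does not own the resource; the handler has already written the HTTP error response.` above it, so that code matching it with `errors.Is` knows not to write a second response.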
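Review bot: `isAuthError` now returns true for ownership failures it did not match before, because the old `fmt.Errorf("access denied")` values were neither an `*AuthError` nor a sentinel. That is a behaviour change, not only the standardization the subject line describes. Its callers are outside this diff, so it is worth confirming that none of them writes its own 403 or surfaces "access denied" to the client for these errors: several handlers in this patch deliberately answer a non-owner with a 404 `NoSuch*` code, and the response is already written when the error is returned. A small table-driven test over `ErrAccessDenied`, a `%w`-wrapped `ErrAccessDenied`, an `*AuthError` and an unrelated error would pin the new classification.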
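Review bot: `handleGetTableBucket` answers a non-owner with `http.StatusForbidden` / `ErrCodeAccessDenied`, while `handleListNamespaces` and the bucket branch of `handleListTables` answer the same ownership failure with a 404 `ErrCodeNoSuchBucket`. The 403 tells any authenticated account that the bucket name exists, which the 404 paths appear designed to hide. The same split shows in `handleCreateNamespace` and `handleCreateTable` (403) versus the get/list/delete handlers (404). Since this commit already unifies the returned error, it is a natural place to pick one policy, for example `h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, "table bucket not found")` here, or to add a comment explaining why bucket-get and the create paths intentionally differ. The function body starts and ends outside the hunk.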
@@ -68,7 +68,7 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
 // Check ownership
 if accountID := h.getAccountID(r); accountID != bucketMetadata.OwnerAccountID {
 h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace in this bucket")
- return fmt.Errorf("access denied")
+ return ErrAccessDenied
 }
 namespacePath := getNamespacePath(bucketName, namespaceName)
@@ -178,7 +178,7 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
 // Check ownership
 if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
 h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
- return fmt.Errorf("access denied")
+ return ErrAccessDenied
 }
 resp := &GetNamespaceResponse{
@@ -242,7 +242,7 @@ func (h *S3TablesHandler) handleListNamespaces(w http.ResponseWriter, r *http.Re
 accountID := h.getAccountID(r)
 if accountID != bucketMetadata.OwnerAccountID {
 h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName))
- return fmt.Errorf("access denied")
+ return ErrAccessDenied
 }
 var namespaces []NamespaceSummary
@@ -403,7 +403,7 @@ func (h *S3TablesHandler) handleDeleteNamespace(w http.ResponseWriter, r *http.R
 // Check ownership
 if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
 h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
- return fmt.Errorf("access denied")
+ return ErrAccessDenied
 }
 // Check if namespace is empty
diff --git a/weed/s3api/s3tables/handler_table.go b/weed/s3api/s3tables/handler_table.go
index 996eb0250..9e592b15a 100644
--- a/weed/s3api/s3tables/handler_table.go
+++ b/weed/s3api/s3tables/handler_table.go
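Review bot: The `return ErrAccessDenied` in `handleCreateNamespace` carries no record of which account or resource failed the ownership check, so whatever logs the returned error can only record the same "access denied" string for every denial. Wrapping keeps `errors.Is(err, ErrAccessDenied)` working and gives the server-side audit trail something to correlate, e.g. `return fmt.Errorf("create namespace %q in bucket %q by account %q: %w", namespaceName, bucketName, accountID, ErrAccessDenied)`. The same applies to `handleGetNamespace`, `handleListNamespaces` and `handleDeleteNamespace` in this file and to the handlers in handler_table.go. The wrapped text must stay in logs only, because the 404 responses deliberately hide the real reason from the client. All of these function bodies extend outside their hunks.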
@@ -88,7 +88,7 @@ func (h *S3TablesHandler) handleCreateTable(w http.ResponseWriter, r *http.Reque
 // Check ownership
 if accountID := h.getAccountID(r); accountID != namespaceMetadata.OwnerAccountID {
 h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table in this namespace")
- return fmt.Errorf("access denied")
+ return ErrAccessDenied
 }
 tablePath := getTablePath(bucketName, namespaceName, tableName)
@@ -241,7 +241,7 @@ func (h *S3TablesHandler) handleGetTable(w http.ResponseWriter, r *http.Request,
 // Check ownership
 if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
 h.writeError(w, http.StatusNotFound, ErrCodeNoSuchTable, fmt.Sprintf("table %s not found", tableName))
- return fmt.Errorf("access denied")
+ return ErrAccessDenied
 }
 tableARN := h.generateTableARN(r, bucketName, namespace+"/"+tableName)
@@ -310,7 +310,7 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
 }
 if accountID := h.getAccountID(r); accountID != nsMeta.OwnerAccountID {
 h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
- return fmt.Errorf("access denied")
+ return ErrAccessDenied
 }
 tables, paginationToken, err = h.listTablesInNamespaceWithClient(r, client, bucketName, namespaceName, req.Prefix, req.ContinuationToken, maxTables)
@@ -327,7 +327,7 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
 }
 if accountID := h.getAccountID(r); accountID != bucketMeta.OwnerAccountID {
 h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, "bucket not found")
- return fmt.Errorf("access denied")
+ return ErrAccessDenied
 }
 tables, paginationToken, err = h.listTablesInAllNamespaces(r, client, bucketName, req.Prefix, req.ContinuationToken, maxTables)
@@ -611,7 +611,7 @@ func (h *S3TablesHandler) handleDeleteTable(w http.ResponseWriter, r *http.Reque
 // Check ownership
 if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
 h.writeError(w, http.StatusNotFound, ErrCodeNoSuchTable, fmt.Sprintf("table %s not found", tableName))
- return fmt.Errorf("access denied")
+ return ErrAccessDenied
 }
 // Delete the table