fix(s3api): ensure static config file takes precedence over dynamic updates

When a static S3 configuration file is provided, avoid overwriting
the configuration from dynamic filer updates. This ensures the
documented "Highest Priority" for the configuration file is respected.

weed/s3api/auth_credentials.go

@@ -59,6 +59,9 @@ type IdentityAccessManagement struct {
 
 	// Bucket policy engine for evaluating bucket policies
 	policyEngine *BucketPolicyEngine
+
+	// useStaticConfig indicates if the configuration was loaded from a static file
+	useStaticConfig bool
 }
 
 type Identity struct {
@@ -162,6 +165,7 @@ func NewIdentityAccessManagementWithStore(option *S3ApiServerOption, explicitSto
 		if err := iam.loadS3ApiConfigurationFromFile(option.Config); err != nil {
 			glog.Fatalf("fail to load config file %s: %v", option.Config, err)
 		}
+		iam.useStaticConfig = true
 		// Check if any identities were actually loaded from the config file
 		iam.m.RLock()
 		configLoaded = len(iam.identities) > 0
@@ -405,6 +409,10 @@ func (iam *IdentityAccessManagement) isEnabled() bool {
 	return iam.isAuthEnabled
 }
 
+func (iam *IdentityAccessManagement) IsStaticConfig() bool {
+	return iam.useStaticConfig
+}
+
 func (iam *IdentityAccessManagement) lookupByAccessKey(accessKey string) (identity *Identity, cred *Credential, found bool) {
 	iam.m.RLock()
 	defer iam.m.RUnlock()

weed/s3api/auth_credentials_subscribe.go

@@ -59,6 +59,10 @@ func (s3a *S3ApiServer) onIamConfigChange(dir string, oldEntry *filer_pb.Entry,
 	if dir != filer.IamConfigDirectory {
 		return nil
 	}
+	if s3a.iam.IsStaticConfig() {
+		glog.V(0).Infof("Ignoring IAM config change because static configuration file is in use")
+		return nil
+	}
 
 	// Handle deletion: reset to empty config
 	if newEntry == nil && oldEntry != nil && oldEntry.Name == filer.IamIdentityFile {