
Fix STS authorization in streaming/chunked uploads

During streaming/chunked uploads (SigV4 streaming), authorization happens
twice:
1. Initial authorization in authRequestWithAuthType() - works correctly
2. Second authorization in verifyV4Signature() - was failing for STS

The issue was that verifyV4Signature() only used identity.canDo() for
permission checks, which always denies STS identities (they have empty
Actions). This bypassed IAM authorization completely.

This commit makes verifyV4Signature() IAM-aware by adding the same
fallback logic used in authRequestWithAuthType():
- Traditional identities (with Actions) use legacy canDo() check
- STS/JWT identities (empty Actions) fall back to IAM authorization

Fixes: https://github.com/seaweedfs/seaweedfs/pull/7986#issuecomment-3723196038
pull/7988/head
Chris Lu 6 days ago
parent
commit
615bdd7047
1 file changed: weed/s3api/auth_signature_v4.go (13)

@ -248,7 +248,18 @@ func (iam *IdentityAccessManagement) verifyV4Signature(r *http.Request, shouldCh
if r.Method != http.MethodGet && r.Method != http.MethodHead {
action = s3_constants.ACTION_WRITE
}
if !identity.canDo(Action(action), bucket, object) {
// Traditional identities (with Actions from -s3.config) use legacy auth,
// JWT/STS identities (no Actions) use IAM authorization
if len(identity.Actions) > 0 {
if !identity.canDo(Action(action), bucket, object) {
return nil, nil, "", nil, s3err.ErrAccessDenied
}
} else if iam.iamIntegration != nil {
if errCode := iam.authorizeWithIAM(r, identity, Action(action), bucket, object); errCode != s3err.ErrNone {
return nil, nil, "", nil, errCode
}
} else {
return nil, nil, "", nil, s3err.ErrAccessDenied
}
}
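Review bot: the new dispatch block (check `len(identity.Actions)`, fall back to `iam.authorizeWithIAM` when `iam.iamIntegration` is set, otherwise deny) duplicates logic the commit message says already exists in authRequestWithAuthType(); extracting it into one shared helper on IdentityAccessManagement that takes identity, action, bucket and object and returns an s3err code would keep the two authorization paths from drifting apart again, which is exactly the class of bug being fixed here. The final `else` returning `s3err.ErrAccessDenied` for an identity with no Actions and no IAM integration is the right fail-closed default and should be kept if the code is refactored. Since only weed/s3api/auth_signature_v4.go changes, a regression test calling verifyV4Signature() with an STS identity (empty Actions) on a chunked upload would document the fix and guard the second authorization step.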
