From 83deff51264574d51115f20b1caebb844983397d Mon Sep 17 00:00:00 2001 From: chrislu Date: Thu, 13 Nov 2025 12:11:28 -0800 Subject: [PATCH] no need for action copy object --- weed/s3api/s3_action_resolver.go | 6 +- weed/s3api/s3_constants/s3_action_strings.go | 86 ++++++++++---------- 2 files changed, 44 insertions(+), 48 deletions(-) diff --git a/weed/s3api/s3_action_resolver.go b/weed/s3api/s3_action_resolver.go index 49de7fd17..dc1fab4bb 100644 --- a/weed/s3api/s3_action_resolver.go +++ b/weed/s3api/s3_action_resolver.go @@ -217,10 +217,8 @@ func resolveObjectLevelAction(method string, baseAction string, r *http.Request) case http.MethodPut: if baseAction == s3_constants.ACTION_WRITE { - // Check for copy operation - if r.Header.Get("X-Amz-Copy-Source") != "" { - return s3_constants.S3_ACTION_COPY_OBJECT - } + // Note: CopyObject operations also use s3:PutObject permission (same as MinIO/AWS) + // Copy requires s3:PutObject on destination and s3:GetObject on source return s3_constants.S3_ACTION_PUT_OBJECT } diff --git a/weed/s3api/s3_constants/s3_action_strings.go b/weed/s3api/s3_constants/s3_action_strings.go index b52865046..d655d60d0 100644 --- a/weed/s3api/s3_constants/s3_action_strings.go +++ b/weed/s3api/s3_constants/s3_action_strings.go @@ -4,61 +4,60 @@ package s3_constants // These match the official AWS S3 action format used in IAM and bucket policies const ( // Object operations - S3_ACTION_GET_OBJECT = "s3:GetObject" - S3_ACTION_PUT_OBJECT = "s3:PutObject" - S3_ACTION_COPY_OBJECT = "s3:CopyObject" - S3_ACTION_DELETE_OBJECT = "s3:DeleteObject" - S3_ACTION_DELETE_OBJECT_VERSION = "s3:DeleteObjectVersion" - S3_ACTION_GET_OBJECT_VERSION = "s3:GetObjectVersion" + S3_ACTION_GET_OBJECT = "s3:GetObject" + S3_ACTION_PUT_OBJECT = "s3:PutObject" + S3_ACTION_DELETE_OBJECT = "s3:DeleteObject" + S3_ACTION_DELETE_OBJECT_VERSION = "s3:DeleteObjectVersion" + S3_ACTION_GET_OBJECT_VERSION = "s3:GetObjectVersion" // Object ACL operations - S3_ACTION_GET_OBJECT_ACL = "s3:GetObjectAcl" - S3_ACTION_PUT_OBJECT_ACL = "s3:PutObjectAcl" + S3_ACTION_GET_OBJECT_ACL = "s3:GetObjectAcl" + S3_ACTION_PUT_OBJECT_ACL = "s3:PutObjectAcl" // Object tagging operations - S3_ACTION_GET_OBJECT_TAGGING = "s3:GetObjectTagging" - S3_ACTION_PUT_OBJECT_TAGGING = "s3:PutObjectTagging" - S3_ACTION_DELETE_OBJECT_TAGGING = "s3:DeleteObjectTagging" + S3_ACTION_GET_OBJECT_TAGGING = "s3:GetObjectTagging" + S3_ACTION_PUT_OBJECT_TAGGING = "s3:PutObjectTagging" + S3_ACTION_DELETE_OBJECT_TAGGING = "s3:DeleteObjectTagging" // Object retention and legal hold - S3_ACTION_GET_OBJECT_RETENTION = "s3:GetObjectRetention" - S3_ACTION_PUT_OBJECT_RETENTION = "s3:PutObjectRetention" - S3_ACTION_GET_OBJECT_LEGAL_HOLD = "s3:GetObjectLegalHold" - S3_ACTION_PUT_OBJECT_LEGAL_HOLD = "s3:PutObjectLegalHold" - S3_ACTION_BYPASS_GOVERNANCE = "s3:BypassGovernanceRetention" + S3_ACTION_GET_OBJECT_RETENTION = "s3:GetObjectRetention" + S3_ACTION_PUT_OBJECT_RETENTION = "s3:PutObjectRetention" + S3_ACTION_GET_OBJECT_LEGAL_HOLD = "s3:GetObjectLegalHold" + S3_ACTION_PUT_OBJECT_LEGAL_HOLD = "s3:PutObjectLegalHold" + S3_ACTION_BYPASS_GOVERNANCE = "s3:BypassGovernanceRetention" // Multipart upload operations - S3_ACTION_CREATE_MULTIPART = "s3:CreateMultipartUpload" - S3_ACTION_UPLOAD_PART = "s3:UploadPart" - S3_ACTION_COMPLETE_MULTIPART = "s3:CompleteMultipartUpload" - S3_ACTION_ABORT_MULTIPART = "s3:AbortMultipartUpload" - S3_ACTION_LIST_PARTS = "s3:ListMultipartUploadParts" + S3_ACTION_CREATE_MULTIPART = "s3:CreateMultipartUpload" + S3_ACTION_UPLOAD_PART = "s3:UploadPart" + S3_ACTION_COMPLETE_MULTIPART = "s3:CompleteMultipartUpload" + S3_ACTION_ABORT_MULTIPART = "s3:AbortMultipartUpload" + S3_ACTION_LIST_PARTS = "s3:ListMultipartUploadParts" // Bucket operations - S3_ACTION_CREATE_BUCKET = "s3:CreateBucket" - S3_ACTION_DELETE_BUCKET = "s3:DeleteBucket" - S3_ACTION_LIST_BUCKET = "s3:ListBucket" - S3_ACTION_LIST_BUCKET_VERSIONS = "s3:ListBucketVersions" - S3_ACTION_LIST_MULTIPART_UPLOADS = "s3:ListBucketMultipartUploads" + S3_ACTION_CREATE_BUCKET = "s3:CreateBucket" + S3_ACTION_DELETE_BUCKET = "s3:DeleteBucket" + S3_ACTION_LIST_BUCKET = "s3:ListBucket" + S3_ACTION_LIST_BUCKET_VERSIONS = "s3:ListBucketVersions" + S3_ACTION_LIST_MULTIPART_UPLOADS = "s3:ListBucketMultipartUploads" // Bucket ACL operations - S3_ACTION_GET_BUCKET_ACL = "s3:GetBucketAcl" - S3_ACTION_PUT_BUCKET_ACL = "s3:PutBucketAcl" + S3_ACTION_GET_BUCKET_ACL = "s3:GetBucketAcl" + S3_ACTION_PUT_BUCKET_ACL = "s3:PutBucketAcl" // Bucket policy operations - S3_ACTION_GET_BUCKET_POLICY = "s3:GetBucketPolicy" - S3_ACTION_PUT_BUCKET_POLICY = "s3:PutBucketPolicy" - S3_ACTION_DELETE_BUCKET_POLICY = "s3:DeleteBucketPolicy" + S3_ACTION_GET_BUCKET_POLICY = "s3:GetBucketPolicy" + S3_ACTION_PUT_BUCKET_POLICY = "s3:PutBucketPolicy" + S3_ACTION_DELETE_BUCKET_POLICY = "s3:DeleteBucketPolicy" // Bucket tagging operations - S3_ACTION_GET_BUCKET_TAGGING = "s3:GetBucketTagging" - S3_ACTION_PUT_BUCKET_TAGGING = "s3:PutBucketTagging" - S3_ACTION_DELETE_BUCKET_TAGGING = "s3:DeleteBucketTagging" + S3_ACTION_GET_BUCKET_TAGGING = "s3:GetBucketTagging" + S3_ACTION_PUT_BUCKET_TAGGING = "s3:PutBucketTagging" + S3_ACTION_DELETE_BUCKET_TAGGING = "s3:DeleteBucketTagging" // Bucket CORS operations - S3_ACTION_GET_BUCKET_CORS = "s3:GetBucketCors" - S3_ACTION_PUT_BUCKET_CORS = "s3:PutBucketCors" - S3_ACTION_DELETE_BUCKET_CORS = "s3:DeleteBucketCors" + S3_ACTION_GET_BUCKET_CORS = "s3:GetBucketCors" + S3_ACTION_PUT_BUCKET_CORS = "s3:PutBucketCors" + S3_ACTION_DELETE_BUCKET_CORS = "s3:DeleteBucketCors" // Bucket lifecycle operations S3_ACTION_GET_BUCKET_LIFECYCLE = "s3:GetLifecycleConfiguration" @@ -66,21 +65,20 @@ const ( S3_ACTION_DELETE_BUCKET_LIFECYCLE = "s3:PutLifecycleConfiguration" // Bucket versioning operations - S3_ACTION_GET_BUCKET_VERSIONING = "s3:GetBucketVersioning" - S3_ACTION_PUT_BUCKET_VERSIONING = "s3:PutBucketVersioning" + S3_ACTION_GET_BUCKET_VERSIONING = "s3:GetBucketVersioning" + S3_ACTION_PUT_BUCKET_VERSIONING = "s3:PutBucketVersioning" // Bucket location - S3_ACTION_GET_BUCKET_LOCATION = "s3:GetBucketLocation" + S3_ACTION_GET_BUCKET_LOCATION = "s3:GetBucketLocation" // Bucket notification S3_ACTION_GET_BUCKET_NOTIFICATION = "s3:GetBucketNotification" S3_ACTION_PUT_BUCKET_NOTIFICATION = "s3:PutBucketNotification" // Bucket object lock operations - S3_ACTION_GET_BUCKET_OBJECT_LOCK = "s3:GetBucketObjectLockConfiguration" - S3_ACTION_PUT_BUCKET_OBJECT_LOCK = "s3:PutBucketObjectLockConfiguration" + S3_ACTION_GET_BUCKET_OBJECT_LOCK = "s3:GetBucketObjectLockConfiguration" + S3_ACTION_PUT_BUCKET_OBJECT_LOCK = "s3:PutBucketObjectLockConfiguration" // Wildcard for all S3 actions - S3_ACTION_ALL = "s3:*" + S3_ACTION_ALL = "s3:*" ) -