|
|
@ -30,11 +30,8 @@ func (h *S3TablesHandler) handleCreateTableBucket(w http.ResponseWriter, r *http |
|
|
identityActions := getIdentityActions(r) |
|
|
identityActions := getIdentityActions(r) |
|
|
identityPolicyNames := getIdentityPolicyNames(r) |
|
|
identityPolicyNames := getIdentityPolicyNames(r) |
|
|
if h.shouldUseIAM(r, identityActions, identityPolicyNames) { |
|
|
if h.shouldUseIAM(r, identityActions, identityPolicyNames) { |
|
|
ownerAccountID := principal |
|
|
|
|
|
tableBucketARN := h.generateTableBucketARN(ownerAccountID, req.Name) |
|
|
|
|
|
s3BucketARN := fmt.Sprintf("arn:aws:s3:::%s", req.Name) |
|
|
|
|
|
allowed, err := h.authorizeIAMAction(r, identityPolicyNames, "s3tables:CreateTableBucket", tableBucketARN, s3BucketARN) |
|
|
|
|
|
if err != nil || !allowed { |
|
|
|
|
|
|
|
|
sessionToken := extractSessionToken(r) |
|
|
|
|
|
if !h.authorizeIAMAction(r, identityPolicyNames, "CreateTableBucket", h.generateTableBucketARN(principal, req.Name), fmt.Sprintf("arn:aws:s3:::%s", req.Name)) { |
|
|
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table buckets") |
|
|
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table buckets") |
|
|
return NewAuthError("CreateTableBucket", principal, "not authorized to create table buckets") |
|
|
return NewAuthError("CreateTableBucket", principal, "not authorized to create table buckets") |
|
|
} |
|
|
} |
|
|
|
Chris Lu
2 days ago