From b7bba7e7dc34533d91dea5e73ce20877d1c7e721 Mon Sep 17 00:00:00 2001
From: Chris Lu
Date: Wed, 28 Jan 2026 17:38:22 -0800
Subject: [PATCH] s3tables: Generate ARNs using resource owner account ID

Change ARN generation to use resource OwnerAccountID instead of caller identity (h.getAccountID(r)). This ensures ARNs are stable and consistent regardless of which principal accesses the resource. Updated generateTableBucketARN and generateTableARN function signatures to accept ownerAccountID parameter. All call sites updated to pass the resource owner's account ID from metadata. This prevents ARN inconsistency issues when multiple principals have access to the same resource via policies.
---
 weed/s3api/s3tables/handler.go | 8 ++++----
 weed/s3api/s3tables/handler_bucket_create.go | 2 +-
 weed/s3api/s3tables/handler_bucket_get_list_delete.go | 4 ++--
 weed/s3api/s3tables/handler_table.go | 6 +++---
 4 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/weed/s3api/s3tables/handler.go b/weed/s3api/s3tables/handler.go
index d951ff837..1280aa8fe 100644
--- a/weed/s3api/s3tables/handler.go
+++ b/weed/s3api/s3tables/handler.go
@@ -224,12 +224,12 @@ func (h *S3TablesHandler) writeError(w http.ResponseWriter, status int, code, me
 // ARN generation helpers
-func (h *S3TablesHandler) generateTableBucketARN(r *http.Request, bucketName string) string {
- return fmt.Sprintf("arn:aws:s3tables:%s:%s:bucket/%s", h.region, h.getAccountID(r), bucketName)
+func (h *S3TablesHandler) generateTableBucketARN(ownerAccountID, bucketName string) string {
+ return fmt.Sprintf("arn:aws:s3tables:%s:%s:bucket/%s", h.region, ownerAccountID, bucketName)
 }
-func (h *S3TablesHandler) generateTableARN(r *http.Request, bucketName, tableID string) string {
- return fmt.Sprintf("arn:aws:s3tables:%s:%s:bucket/%s/table/%s", h.region, h.getAccountID(r), bucketName, tableID)
+func (h *S3TablesHandler) generateTableARN(ownerAccountID, bucketName, tableID string) string {
+ return fmt.Sprintf("arn:aws:s3tables:%s:%s:bucket/%s/table/%s", h.region, ownerAccountID, bucketName, tableID)
 }
 func isAuthError(err error) bool {
diff --git a/weed/s3api/s3tables/handler_bucket_create.go b/weed/s3api/s3tables/handler_bucket_create.go
index 6b3f941d2..c2a58aae4 100644
--- a/weed/s3api/s3tables/handler_bucket_create.go
+++ b/weed/s3api/s3tables/handler_bucket_create.go
@@ -127,7 +127,7 @@ func (h *S3TablesHandler) handleCreateTableBucket(w http.ResponseWriter, r *http
 }
 resp := &CreateTableBucketResponse{
- ARN: h.generateTableBucketARN(r, req.Name),
+ ARN: h.generateTableBucketARN(metadata.OwnerAccountID, req.Name),
 }
 h.writeJSON(w, http.StatusOK, resp)
diff --git a/weed/s3api/s3tables/handler_bucket_get_list_delete.go b/weed/s3api/s3tables/handler_bucket_get_list_delete.go
index 09ff62fa9..2a1131307 100644
--- a/weed/s3api/s3tables/handler_bucket_get_list_delete.go
+++ b/weed/s3api/s3tables/handler_bucket_get_list_delete.go
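Review bot: The new `ownerAccountID` parameter on generateTableBucketARN and generateTableARN has no doc comment, and nothing in the helpers guards an empty value, so metadata that lacks an OwnerAccountID (if such records can exist, e.g. written before the field was recorded) would yield an ARN with an empty account component (`arn:aws:s3tables:<region>::bucket/<name>`), which policy matching may treat differently from the caller-derived value the old code always produced. Add `// generateTableBucketARN builds the table-bucket ARN from the resource owner's account ID (not the caller's) so the ARN is identical for every principal.` above the first helper and `// generateTableARN builds the table ARN under the owning bucket's account; tableID is the namespace/table path.` above the second. If empty owner IDs are possible, either document that the caller must supply a non-empty value or return an error here rather than emitting a malformed ARN.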
@@ -71,7 +71,7 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
 }
 resp := &GetTableBucketResponse{
- ARN: h.generateTableBucketARN(r, bucketName),
+ ARN: h.generateTableBucketARN(metadata.OwnerAccountID, bucketName),
 Name: metadata.Name,
 OwnerAccountID: metadata.OwnerAccountID,
 CreatedAt: metadata.CreatedAt,
@@ -174,7 +174,7 @@ func (h *S3TablesHandler) handleListTableBuckets(w http.ResponseWriter, r *http.
 }
 buckets = append(buckets, TableBucketSummary{
- ARN: h.generateTableBucketARN(r, entry.Entry.Name),
+ ARN: h.generateTableBucketARN(metadata.OwnerAccountID, entry.Entry.Name),
 Name: entry.Entry.Name,
 CreatedAt: metadata.CreatedAt,
 })
diff --git a/weed/s3api/s3tables/handler_table.go b/weed/s3api/s3tables/handler_table.go
index 92a3b6cc5..9160714af 100644
--- a/weed/s3api/s3tables/handler_table.go
+++ b/weed/s3api/s3tables/handler_table.go
@@ -198,7 +198,7 @@ func (h *S3TablesHandler) handleCreateTable(w http.ResponseWriter, r *http.Reque
 return err
 }
- tableARN := h.generateTableARN(r, bucketName, namespaceName+"/"+tableName)
+ tableARN := h.generateTableARN(metadata.OwnerAccountID, bucketName, namespaceName+"/"+tableName)
 resp := &CreateTableResponse{
 TableARN: tableARN,
@@ -312,7 +312,7 @@ func (h *S3TablesHandler) handleGetTable(w http.ResponseWriter, r *http.Request,
 return ErrAccessDenied
 }
- tableARN := h.generateTableARN(r, bucketName, namespace+"/"+tableName)
+ tableARN := h.generateTableARN(metadata.OwnerAccountID, bucketName, namespace+"/"+tableName)
 resp := &GetTableResponse{
 Name: metadata.Name,
@@ -508,7 +508,7 @@ func (h *S3TablesHandler) listTablesWithClient(r *http.Request, client filer_pb.
 continue
 }
- tableARN := h.generateTableARN(r, bucketName, namespaceName+"/"+entry.Entry.Name)
+ tableARN := h.generateTableARN(metadata.OwnerAccountID, bucketName, namespaceName+"/"+entry.Entry.Name)
 tables = append(tables, TableSummary{
 Name: entry.Entry.Name,
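Review bot: In the @@ -174 hunk of handleListTableBuckets the ARN now reads `metadata.OwnerAccountID` inside the per-entry append, but the hunk does not show where `metadata` is bound; if it is assigned once outside the loop instead of loaded for each entry, every listed bucket would carry the same owner account in its ARN. The same question applies to the @@ -508 hunk in listTablesWithClient, which also reads `metadata.OwnerAccountID` per entry. Worth confirming both are loop-scoped, and a short comment such as `// metadata is loaded per entry; the ARN must reflect that entry's owner` at the assignment would make the dependency explicit. Both enclosing functions start outside their hunks.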
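Review bot: In the @@ -198 hunk of handleCreateTable the table ARN is built from `metadata.OwnerAccountID`, but the hunk does not show whether `metadata` is the parent bucket's metadata or the newly constructed table metadata; if it is the latter and its owner is filled from the caller, a principal creating a table in a bucket owned by another account would get a table ARN whose account component differs from the bucket ARN's, which is the inconsistency the commit sets out to remove. The same check applies to the @@ -312 hunk in handleGetTable, where `metadata` appears to be the table record (it supplies `Name:` a few lines down). If table and bucket owners can diverge, the bucket's OwnerAccountID is the value to pass to generateTableARN in both places, mirroring handleCreateTableBucket. Both functions start outside their hunks.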