Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

s3tables: Generate ARNs using resource owner account ID 

Change ARN generation to use resource OwnerAccountID instead of caller
identity (h.getAccountID(r)). This ensures ARNs are stable and consistent
regardless of which principal accesses the resource.

Updated generateTableBucketARN and generateTableARN function signatures
to accept ownerAccountID parameter. All call sites updated to pass the
resource owner's account ID from metadata.

This prevents ARN inconsistency issues when multiple principals have
access to the same resource via policies.
pull/8147/head
Chris Lu 4 days ago
parent
e7b2869aa9
commit
b7bba7e7dc
4 changed files with 10 additions and 10 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Unified View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 8
      weed/s3api/s3tables/handler.go
  2. 2
      weed/s3api/s3tables/handler_bucket_create.go
  3. 4
      weed/s3api/s3tables/handler_bucket_get_list_delete.go
  4. 6
      weed/s3api/s3tables/handler_table.go

8
weed/s3api/s3tables/handler.go
View File

@ -224,12 +224,12 @@ func (h *S3TablesHandler) writeError(w http.ResponseWriter, status int, code, me
// ARN generation helpers // ARN generation helpers
func (h *S3TablesHandler) generateTableBucketARN(r *http.Request, bucketName string) string {
return fmt.Sprintf("arn:aws:s3tables:%s:%s:bucket/%s", h.region, h.getAccountID(r), bucketName)
func (h *S3TablesHandler) generateTableBucketARN(ownerAccountID, bucketName string) string {
return fmt.Sprintf("arn:aws:s3tables:%s:%s:bucket/%s", h.region, ownerAccountID, bucketName)
} }
func (h *S3TablesHandler) generateTableARN(r *http.Request, bucketName, tableID string) string {
return fmt.Sprintf("arn:aws:s3tables:%s:%s:bucket/%s/table/%s", h.region, h.getAccountID(r), bucketName, tableID)
func (h *S3TablesHandler) generateTableARN(ownerAccountID, bucketName, tableID string) string {
return fmt.Sprintf("arn:aws:s3tables:%s:%s:bucket/%s/table/%s", h.region, ownerAccountID, bucketName, tableID)
} }
func isAuthError(err error) bool { func isAuthError(err error) bool {

2
weed/s3api/s3tables/handler_bucket_create.go
View File

@ -127,7 +127,7 @@ func (h *S3TablesHandler) handleCreateTableBucket(w http.ResponseWriter, r *http
} }
resp := &CreateTableBucketResponse{ resp := &CreateTableBucketResponse{
ARN: h.generateTableBucketARN(r, req.Name),
ARN: h.generateTableBucketARN(metadata.OwnerAccountID, req.Name),
} }
h.writeJSON(w, http.StatusOK, resp) h.writeJSON(w, http.StatusOK, resp)

4
weed/s3api/s3tables/handler_bucket_get_list_delete.go
View File

@ -71,7 +71,7 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
} }
resp := &GetTableBucketResponse{ resp := &GetTableBucketResponse{
ARN: h.generateTableBucketARN(r, bucketName),
ARN: h.generateTableBucketARN(metadata.OwnerAccountID, bucketName),
Name: metadata.Name, Name: metadata.Name,
OwnerAccountID: metadata.OwnerAccountID, OwnerAccountID: metadata.OwnerAccountID,
CreatedAt: metadata.CreatedAt, CreatedAt: metadata.CreatedAt,
@ -174,7 +174,7 @@ func (h *S3TablesHandler) handleListTableBuckets(w http.ResponseWriter, r *http.
} }
buckets = append(buckets, TableBucketSummary{ buckets = append(buckets, TableBucketSummary{
ARN: h.generateTableBucketARN(r, entry.Entry.Name),
ARN: h.generateTableBucketARN(metadata.OwnerAccountID, entry.Entry.Name),
Name: entry.Entry.Name, Name: entry.Entry.Name,
CreatedAt: metadata.CreatedAt, CreatedAt: metadata.CreatedAt,
}) })

6
weed/s3api/s3tables/handler_table.go
View File

@ -198,7 +198,7 @@ func (h *S3TablesHandler) handleCreateTable(w http.ResponseWriter, r *http.Reque
return err return err
} }
tableARN := h.generateTableARN(r, bucketName, namespaceName+"/"+tableName)
tableARN := h.generateTableARN(metadata.OwnerAccountID, bucketName, namespaceName+"/"+tableName)
resp := &CreateTableResponse{ resp := &CreateTableResponse{
TableARN: tableARN, TableARN: tableARN,
@ -312,7 +312,7 @@ func (h *S3TablesHandler) handleGetTable(w http.ResponseWriter, r *http.Request,
return ErrAccessDenied return ErrAccessDenied
} }
tableARN := h.generateTableARN(r, bucketName, namespace+"/"+tableName)
tableARN := h.generateTableARN(metadata.OwnerAccountID, bucketName, namespace+"/"+tableName)
resp := &GetTableResponse{ resp := &GetTableResponse{
Name: metadata.Name, Name: metadata.Name,
@ -508,7 +508,7 @@ func (h *S3TablesHandler) listTablesWithClient(r *http.Request, client filer_pb.
continue continue
} }
tableARN := h.generateTableARN(r, bucketName, namespaceName+"/"+entry.Entry.Name)
tableARN := h.generateTableARN(metadata.OwnerAccountID, bucketName, namespaceName+"/"+entry.Entry.Name)
tables = append(tables, TableSummary{ tables = append(tables, TableSummary{
Name: entry.Entry.Name, Name: entry.Entry.Name,

Write Preview
Loading…
Cancel
Save