Mirror
/
seaweedfs
mirror of https://github.com/seaweedfs/seaweedfs.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity
Browse Source

s3tables: Normalize action names to include service prefix 

Add automatic normalization of operations to full IAM-style action names
(e.g., 's3tables:CreateTableBucket') in CheckPermission(). This ensures
policy statements using prefixed actions (s3tables:*) correctly match
operations evaluated by permission helpers.

Also fixes incorrect r.Context() passed to GetIdentityNameFromContext
which expects *http.Request. Now passes r directly.
pull/8147/head
Chris Lu 3 days ago
parent
ee468749bd
commit
cf5043a9f9
2 changed files with 11 additions and 3 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 2
      weed/s3api/s3tables/handler.go
  2. 12
      weed/s3api/s3tables/permissions.go

2
weed/s3api/s3tables/handler.go
View File

@ -161,7 +161,7 @@ func (h *S3TablesHandler) HandleRequest(w http.ResponseWriter, r *http.Request,
// This is also used as the principal for permission checks, ensuring alignment between
// the caller identity and ownership verification when IAM is enabled.
func (h *S3TablesHandler) getAccountID(r *http.Request) string {
if identityName := s3_constants.GetIdentityNameFromContext(r.Context()); identityName != "" {
if identityName := s3_constants.GetIdentityNameFromContext(r); identityName != "" {
return identityName
}
if accountID := r.Header.Get(s3_constants.AmzAccountId); accountID != "" {

12
weed/s3api/s3tables/permissions.go
View File

@ -2,6 +2,7 @@ package s3tables
import (
"encoding/json"
"strings"
"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
)
@ -39,6 +40,13 @@ func CheckPermission(operation, principal, owner, resourcePolicy string) bool {
return false
}
// Normalize operation to full IAM-style action name (e.g., "s3tables:CreateTableBucket")
// if not already prefixed
fullAction := operation
if !strings.Contains(operation, ":") {
fullAction = "s3tables:" + operation
}
// Parse and evaluate policy
var policy PolicyDocument
if err := json.Unmarshal([]byte(resourcePolicy), &policy); err != nil {
@ -55,8 +63,8 @@ func CheckPermission(operation, principal, owner, resourcePolicy string) bool {
continue
}
// Check if action matches
if !matchesAction(stmt.Action, operation) {
// Check if action matches (using normalized full action name)
if !matchesAction(stmt.Action, fullAction) {
continue
}

Write Preview
Loading…
Cancel
Save