s3api: Allow anonymous access to SOSAPI virtual objects

Enable discovery of SOSAPI capabilities without requiring credentials.

- Modify AuthWithPublicRead to bypass auth for SOSAPI objects if bucket exists
- Supports Veeam's initial discovery phase before full IAM setup
- Validates bucket existence to prevent information disclosure

weed/s3api/s3api_bucket_handlers.go

@@ -624,6 +624,17 @@ func (s3a *S3ApiServer) AuthWithPublicRead(handler http.HandlerFunc, action Acti
 
 		glog.V(4).Infof("AuthWithPublicRead: bucket=%s, object=%s, authType=%v, isAnonymous=%v", bucket, object, authType, isAnonymous)
 
+		// Allow anonymous access for SOSAPI virtual objects (discovery)
+		if isSOSAPIObject(object) {
+			// Ensure the bucket exists anyway
+			_, errCode := s3a.getBucketConfig(bucket)
+			if errCode == s3err.ErrNone {
+				glog.V(3).Infof("AuthWithPublicRead: allowing anonymous access to SOSAPI object %s in bucket %s", object, bucket)
+				handler(w, r)
+				return
+			}
+		}
+
 		// For anonymous requests, check if bucket allows public read via ACLs or bucket policies
 		if isAnonymous {
 			// First check ACL-based public access