s3tables: implement granular authorization and refine error responses

- Remove mandatory ACTION_ADMIN at the router level
- Enforce granular permissions in bucket and namespace handlers
- Prioritize AccountID in ExtractPrincipalFromContext for ARN matching
- Distinguish between 404 (NoSuchBucket) and 500 (InternalError) in metadata lookups
- Clean up unused imports in s3api_tables.go
Chris Lu
2026-01-28 11:31:38 -08:00
parent 580c2b4ad4
commit 04514071a7
4 changed files with 45 additions and 4 deletions


@@ -174,6 +174,9 @@ func ExtractPrincipalFromContext(contextID string) string {
// Try to parse as ARN first
if strings.HasPrefix(contextID, "arn:") {
info := utils.ParsePrincipalARN(contextID)
if info.AccountID != "" {
return info.AccountID
}
if info.RoleName != "" {
return info.RoleName
}
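Review bot: Returning `info.AccountID` ahead of `info.RoleName` in the `arn:` branch makes every role in the same account resolve to the same principal string, so the role-name check below is only reached for ARNs without an account field. If any caller uses this return value to tell principals apart (ownership checks, per-role policy matching, audit records), roles within one account become interchangeable; the callers are outside this hunk, so this needs checking against them. If account-level identity is the intent, state it at the new check, e.g. `// Account ID takes precedence: authorization is evaluated per account, so roles in one account share a principal.`, and bring the function's doc comment in line with it. A test that passes an ARN carrying both an account ID and a role name would pin the chosen precedence. The body of ExtractPrincipalFromContext continues outside the hunk.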