s3: enforce authentication and JSON error format for Iceberg REST Catalog (#8192)

* s3: enforce authentication and JSON error format for Iceberg REST Catalog

* s3/iceberg: align error exception types with OpenAPI spec examples

* s3api: refactor AuthenticateRequest to return identity object

* s3/iceberg: propagate full identity object to request context

* s3/iceberg: differentiate NotAuthorizedException and ForbiddenException

* s3/iceberg: reject requests if authenticator is nil to prevent auth bypass

* s3/iceberg: refactor Auth middleware to build context incrementally and use switch for error mapping

* s3api: update misleading comment for authRequestWithAuthType

* s3api: return ErrAccessDenied if IAM is not configured to prevent auth bypass

* s3/iceberg: optimize context update in Auth middleware

* s3api: export CanDo for external authorization use

* s3/iceberg: enforce identity-based authorization in all API handlers

* s3api: fix compilation errors by updating internal CanDo references

* s3/iceberg: robust identity validation and consistent action usage in handlers

* s3api: complete CanDo rename across tests and policy engine integration

* s3api: fix integration tests by allowing admin access when auth is disabled and explicit gRPC ports

* duckdb

* create test bucket

weed/s3api/policy_engine/integration.go

@@ -14,7 +14,7 @@ type Action string
 
 // Identity represents a user identity - this should match the type in auth_credentials.go
 type Identity interface {
-	canDo(action Action, bucket string, objectKey string) bool
+	CanDo(action Action, bucket string, objectKey string) bool
 }
 
 // PolicyBackedIAM provides policy-based access control with fallback to legacy IAM
@@ -104,7 +104,7 @@ func (p *PolicyBackedIAM) evaluateLegacyAction(action, bucketName, objectName, p
 
 		// If we have an identity, check if it can perform the action
 		if identity != nil {
-			return identity.canDo(legacyAction, bucketName, objectName)
+			return identity.CanDo(legacyAction, bucketName, objectName)
 		}
 	}