gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

s3tables: update namespace handlers for multi-account support

Browse Source 
Updated namespace creation to use authenticated account ID for ownership
and unified permission checks across all namespace operations to use the
correct account principal.
This commit is contained in:
Chris Lu
2026-01-28 13:25:27 -08:00
parent 922b0c3171
commit 12c1190a5c
1 changed files with 9 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
weed/s3api/s3tables/handler_namespace.go
View File

@@ -22,7 +22,8 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
// Check permission // Check permission
principal := h.getPrincipalFromRequest(r) principal := h.getPrincipalFromRequest(r)
if !CanCreateNamespace(principal, h.accountID) { accountID := h.getAccountID(r)
if !CanCreateNamespace(principal, accountID) {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace")
return NewAuthError("CreateNamespace", principal, "not authorized to create namespace") return NewAuthError("CreateNamespace", principal, "not authorized to create namespace")
} }
@@ -86,7 +87,7 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
metadata := &namespaceMetadata{ metadata := &namespaceMetadata{
Namespace: req.Namespace, Namespace: req.Namespace,
CreatedAt: now, CreatedAt: now,
OwnerID: h.accountID, OwnerID: h.getAccountID(r),
} }
metadataBytes, err := json.Marshal(metadata) metadataBytes, err := json.Marshal(metadata)
@@ -133,7 +134,8 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
// Check permission // Check permission
principal := h.getPrincipalFromRequest(r) principal := h.getPrincipalFromRequest(r)
if !CanGetNamespace(principal, h.accountID) { accountID := h.getAccountID(r)
if !CanGetNamespace(principal, accountID) {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get namespace details") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get namespace details")
return NewAuthError("GetNamespace", principal, "not authorized to get namespace details") return NewAuthError("GetNamespace", principal, "not authorized to get namespace details")
} }
@@ -196,7 +198,8 @@ func (h *S3TablesHandler) handleListNamespaces(w http.ResponseWriter, r *http.Re
// Check permission // Check permission
principal := h.getPrincipalFromRequest(r) principal := h.getPrincipalFromRequest(r)
if !CanListNamespaces(principal, h.accountID) { accountID := h.getAccountID(r)
if !CanListNamespaces(principal, accountID) {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to list namespaces") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to list namespaces")
return NewAuthError("ListNamespaces", principal, "not authorized to list namespaces") return NewAuthError("ListNamespaces", principal, "not authorized to list namespaces")
} }
@@ -330,7 +333,8 @@ func (h *S3TablesHandler) handleDeleteNamespace(w http.ResponseWriter, r *http.R
// Check permission // Check permission
principal := h.getPrincipalFromRequest(r) principal := h.getPrincipalFromRequest(r)
if !CanDeleteNamespace(principal, h.accountID) { accountID := h.getAccountID(r)
if !CanDeleteNamespace(principal, accountID) {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete namespace") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete namespace")
return NewAuthError("DeleteNamespace", principal, "not authorized to delete namespace") return NewAuthError("DeleteNamespace", principal, "not authorized to delete namespace")
} }