ownerAccountID
@@ -76,9 +76,9 @@ func (h *S3TablesHandler) handleCreateTableBucket(w http.ResponseWriter, r *http
|
||||
// Create the bucket directory and set metadata as extended attributes
|
||||
now := time.Now()
|
||||
metadata := &tableBucketMetadata{
|
||||
Name: req.Name,
|
||||
CreatedAt: now,
|
||||
OwnerID: h.getAccountID(r),
|
||||
Name: req.Name,
|
||||
CreatedAt: now,
|
||||
OwnerAccountID: h.getAccountID(r),
|
||||
}
|
||||
|
||||
metadataBytes, err := json.Marshal(metadata)
|
||||
|
||||
@@ -57,7 +57,7 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
|
||||
|
||||
// Check permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanGetTableBucket(principal, metadata.OwnerID) {
|
||||
if !CanGetTableBucket(principal, metadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details")
|
||||
return NewAuthError("GetTableBucket", principal, "not authorized to get table bucket details")
|
||||
}
|
||||
@@ -65,7 +65,7 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
|
||||
resp := &GetTableBucketResponse{
|
||||
ARN: h.generateTableBucketARN(r, bucketName),
|
||||
Name: metadata.Name,
|
||||
OwnerAccountID: metadata.OwnerID,
|
||||
OwnerAccountID: metadata.OwnerAccountID,
|
||||
CreatedAt: metadata.CreatedAt,
|
||||
}
|
||||
|
||||
@@ -245,7 +245,7 @@ func (h *S3TablesHandler) handleDeleteTableBucket(w http.ResponseWriter, r *http
|
||||
|
||||
// Check permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanDeleteTableBucket(principal, metadata.OwnerID) {
|
||||
if !CanDeleteTableBucket(principal, metadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table bucket")
|
||||
return NewAuthError("DeleteTableBucket", principal, "not authorized to delete table bucket")
|
||||
}
|
||||
|
||||
@@ -67,7 +67,7 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
|
||||
|
||||
// Check permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanCreateNamespace(principal, bucketMetadata.OwnerID) {
|
||||
if !CanCreateNamespace(principal, bucketMetadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace")
|
||||
return NewAuthError("CreateNamespace", principal, "not authorized to create namespace")
|
||||
}
|
||||
@@ -91,9 +91,9 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
|
||||
// Create the namespace
|
||||
now := time.Now()
|
||||
metadata := &namespaceMetadata{
|
||||
Namespace: req.Namespace,
|
||||
CreatedAt: now,
|
||||
OwnerID: h.getAccountID(r),
|
||||
Namespace: req.Namespace,
|
||||
CreatedAt: now,
|
||||
OwnerAccountID: h.getAccountID(r),
|
||||
}
|
||||
|
||||
metadataBytes, err := json.Marshal(metadata)
|
||||
@@ -178,7 +178,7 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
|
||||
|
||||
// Check permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanGetNamespace(principal, metadata.OwnerID) {
|
||||
if !CanGetNamespace(principal, metadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get namespace details")
|
||||
return NewAuthError("GetNamespace", principal, "not authorized to get namespace details")
|
||||
}
|
||||
@@ -186,7 +186,7 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
|
||||
resp := &GetNamespaceResponse{
|
||||
Namespace: metadata.Namespace,
|
||||
CreatedAt: metadata.CreatedAt,
|
||||
OwnerAccountID: metadata.OwnerID,
|
||||
OwnerAccountID: metadata.OwnerAccountID,
|
||||
}
|
||||
|
||||
h.writeJSON(w, http.StatusOK, resp)
|
||||
@@ -242,7 +242,7 @@ func (h *S3TablesHandler) handleListNamespaces(w http.ResponseWriter, r *http.Re
|
||||
}
|
||||
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanListNamespaces(principal, bucketMetadata.OwnerID) {
|
||||
if !CanListNamespaces(principal, bucketMetadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to list namespaces")
|
||||
return NewAuthError("ListNamespaces", principal, "not authorized to list namespaces")
|
||||
}
|
||||
@@ -400,7 +400,7 @@ func (h *S3TablesHandler) handleDeleteNamespace(w http.ResponseWriter, r *http.R
|
||||
|
||||
// Check permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanDeleteNamespace(principal, metadata.OwnerID) {
|
||||
if !CanDeleteNamespace(principal, metadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete namespace")
|
||||
return NewAuthError("DeleteNamespace", principal, "not authorized to delete namespace")
|
||||
}
|
||||
|
||||
@@ -59,7 +59,7 @@ func (h *S3TablesHandler) handlePutTableBucketPolicy(w http.ResponseWriter, r *h
|
||||
|
||||
// Check permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanPutTableBucketPolicy(principal, bucketMetadata.OwnerID) {
|
||||
if !CanPutTableBucketPolicy(principal, bucketMetadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to put table bucket policy")
|
||||
return NewAuthError("PutTableBucketPolicy", principal, "not authorized to put table bucket policy")
|
||||
}
|
||||
@@ -132,7 +132,7 @@ func (h *S3TablesHandler) handleGetTableBucketPolicy(w http.ResponseWriter, r *h
|
||||
|
||||
// Check permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanGetTableBucketPolicy(principal, bucketMetadata.OwnerID) {
|
||||
if !CanGetTableBucketPolicy(principal, bucketMetadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket policy")
|
||||
return NewAuthError("GetTableBucketPolicy", principal, "not authorized to get table bucket policy")
|
||||
}
|
||||
@@ -190,7 +190,7 @@ func (h *S3TablesHandler) handleDeleteTableBucketPolicy(w http.ResponseWriter, r
|
||||
|
||||
// Check permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanDeleteTableBucketPolicy(principal, bucketMetadata.OwnerID) {
|
||||
if !CanDeleteTableBucketPolicy(principal, bucketMetadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table bucket policy")
|
||||
return NewAuthError("DeleteTableBucketPolicy", principal, "not authorized to delete table bucket policy")
|
||||
}
|
||||
@@ -270,7 +270,7 @@ func (h *S3TablesHandler) handlePutTablePolicy(w http.ResponseWriter, r *http.Re
|
||||
|
||||
// Check permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanPutTablePolicy(principal, metadata.OwnerID) {
|
||||
if !CanPutTablePolicy(principal, metadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to put table policy")
|
||||
return NewAuthError("PutTablePolicy", principal, "not authorized to put table policy")
|
||||
}
|
||||
@@ -354,7 +354,7 @@ func (h *S3TablesHandler) handleGetTablePolicy(w http.ResponseWriter, r *http.Re
|
||||
|
||||
// Check permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanGetTablePolicy(principal, metadata.OwnerID) {
|
||||
if !CanGetTablePolicy(principal, metadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table policy")
|
||||
return NewAuthError("GetTablePolicy", principal, "not authorized to get table policy")
|
||||
}
|
||||
@@ -423,7 +423,7 @@ func (h *S3TablesHandler) handleDeleteTablePolicy(w http.ResponseWriter, r *http
|
||||
|
||||
// Check permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanDeleteTablePolicy(principal, metadata.OwnerID) {
|
||||
if !CanDeleteTablePolicy(principal, metadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table policy")
|
||||
return NewAuthError("DeleteTablePolicy", principal, "not authorized to delete table policy")
|
||||
}
|
||||
@@ -475,24 +475,24 @@ func (h *S3TablesHandler) handleTagResource(w http.ResponseWriter, r *http.Reque
|
||||
return err
|
||||
}
|
||||
|
||||
var ownerID string
|
||||
var ownerAccountID string
|
||||
if rType == ResourceTypeTable {
|
||||
var meta tableMetadataInternal
|
||||
if err := json.Unmarshal(data, &meta); err != nil {
|
||||
return err
|
||||
}
|
||||
ownerID = meta.OwnerID
|
||||
ownerAccountID = meta.OwnerAccountID
|
||||
} else {
|
||||
var meta tableBucketMetadata
|
||||
if err := json.Unmarshal(data, &meta); err != nil {
|
||||
return err
|
||||
}
|
||||
ownerID = meta.OwnerID
|
||||
ownerAccountID = meta.OwnerAccountID
|
||||
}
|
||||
|
||||
// Check Permission inside the closure because we just got the ID
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanManageTags(principal, ownerID) {
|
||||
if !CanManageTags(principal, ownerAccountID) {
|
||||
return NewAuthError("TagResource", principal, "not authorized to tag resource")
|
||||
}
|
||||
|
||||
@@ -574,24 +574,24 @@ func (h *S3TablesHandler) handleListTagsForResource(w http.ResponseWriter, r *ht
|
||||
return err
|
||||
}
|
||||
|
||||
var ownerID string
|
||||
var ownerAccountID string
|
||||
if rType == ResourceTypeTable {
|
||||
var meta tableMetadataInternal
|
||||
if err := json.Unmarshal(data, &meta); err != nil {
|
||||
return err
|
||||
}
|
||||
ownerID = meta.OwnerID
|
||||
ownerAccountID = meta.OwnerAccountID
|
||||
} else {
|
||||
var meta tableBucketMetadata
|
||||
if err := json.Unmarshal(data, &meta); err != nil {
|
||||
return err
|
||||
}
|
||||
ownerID = meta.OwnerID
|
||||
ownerAccountID = meta.OwnerAccountID
|
||||
}
|
||||
|
||||
// Check Permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CheckPermission("ListTagsForResource", principal, ownerID) {
|
||||
if !CheckPermission("ListTagsForResource", principal, ownerAccountID) {
|
||||
return NewAuthError("ListTagsForResource", principal, "not authorized to list tags for resource")
|
||||
}
|
||||
|
||||
@@ -661,24 +661,24 @@ func (h *S3TablesHandler) handleUntagResource(w http.ResponseWriter, r *http.Req
|
||||
return err
|
||||
}
|
||||
|
||||
var ownerID string
|
||||
var ownerAccountID string
|
||||
if rType == ResourceTypeTable {
|
||||
var meta tableMetadataInternal
|
||||
if err := json.Unmarshal(data, &meta); err != nil {
|
||||
return err
|
||||
}
|
||||
ownerID = meta.OwnerID
|
||||
ownerAccountID = meta.OwnerAccountID
|
||||
} else {
|
||||
var meta tableBucketMetadata
|
||||
if err := json.Unmarshal(data, &meta); err != nil {
|
||||
return err
|
||||
}
|
||||
ownerID = meta.OwnerID
|
||||
ownerAccountID = meta.OwnerAccountID
|
||||
}
|
||||
|
||||
// Check Permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanManageTags(principal, ownerID) {
|
||||
if !CanManageTags(principal, ownerAccountID) {
|
||||
return NewAuthError("UntagResource", principal, "not authorized to untag resource")
|
||||
}
|
||||
|
||||
|
||||
@@ -87,7 +87,7 @@ func (h *S3TablesHandler) handleCreateTable(w http.ResponseWriter, r *http.Reque
|
||||
|
||||
// Check permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanCreateTable(principal, namespaceMetadata.OwnerID) {
|
||||
if !CanCreateTable(principal, namespaceMetadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table")
|
||||
return NewAuthError("CreateTable", principal, "not authorized to create table")
|
||||
}
|
||||
@@ -113,14 +113,14 @@ func (h *S3TablesHandler) handleCreateTable(w http.ResponseWriter, r *http.Reque
|
||||
versionToken := generateVersionToken()
|
||||
|
||||
metadata := &tableMetadataInternal{
|
||||
Name: tableName,
|
||||
Namespace: namespaceName,
|
||||
Format: req.Format,
|
||||
CreatedAt: now,
|
||||
ModifiedAt: now,
|
||||
OwnerID: h.getAccountID(r),
|
||||
VersionToken: versionToken,
|
||||
Schema: req.Metadata,
|
||||
Name: tableName,
|
||||
Namespace: namespaceName,
|
||||
Format: req.Format,
|
||||
CreatedAt: now,
|
||||
ModifiedAt: now,
|
||||
OwnerAccountID: h.getAccountID(r),
|
||||
VersionToken: versionToken,
|
||||
Schema: req.Metadata,
|
||||
}
|
||||
|
||||
metadataBytes, err := json.Marshal(metadata)
|
||||
@@ -241,7 +241,7 @@ func (h *S3TablesHandler) handleGetTable(w http.ResponseWriter, r *http.Request,
|
||||
|
||||
// Check permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanGetTable(principal, metadata.OwnerID) {
|
||||
if !CanGetTable(principal, metadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table")
|
||||
return NewAuthError("GetTable", principal, "not authorized to get table")
|
||||
}
|
||||
@@ -255,7 +255,7 @@ func (h *S3TablesHandler) handleGetTable(w http.ResponseWriter, r *http.Request,
|
||||
Format: metadata.Format,
|
||||
CreatedAt: metadata.CreatedAt,
|
||||
ModifiedAt: metadata.ModifiedAt,
|
||||
OwnerAccountID: metadata.OwnerID,
|
||||
OwnerAccountID: metadata.OwnerAccountID,
|
||||
MetadataLocation: metadata.MetadataLocation,
|
||||
VersionToken: metadata.VersionToken,
|
||||
}
|
||||
@@ -311,7 +311,7 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
|
||||
return err
|
||||
}
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanListTables(principal, nsMeta.OwnerID) {
|
||||
if !CanListTables(principal, nsMeta.OwnerAccountID) {
|
||||
return NewAuthError("ListTables", principal, "not authorized to list tables")
|
||||
}
|
||||
|
||||
@@ -328,7 +328,7 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
|
||||
return err
|
||||
}
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanListTables(principal, bucketMeta.OwnerID) {
|
||||
if !CanListTables(principal, bucketMeta.OwnerAccountID) {
|
||||
return NewAuthError("ListTables", principal, "not authorized to list tables")
|
||||
}
|
||||
|
||||
@@ -603,7 +603,7 @@ func (h *S3TablesHandler) handleDeleteTable(w http.ResponseWriter, r *http.Reque
|
||||
|
||||
// Check permission
|
||||
principal := h.getPrincipalFromRequest(r)
|
||||
if !CanDeleteTable(principal, metadata.OwnerID) {
|
||||
if !CanDeleteTable(principal, metadata.OwnerAccountID) {
|
||||
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete table")
|
||||
return NewAuthError("DeleteTable", principal, "not authorized to delete table")
|
||||
}
|
||||
|
||||
@@ -5,10 +5,10 @@ import "time"
|
||||
// Table bucket types
|
||||
|
||||
type TableBucket struct {
|
||||
ARN string `json:"arn"`
|
||||
Name string `json:"name"`
|
||||
OwnerID string `json:"ownerAccountId"`
|
||||
CreatedAt time.Time `json:"createdAt"`
|
||||
ARN string `json:"arn"`
|
||||
Name string `json:"name"`
|
||||
OwnerAccountID string `json:"ownerAccountId"`
|
||||
CreatedAt time.Time `json:"createdAt"`
|
||||
}
|
||||
|
||||
type CreateTableBucketRequest struct {
|
||||
|
||||
@@ -71,18 +71,17 @@ func getTablePath(bucketName, namespace, tableName string) string {
|
||||
|
||||
// Metadata structures
|
||||
|
||||
// tableBucketMetadata stores metadata for a table bucket
|
||||
type tableBucketMetadata struct {
|
||||
Name string `json:"name"`
|
||||
CreatedAt time.Time `json:"createdAt"`
|
||||
OwnerID string `json:"ownerAccountId"`
|
||||
Name string `json:"name"`
|
||||
CreatedAt time.Time `json:"createdAt"`
|
||||
OwnerAccountID string `json:"ownerAccountId"`
|
||||
}
|
||||
|
||||
// namespaceMetadata stores metadata for a namespace
|
||||
type namespaceMetadata struct {
|
||||
Namespace []string `json:"namespace"`
|
||||
CreatedAt time.Time `json:"createdAt"`
|
||||
OwnerID string `json:"ownerAccountId"`
|
||||
Namespace []string `json:"namespace"`
|
||||
CreatedAt time.Time `json:"createdAt"`
|
||||
OwnerAccountID string `json:"ownerAccountId"`
|
||||
}
|
||||
|
||||
// tableMetadataInternal stores metadata for a table
|
||||
@@ -92,7 +91,7 @@ type tableMetadataInternal struct {
|
||||
Format string `json:"format"`
|
||||
CreatedAt time.Time `json:"createdAt"`
|
||||
ModifiedAt time.Time `json:"modifiedAt"`
|
||||
OwnerID string `json:"ownerAccountId"`
|
||||
OwnerAccountID string `json:"ownerAccountId"`
|
||||
VersionToken string `json:"versionToken"`
|
||||
MetadataLocation string `json:"metadataLocation,omitempty"`
|
||||
Schema *TableMetadata `json:"metadata,omitempty"`
|
||||
|
||||