gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

s3tables: enforce strict resource ownership and implement result filtering for namespaces

Browse Source
This commit is contained in:
Chris Lu
2026-01-28 13:59:24 -08:00
parent 9d54f4d160
commit 43aebc10da
1 changed files with 20 additions and 19 deletions
Download Patch File Download Diff File Expand all files Collapse all files

39
weed/s3api/s3tables/handler_namespace.go
View File

@@ -65,11 +65,10 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
return err return err
} }
// Check permission // Check ownership
principal := h.getPrincipalFromRequest(r) if accountID := h.getAccountID(r); accountID != bucketMetadata.OwnerAccountID {
if !CanCreateNamespace(principal, bucketMetadata.OwnerAccountID) { h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace in this bucket")
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace") return fmt.Errorf("access denied")
return NewAuthError("CreateNamespace", principal, "not authorized to create namespace")
} }
namespacePath := getNamespacePath(bucketName, namespaceName) namespacePath := getNamespacePath(bucketName, namespaceName)
@@ -176,11 +175,10 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
return err return err
} }
// Check permission // Check ownership
principal := h.getPrincipalFromRequest(r) if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
if !CanGetNamespace(principal, metadata.OwnerAccountID) { h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get namespace details") return fmt.Errorf("access denied")
return NewAuthError("GetNamespace", principal, "not authorized to get namespace details")
} }
resp := &GetNamespaceResponse{ resp := &GetNamespaceResponse{
@@ -241,10 +239,10 @@ func (h *S3TablesHandler) handleListNamespaces(w http.ResponseWriter, r *http.Re
return err return err
} }
principal := h.getPrincipalFromRequest(r) accountID := h.getAccountID(r)
if !CanListNamespaces(principal, bucketMetadata.OwnerAccountID) { if accountID != bucketMetadata.OwnerAccountID {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to list namespaces") h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName))
return NewAuthError("ListNamespaces", principal, "not authorized to list namespaces") return fmt.Errorf("access denied")
} }
var namespaces []NamespaceSummary var namespaces []NamespaceSummary
@@ -308,6 +306,10 @@ func (h *S3TablesHandler) handleListNamespaces(w http.ResponseWriter, r *http.Re
continue continue
} }
if metadata.OwnerAccountID != accountID {
continue
}
namespaces = append(namespaces, NamespaceSummary{ namespaces = append(namespaces, NamespaceSummary{
Namespace: metadata.Namespace, Namespace: metadata.Namespace,
CreatedAt: metadata.CreatedAt, CreatedAt: metadata.CreatedAt,
@@ -398,11 +400,10 @@ func (h *S3TablesHandler) handleDeleteNamespace(w http.ResponseWriter, r *http.R
return err return err
} }
// Check permission // Check ownership
principal := h.getPrincipalFromRequest(r) if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
if !CanDeleteNamespace(principal, metadata.OwnerAccountID) { h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to delete namespace") return fmt.Errorf("access denied")
return NewAuthError("DeleteNamespace", principal, "not authorized to delete namespace")
} }
// Check if namespace is empty // Check if namespace is empty