gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

s3tables: standardize access denied errors using ErrAccessDenied constant

Browse Source
This commit is contained in:
Chris Lu
2026-01-28 14:33:01 -08:00
parent d98e104dc5
commit 4d4af0589b
4 changed files with 12 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
weed/s3api/s3tables/handler.go
View File

@@ -26,6 +26,7 @@ const (
var ( var (
ErrVersionTokenMismatch = errors.New("version token mismatch") ErrVersionTokenMismatch = errors.New("version token mismatch")
ErrAccessDenied = errors.New("access denied")
) )
type ResourceType string type ResourceType string
@@ -229,5 +230,5 @@ func (h *S3TablesHandler) generateTableARN(r *http.Request, bucketName, tableID
func isAuthError(err error) bool { func isAuthError(err error) bool {
var authErr *AuthError var authErr *AuthError
return errors.As(err, &authErr) return errors.As(err, &authErr) || errors.Is(err, ErrAccessDenied)
} }

2
weed/s3api/s3tables/handler_bucket_get_list_delete.go
View File

@@ -58,7 +58,7 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
// Check ownership // Check ownership
if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID { if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to get table bucket details")
return fmt.Errorf("access denied") return ErrAccessDenied
} }
resp := &GetTableBucketResponse{ resp := &GetTableBucketResponse{

8
weed/s3api/s3tables/handler_namespace.go
View File

@@ -68,7 +68,7 @@ func (h *S3TablesHandler) handleCreateNamespace(w http.ResponseWriter, r *http.R
// Check ownership // Check ownership
if accountID := h.getAccountID(r); accountID != bucketMetadata.OwnerAccountID { if accountID := h.getAccountID(r); accountID != bucketMetadata.OwnerAccountID {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace in this bucket") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create namespace in this bucket")
return fmt.Errorf("access denied") return ErrAccessDenied
} }
namespacePath := getNamespacePath(bucketName, namespaceName) namespacePath := getNamespacePath(bucketName, namespaceName)
@@ -178,7 +178,7 @@ func (h *S3TablesHandler) handleGetNamespace(w http.ResponseWriter, r *http.Requ
// Check ownership // Check ownership
if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID { if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found") h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
return fmt.Errorf("access denied") return ErrAccessDenied
} }
resp := &GetNamespaceResponse{ resp := &GetNamespaceResponse{
@@ -242,7 +242,7 @@ func (h *S3TablesHandler) handleListNamespaces(w http.ResponseWriter, r *http.Re
accountID := h.getAccountID(r) accountID := h.getAccountID(r)
if accountID != bucketMetadata.OwnerAccountID { if accountID != bucketMetadata.OwnerAccountID {
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName)) h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, fmt.Sprintf("table bucket %s not found", bucketName))
return fmt.Errorf("access denied") return ErrAccessDenied
} }
var namespaces []NamespaceSummary var namespaces []NamespaceSummary
@@ -403,7 +403,7 @@ func (h *S3TablesHandler) handleDeleteNamespace(w http.ResponseWriter, r *http.R
// Check ownership // Check ownership
if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID { if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found") h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
return fmt.Errorf("access denied") return ErrAccessDenied
} }
// Check if namespace is empty // Check if namespace is empty

10
weed/s3api/s3tables/handler_table.go
View File

@@ -88,7 +88,7 @@ func (h *S3TablesHandler) handleCreateTable(w http.ResponseWriter, r *http.Reque
// Check ownership // Check ownership
if accountID := h.getAccountID(r); accountID != namespaceMetadata.OwnerAccountID { if accountID := h.getAccountID(r); accountID != namespaceMetadata.OwnerAccountID {
h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table in this namespace") h.writeError(w, http.StatusForbidden, ErrCodeAccessDenied, "not authorized to create table in this namespace")
return fmt.Errorf("access denied") return ErrAccessDenied
} }
tablePath := getTablePath(bucketName, namespaceName, tableName) tablePath := getTablePath(bucketName, namespaceName, tableName)
@@ -241,7 +241,7 @@ func (h *S3TablesHandler) handleGetTable(w http.ResponseWriter, r *http.Request,
// Check ownership // Check ownership
if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID { if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchTable, fmt.Sprintf("table %s not found", tableName)) h.writeError(w, http.StatusNotFound, ErrCodeNoSuchTable, fmt.Sprintf("table %s not found", tableName))
return fmt.Errorf("access denied") return ErrAccessDenied
} }
tableARN := h.generateTableARN(r, bucketName, namespace+"/"+tableName) tableARN := h.generateTableARN(r, bucketName, namespace+"/"+tableName)
@@ -310,7 +310,7 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
} }
if accountID := h.getAccountID(r); accountID != nsMeta.OwnerAccountID { if accountID := h.getAccountID(r); accountID != nsMeta.OwnerAccountID {
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found") h.writeError(w, http.StatusNotFound, ErrCodeNoSuchNamespace, "namespace not found")
return fmt.Errorf("access denied") return ErrAccessDenied
} }
tables, paginationToken, err = h.listTablesInNamespaceWithClient(r, client, bucketName, namespaceName, req.Prefix, req.ContinuationToken, maxTables) tables, paginationToken, err = h.listTablesInNamespaceWithClient(r, client, bucketName, namespaceName, req.Prefix, req.ContinuationToken, maxTables)
@@ -327,7 +327,7 @@ func (h *S3TablesHandler) handleListTables(w http.ResponseWriter, r *http.Reques
} }
if accountID := h.getAccountID(r); accountID != bucketMeta.OwnerAccountID { if accountID := h.getAccountID(r); accountID != bucketMeta.OwnerAccountID {
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, "bucket not found") h.writeError(w, http.StatusNotFound, ErrCodeNoSuchBucket, "bucket not found")
return fmt.Errorf("access denied") return ErrAccessDenied
} }
tables, paginationToken, err = h.listTablesInAllNamespaces(r, client, bucketName, req.Prefix, req.ContinuationToken, maxTables) tables, paginationToken, err = h.listTablesInAllNamespaces(r, client, bucketName, req.Prefix, req.ContinuationToken, maxTables)
@@ -611,7 +611,7 @@ func (h *S3TablesHandler) handleDeleteTable(w http.ResponseWriter, r *http.Reque
// Check ownership // Check ownership
if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID { if accountID := h.getAccountID(r); accountID != metadata.OwnerAccountID {
h.writeError(w, http.StatusNotFound, ErrCodeNoSuchTable, fmt.Sprintf("table %s not found", tableName)) h.writeError(w, http.StatusNotFound, ErrCodeNoSuchTable, fmt.Sprintf("table %s not found", tableName))
return fmt.Errorf("access denied") return ErrAccessDenied
} }
// Delete the table // Delete the table