S3: Enforce bucket policy (#7471)

* evaluate policies during authorization * cache bucket policy * refactor * matching with regex special characters * Case Sensitivity, pattern cache, Dead Code Removal * Fixed Typo, Restored []string Case, Added Cache Size Limit * hook up with policy engine * remove old implementation * action mapping * validate * if not specified, fall through to IAM checks * fmt * Fail-close on policy evaluation errors * Explicit `Allow` bypasses IAM checks * fix error message * arn:seaweed => arn:aws * remove legacy support * fix tests * Clean up bucket policy after this test * fix for tests * address comments * security fixes * fix tests * temp comment out
2025-11-12 22:14:50 -08:00
parent 50f067bcfd
commit 508d06d9a5
47 changed files with 1104 additions and 749 deletions
--- a/test/s3/iam/README-Docker.md
+++ b/test/s3/iam/README-Docker.md
@@ -170,7 +170,7 @@ The `setup_keycloak_docker.sh` script automatically generates `iam_config.json`
 {
  "claim": "roles",
  "value": "s3-admin", 
-  "role": "arn:seaweed:iam::role/KeycloakAdminRole"
+  "role": "arn:aws:iam::role/KeycloakAdminRole"
 }
 ```