S3: Enforce bucket policy (#7471)

* evaluate policies during authorization * cache bucket policy * refactor * matching with regex special characters * Case Sensitivity, pattern cache, Dead Code Removal * Fixed Typo, Restored []string Case, Added Cache Size Limit * hook up with policy engine * remove old implementation * action mapping * validate * if not specified, fall through to IAM checks * fmt * Fail-close on policy evaluation errors * Explicit `Allow` bypasses IAM checks * fix error message * arn:seaweed => arn:aws * remove legacy support * fix tests * Clean up bucket policy after this test * fix for tests * address comments * security fixes * fix tests * temp comment out
2025-11-12 22:14:50 -08:00
parent 50f067bcfd
commit 508d06d9a5
47 changed files with 1104 additions and 749 deletions
--- a/test/s3/iam/STS_DISTRIBUTED.md
+++ b/test/s3/iam/STS_DISTRIBUTED.md
@@ -248,7 +248,7 @@ services:
 3. User calls SeaweedFS STS AssumeRoleWithWebIdentity
   POST /sts/assume-role-with-web-identity
   {
-     "RoleArn": "arn:seaweed:iam::role/S3AdminRole",
+     "RoleArn": "arn:aws:iam::role/S3AdminRole",
     "WebIdentityToken": "eyJ0eXAiOiJKV1QiLCJhbGc...",
     "RoleSessionName": "user-session"
   }