Add s3tables shell and admin UI (#8172)
* Add shared s3tables manager * Add s3tables shell commands * Add s3tables admin API * Add s3tables admin UI * Fix admin s3tables namespace create * Rename table buckets menu * Centralize s3tables tag validation * Reuse s3tables manager in admin * Extract s3tables list limit * Add s3tables bucket ARN helper * Remove write middleware from s3tables APIs * Fix bucket link and policy hint * Fix table tag parsing and nav link * Disable namespace table link on invalid ARN * Improve s3tables error decode * Return flag parse errors for s3tables tag * Accept query params for namespace create * Bind namespace create form data * Read s3tables JS data from DOM * s3tables: allow empty region ARN * shell: pass s3tables account id * shell: require account for table buckets * shell: use bucket name for namespaces * shell: use bucket name for tables * shell: use bucket name for tags * admin: add table buckets links in file browser * s3api: reuse s3tables tag validation * admin: harden s3tables UI handlers * fix admin list table buckets * allow admin s3tables access * validate s3tables bucket tags * log s3tables bucket metadata errors * rollback table bucket on owner failure * show s3tables bucket owner * add s3tables iam conditions * Add s3tables user permissions UI * Authorize s3tables using identity actions * Add s3tables permissions to user modal * Disambiguate bucket scope in user permissions * Block table bucket names that match S3 buckets * Pretty-print IAM identity JSON * Include tags in s3tables permission context * admin: refactor S3 Tables inline JavaScript into a separate file * s3tables: extend IAM policy condition operators support * shell: use LookupEntry wrapper for s3tables bucket conflict check * admin: handle buildBucketPermissions validation in create/update flows
This commit is contained in:
Chris Lu
@@ -20,6 +20,7 @@ const (
|
||||
var (
|
||||
bucketARNPattern = regexp.MustCompile(`^arn:aws:s3tables:[^:]*:[^:]*:bucket/(` + bucketNamePatternStr + `)$`)
|
||||
tableARNPattern = regexp.MustCompile(`^arn:aws:s3tables:[^:]*:[^:]*:bucket/(` + bucketNamePatternStr + `)/table/(` + tableNamespacePatternStr + `)/(` + tableNamePatternStr + `)$`)
|
||||
tagPattern = regexp.MustCompile(`^([\p{L}\p{Z}\p{N}_.:/=+\-@]*)$`)
|
||||
)
|
||||
|
||||
// ARN parsing functions
|
||||
@@ -175,6 +176,80 @@ func validateBucketName(name string) error {
|
||||
return nil
|
||||
}
|
||||
|
||||
// ValidateBucketName validates bucket name and returns an error if invalid.
|
||||
func ValidateBucketName(name string) error {
|
||||
return validateBucketName(name)
|
||||
}
|
||||
|
||||
// BuildBucketARN builds a bucket ARN with the provided region and account ID.
|
||||
// If region is empty, the ARN will omit the region field.
|
||||
func BuildBucketARN(region, accountID, bucketName string) (string, error) {
|
||||
if bucketName == "" {
|
||||
return "", fmt.Errorf("bucket name is required")
|
||||
}
|
||||
if err := validateBucketName(bucketName); err != nil {
|
||||
return "", err
|
||||
}
|
||||
if accountID == "" {
|
||||
accountID = DefaultAccountID
|
||||
}
|
||||
return buildARN(region, accountID, fmt.Sprintf("bucket/%s", bucketName)), nil
|
||||
}
|
||||
|
||||
// BuildTableARN builds a table ARN with the provided region and account ID.
|
||||
func BuildTableARN(region, accountID, bucketName, namespace, tableName string) (string, error) {
|
||||
if bucketName == "" {
|
||||
return "", fmt.Errorf("bucket name is required")
|
||||
}
|
||||
if err := validateBucketName(bucketName); err != nil {
|
||||
return "", err
|
||||
}
|
||||
if namespace == "" {
|
||||
return "", fmt.Errorf("namespace is required")
|
||||
}
|
||||
normalizedNamespace, err := validateNamespace([]string{namespace})
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if tableName == "" {
|
||||
return "", fmt.Errorf("table name is required")
|
||||
}
|
||||
normalizedTable, err := validateTableName(tableName)
|
||||
if err != nil {
|
||||
return "", err
|
||||
}
|
||||
if accountID == "" {
|
||||
accountID = DefaultAccountID
|
||||
}
|
||||
return buildARN(region, accountID, fmt.Sprintf("bucket/%s/table/%s/%s", bucketName, normalizedNamespace, normalizedTable)), nil
|
||||
}
|
||||
|
||||
func buildARN(region, accountID, resourcePath string) string {
|
||||
return fmt.Sprintf("arn:aws:s3tables:%s:%s:%s", region, accountID, resourcePath)
|
||||
}
|
||||
|
||||
// ValidateTags validates tags for S3 Tables.
|
||||
func ValidateTags(tags map[string]string) error {
|
||||
if len(tags) > 10 {
|
||||
return fmt.Errorf("validate tags: %d tags more than 10", len(tags))
|
||||
}
|
||||
for k, v := range tags {
|
||||
if len(k) > 128 {
|
||||
return fmt.Errorf("validate tags: tag key longer than 128")
|
||||
}
|
||||
if !tagPattern.MatchString(k) {
|
||||
return fmt.Errorf("validate tags key %s error, incorrect key", k)
|
||||
}
|
||||
if len(v) > 256 {
|
||||
return fmt.Errorf("validate tags: tag value longer than 256")
|
||||
}
|
||||
if !tagPattern.MatchString(v) {
|
||||
return fmt.Errorf("validate tags value %s error, incorrect value", v)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// isValidBucketName validates bucket name characters (kept for compatibility)
|
||||
// Deprecated: use validateBucketName instead
|
||||
func isValidBucketName(name string) bool {
|
||||
|
||||
Reference in New Issue
Block a user