s3api: add AttachUserPolicy/DetachUserPolicy/ListAttachedUserPolicies (#8379)

* iam: add XML responses for managed user policy APIs

* s3api: implement attach/detach/list attached user policies

* s3api: add embedded IAM tests for managed user policies

* iam: update CredentialStore interface and Manager for managed policies

Updated the `CredentialStore` interface to include `AttachUserPolicy`,
`DetachUserPolicy`, and `ListAttachedUserPolicies` methods.
The `CredentialManager` was updated to delegate these calls to the store.
Added common error variables for policy management.

* iam: implement managed policy methods in MemoryStore

Implemented `AttachUserPolicy`, `DetachUserPolicy`, and
`ListAttachedUserPolicies` in the MemoryStore.
Also ensured deep copying of identities includes PolicyNames.

* iam: implement managed policy methods in PostgresStore

Modified Postgres schema to include `policy_names` JSONB column in `users`.
Implemented `AttachUserPolicy`, `DetachUserPolicy`, and `ListAttachedUserPolicies`.
Updated user CRUD operations to handle policy names persistence.

* iam: implement managed policy methods in remaining stores

Implemented user policy management in:
- `FilerEtcStore` (partial implementation)
- `IamGrpcStore` (delegated via GetUser/UpdateUser)
- `PropagatingCredentialStore` (to broadcast updates)
Ensures cluster-wide consistency for policy attachments.

* s3api: refactor EmbeddedIamApi to use managed policy APIs

- Refactored `AttachUserPolicy`, `DetachUserPolicy`, and `ListAttachedUserPolicies`
  to use `e.credentialManager` directly.
- Fixed a critical error suppression bug in `ExecuteAction` that always
  returned success even on failure.
- Implemented robust error matching using string comparison fallbacks.
- Improved consistency by reloading configuration after policy changes.

* s3api: update and refine IAM integration tests

- Updated tests to use a real `MemoryStore`-backed `CredentialManager`.
- Refined test configuration synchronization using `sync.Once` and
  manual deep-copying to prevent state corruption.
- Improved `extractEmbeddedIamErrorCodeAndMessage` to handle more XML
  formats robustly.
- Adjusted test expectations to match current AWS IAM behavior.

* fix compilation

* visibility

* ensure 10 policies

* reload

* add integration tests

* Guard raft command registration

* Allow IAM actions in policy tests

* Validate gRPC policy attachments

* Revert Validate gRPC policy attachments

* Tighten gRPC policy attach/detach

* Improve IAM managed policy handling

* Improve managed policy filters

weed/credential/credential_store.go

@@ -15,6 +15,9 @@ var (
 	ErrUserAlreadyExists      = errors.New("user already exists")
 	ErrAccessKeyNotFound      = errors.New("access key not found")
 	ErrServiceAccountNotFound = errors.New("service account not found")
+	ErrPolicyNotFound         = errors.New("policy not found")
+	ErrPolicyAlreadyAttached  = errors.New("policy already attached")
+	ErrPolicyNotAttached      = errors.New("policy not attached to user")
 )
 
 // CredentialStoreTypeName represents the type name of a credential store
@@ -81,6 +84,14 @@ type CredentialStore interface {
 	ListServiceAccounts(ctx context.Context) ([]*iam_pb.ServiceAccount, error)
 	GetServiceAccountByAccessKey(ctx context.Context, accessKey string) (*iam_pb.ServiceAccount, error)
 
+	// User Policy Attachment Management
+	// AttachUserPolicy attaches a managed policy to a user by policy name
+	AttachUserPolicy(ctx context.Context, username string, policyName string) error
+	// DetachUserPolicy detaches a managed policy from a user
+	DetachUserPolicy(ctx context.Context, username string, policyName string) error
+	// ListAttachedUserPolicies returns the list of policy names attached to a user
+	ListAttachedUserPolicies(ctx context.Context, username string) ([]string, error)
+
 	// Shutdown performs cleanup when the store is being shut down
 	Shutdown()
 }