s3tables: Generate ARNs using resource owner account ID
Change ARN generation to use resource OwnerAccountID instead of caller identity (h.getAccountID(r)). This ensures ARNs are stable and consistent regardless of which principal accesses the resource. Updated generateTableBucketARN and generateTableARN function signatures to accept ownerAccountID parameter. All call sites updated to pass the resource owner's account ID from metadata. This prevents ARN inconsistency issues when multiple principals have access to the same resource via policies.
This commit is contained in:
Chris Lu
@@ -224,12 +224,12 @@ func (h *S3TablesHandler) writeError(w http.ResponseWriter, status int, code, me
|
|||||||
|
|
||||||
// ARN generation helpers
|
// ARN generation helpers
|
||||||
|
|
||||||
func (h *S3TablesHandler) generateTableBucketARN(r *http.Request, bucketName string) string {
|
func (h *S3TablesHandler) generateTableBucketARN(ownerAccountID, bucketName string) string {
|
||||||
return fmt.Sprintf("arn:aws:s3tables:%s:%s:bucket/%s", h.region, h.getAccountID(r), bucketName)
|
return fmt.Sprintf("arn:aws:s3tables:%s:%s:bucket/%s", h.region, ownerAccountID, bucketName)
|
||||||
}
|
}
|
||||||
|
|
||||||
func (h *S3TablesHandler) generateTableARN(r *http.Request, bucketName, tableID string) string {
|
func (h *S3TablesHandler) generateTableARN(ownerAccountID, bucketName, tableID string) string {
|
||||||
return fmt.Sprintf("arn:aws:s3tables:%s:%s:bucket/%s/table/%s", h.region, h.getAccountID(r), bucketName, tableID)
|
return fmt.Sprintf("arn:aws:s3tables:%s:%s:bucket/%s/table/%s", h.region, ownerAccountID, bucketName, tableID)
|
||||||
}
|
}
|
||||||
|
|
||||||
func isAuthError(err error) bool {
|
func isAuthError(err error) bool {
|
||||||
|
|||||||
@@ -127,7 +127,7 @@ func (h *S3TablesHandler) handleCreateTableBucket(w http.ResponseWriter, r *http
|
|||||||
}
|
}
|
||||||
|
|
||||||
resp := &CreateTableBucketResponse{
|
resp := &CreateTableBucketResponse{
|
||||||
ARN: h.generateTableBucketARN(r, req.Name),
|
ARN: h.generateTableBucketARN(metadata.OwnerAccountID, req.Name),
|
||||||
}
|
}
|
||||||
|
|
||||||
h.writeJSON(w, http.StatusOK, resp)
|
h.writeJSON(w, http.StatusOK, resp)
|
||||||
|
|||||||
@@ -71,7 +71,7 @@ func (h *S3TablesHandler) handleGetTableBucket(w http.ResponseWriter, r *http.Re
|
|||||||
}
|
}
|
||||||
|
|
||||||
resp := &GetTableBucketResponse{
|
resp := &GetTableBucketResponse{
|
||||||
ARN: h.generateTableBucketARN(r, bucketName),
|
ARN: h.generateTableBucketARN(metadata.OwnerAccountID, bucketName),
|
||||||
Name: metadata.Name,
|
Name: metadata.Name,
|
||||||
OwnerAccountID: metadata.OwnerAccountID,
|
OwnerAccountID: metadata.OwnerAccountID,
|
||||||
CreatedAt: metadata.CreatedAt,
|
CreatedAt: metadata.CreatedAt,
|
||||||
@@ -174,7 +174,7 @@ func (h *S3TablesHandler) handleListTableBuckets(w http.ResponseWriter, r *http.
|
|||||||
}
|
}
|
||||||
|
|
||||||
buckets = append(buckets, TableBucketSummary{
|
buckets = append(buckets, TableBucketSummary{
|
||||||
ARN: h.generateTableBucketARN(r, entry.Entry.Name),
|
ARN: h.generateTableBucketARN(metadata.OwnerAccountID, entry.Entry.Name),
|
||||||
Name: entry.Entry.Name,
|
Name: entry.Entry.Name,
|
||||||
CreatedAt: metadata.CreatedAt,
|
CreatedAt: metadata.CreatedAt,
|
||||||
})
|
})
|
||||||
|
|||||||
@@ -198,7 +198,7 @@ func (h *S3TablesHandler) handleCreateTable(w http.ResponseWriter, r *http.Reque
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
tableARN := h.generateTableARN(r, bucketName, namespaceName+"/"+tableName)
|
tableARN := h.generateTableARN(metadata.OwnerAccountID, bucketName, namespaceName+"/"+tableName)
|
||||||
|
|
||||||
resp := &CreateTableResponse{
|
resp := &CreateTableResponse{
|
||||||
TableARN: tableARN,
|
TableARN: tableARN,
|
||||||
@@ -312,7 +312,7 @@ func (h *S3TablesHandler) handleGetTable(w http.ResponseWriter, r *http.Request,
|
|||||||
return ErrAccessDenied
|
return ErrAccessDenied
|
||||||
}
|
}
|
||||||
|
|
||||||
tableARN := h.generateTableARN(r, bucketName, namespace+"/"+tableName)
|
tableARN := h.generateTableARN(metadata.OwnerAccountID, bucketName, namespace+"/"+tableName)
|
||||||
|
|
||||||
resp := &GetTableResponse{
|
resp := &GetTableResponse{
|
||||||
Name: metadata.Name,
|
Name: metadata.Name,
|
||||||
@@ -508,7 +508,7 @@ func (h *S3TablesHandler) listTablesWithClient(r *http.Request, client filer_pb.
|
|||||||
continue
|
continue
|
||||||
}
|
}
|
||||||
|
|
||||||
tableARN := h.generateTableARN(r, bucketName, namespaceName+"/"+entry.Entry.Name)
|
tableARN := h.generateTableARN(metadata.OwnerAccountID, bucketName, namespaceName+"/"+entry.Entry.Name)
|
||||||
|
|
||||||
tables = append(tables, TableSummary{
|
tables = append(tables, TableSummary{
|
||||||
Name: entry.Entry.Name,
|
Name: entry.Entry.Name,
|
||||||
|
|||||||
Reference in New Issue
Block a user