gsh-digital-services/seaweedFS
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

s3tables: Normalize action names to include service prefix

Browse Source 
Add automatic normalization of operations to full IAM-style action names
(e.g., 's3tables:CreateTableBucket') in CheckPermission(). This ensures
policy statements using prefixed actions (s3tables:*) correctly match
operations evaluated by permission helpers.

Also fixes incorrect r.Context() passed to GetIdentityNameFromContext
which expects *http.Request. Now passes r directly.
This commit is contained in:
Chris Lu
2026-01-28 17:36:16 -08:00
parent ee468749bd
commit cf5043a9f9
2 changed files with 11 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

2
weed/s3api/s3tables/handler.go
View File

@@ -161,7 +161,7 @@ func (h *S3TablesHandler) HandleRequest(w http.ResponseWriter, r *http.Request,
// This is also used as the principal for permission checks, ensuring alignment between // This is also used as the principal for permission checks, ensuring alignment between
// the caller identity and ownership verification when IAM is enabled. // the caller identity and ownership verification when IAM is enabled.
func (h *S3TablesHandler) getAccountID(r *http.Request) string { func (h *S3TablesHandler) getAccountID(r *http.Request) string {
if identityName := s3_constants.GetIdentityNameFromContext(r.Context()); identityName != "" { if identityName := s3_constants.GetIdentityNameFromContext(r); identityName != "" {
return identityName return identityName
} }
if accountID := r.Header.Get(s3_constants.AmzAccountId); accountID != "" { if accountID := r.Header.Get(s3_constants.AmzAccountId); accountID != "" {

12
weed/s3api/s3tables/permissions.go
View File

@@ -2,6 +2,7 @@ package s3tables
import ( import (
"encoding/json" "encoding/json"
"strings"
"github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine" "github.com/seaweedfs/seaweedfs/weed/s3api/policy_engine"
) )
@@ -39,6 +40,13 @@ func CheckPermission(operation, principal, owner, resourcePolicy string) bool {
return false return false
} }
// Normalize operation to full IAM-style action name (e.g., "s3tables:CreateTableBucket")
// if not already prefixed
fullAction := operation
if !strings.Contains(operation, ":") {
fullAction = "s3tables:" + operation
}
// Parse and evaluate policy // Parse and evaluate policy
var policy PolicyDocument var policy PolicyDocument
if err := json.Unmarshal([]byte(resourcePolicy), &policy); err != nil { if err := json.Unmarshal([]byte(resourcePolicy), &policy); err != nil {
@@ -55,8 +63,8 @@ func CheckPermission(operation, principal, owner, resourcePolicy string) bool {
continue continue
} }
// Check if action matches // Check if action matches (using normalized full action name)
if !matchesAction(stmt.Action, operation) { if !matchesAction(stmt.Action, fullAction) {
continue continue
} }