Fix IAM defaults and S3Tables IAM regression (#8374)

* Fix IAM defaults and s3tables identities

* Refine S3Tables identity tests

* Clarify identity tests
Chris Lu
2026-02-18 18:20:03 -08:00
committed by GitHub
parent 38e14a867b
commit d1fecdface
5 changed files with 316 additions and 12 deletions


@@ -208,6 +208,11 @@ func hasIdentityPermission(operation string, ctx *PolicyContext) bool {
candidates = append(candidates, operation+":"+ctx.TableBucketName, fullAction+":"+ctx.TableBucketName)
}
for _, action := range ctx.IdentityActions {
// Legacy static identities may still use broad admin markers or s3 wildcards.
// s3:* is treated as s3tables:* so shared admin policies still permit table access.
if action == "*" || action == string(s3_constants.ACTION_ADMIN) || action == "s3:*" || action == "s3tables:*" {
return true
}
for _, candidate := range candidates {
if action == candidate {
return true
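Review bot: The `action == "s3:*"` arm of the added condition returns true before any candidate is compared, so an identity whose static action list holds the S3 wildcard is granted every S3Tables operation on every table bucket, regardless of `operation` or `ctx.TableBucketName`. That is a cross-service widening of an existing grant, and operators who issued `s3:*` for object access only may not expect it. If the equivalence is intended, state it on the function's doc comment, for example `// NOTE: "s3:*" on a static identity implies full s3tables access, including all table buckets.`, and pin it with a negative test showing that a narrower action such as a single `s3:` verb does not take this path. If it is only a transitional shim, the narrower form is `if action == "*" || action == string(s3_constants.ACTION_ADMIN) || action == "s3tables:*" {`. hasIdentityPermission starts and ends outside the hunk, so whether an explicit deny is evaluated before this loop cannot be confirmed from here.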