s3api: fix static IAM policy enforcement after reload (#8532)

* s3api: honor attached IAM policies over legacy actions * s3api: hydrate IAM policy docs during config reload * s3api: use policy-aware auth when listing buckets * credential: propagate context through filer_etc policy reads * credential: make legacy policy deletes durable * s3api: exercise managed policy runtime loader * s3api: allow static IAM users without session tokens * iam: deny unmatched attached policies under default allow * iam: load embedded policy files from filer store * s3api: require session tokens for IAM presigning * s3api: sync runtime policies into zero-config IAM * credential: respect context in policy file loads * credential: serialize legacy policy deletes * iam: align filer policy store naming * s3api: use authenticated principals for presigning * iam: deep copy policy conditions * s3api: require request creation in policy tests * filer: keep ReadInsideFiler as the context-aware API * iam: harden filer policy store writes * credential: strengthen legacy policy serialization test * credential: forward runtime policy loaders through wrapper * s3api: harden runtime policy merging * iam: require typed already-exists errors
2026-03-06 12:35:08 -08:00
parent 338be16254
commit f9311a3422
30 changed files with 1903 additions and 168 deletions
--- a/weed/mq/kafka/gateway/coordinator_registry.go
+++ b/weed/mq/kafka/gateway/coordinator_registry.go
@@ -678,7 +678,7 @@ func (cr *CoordinatorRegistry) loadCoordinatorAssignmentWithClient(consumerGroup
 	err := clientAccessor.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error {
 		// Load from individual file: /topics/kafka/.meta/coordinators/<consumer-group>_assignments.json
 		fileName := fmt.Sprintf("%s_assignments.json", consumerGroup)
-		data, err := filer.ReadInsideFiler(client, CoordinatorAssignmentsDir, fileName)
+		data, err := filer.ReadInsideFiler(context.Background(), client, CoordinatorAssignmentsDir, fileName)
 		if err != nil {
 			return fmt.Errorf("assignment file not found for group %s: %w", consumerGroup, err)
 		}
--- a/weed/mq/offset/consumer_group_storage.go
+++ b/weed/mq/offset/consumer_group_storage.go
@@ -108,7 +108,7 @@ func (f *FilerConsumerGroupOffsetStorage) LoadConsumerGroupPosition(t topic.Topi

 	var position *ConsumerGroupPosition
 	err := f.filerClientAccessor.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error {
-		data, err := filer.ReadInsideFiler(client, consumersDir, offsetFileName)
+		data, err := filer.ReadInsideFiler(context.Background(), client, consumersDir, offsetFileName)
 		if err != nil {
 			return err
 		}
--- a/weed/mq/offset/filer_storage.go
+++ b/weed/mq/offset/filer_storage.go
@@ -1,6 +1,7 @@
 package offset

 import (
+	"context"
 	"fmt"
 	"time"

@@ -48,7 +49,7 @@ func (f *FilerOffsetStorage) LoadCheckpoint(namespace, topicName string, partiti

 	var offset int64 = -1
 	err := f.filerClientAccessor.WithFilerClient(false, func(client filer_pb.SeaweedFilerClient) error {
-		data, err := filer.ReadInsideFiler(client, partitionDir, fileName)
+		data, err := filer.ReadInsideFiler(context.Background(), client, partitionDir, fileName)
 		if err != nil {
 			return err
 		}
--- a/weed/mq/topic/topic.go
+++ b/weed/mq/topic/topic.go
@@ -50,7 +50,7 @@ func (t Topic) Dir() string {
 }

 func (t Topic) ReadConfFile(client filer_pb.SeaweedFilerClient) (*mq_pb.ConfigureTopicResponse, error) {
-	data, err := filer.ReadInsideFiler(client, t.Dir(), filer.TopicConfFile)
+	data, err := filer.ReadInsideFiler(context.Background(), client, t.Dir(), filer.TopicConfFile)
 	if errors.Is(err, filer_pb.ErrNotFound) {
 		return nil, err
 	}