s3tables: implement permission checking and authorization

- Add permissions.go with permission definitions and checks
- Define permissions for all 21 S3 Tables operations
- Add permission checking helper functions
- Add getPrincipalFromRequest to extract caller identity
- Implement access control in CreateTableBucket, GetTableBucket, DeleteTableBucket
- Return 403 Forbidden for unauthorized operations
- Only bucket owner can perform operations (extensible for future policies)
- Add AuthError type for authorization failures

weed/s3api/s3tables/handler.go

@@ -140,6 +140,20 @@ func (h *S3TablesHandler) HandleRequest(w http.ResponseWriter, r *http.Request,
 	}
 }
 
+// Principal/authorization helpers
+
+func (h *S3TablesHandler) getPrincipalFromRequest(r *http.Request) string {
+	// Extract principal from request headers
+	// This can be extended to parse AWS credentials, client certificates, etc.
+	principal := r.Header.Get("X-Amz-Principal")
+	if principal != "" {
+		return principal
+	}
+
+	// Default to account ID
+	return h.accountID
+}
+
 // Request/Response helpers
 
 func (h *S3TablesHandler) readRequestBody(r *http.Request, v interface{}) error {