| author | chrislu <chris.lu@gmail.com> | 2025-12-08 23:58:38 -0800 |
|---|---|---|
| committer | chrislu <chris.lu@gmail.com> | 2025-12-09 00:09:36 -0800 |
| commit | 50eba1ecf8fc7ec46fb5f4e410cee4ee835828f5 (patch) | |
| tree | 9d61ccb2ac9e38255a88e77b0000c702c3edc895 /weed/s3api/policy_engine/conditions.go | |
| parent | a3739c9c8c0c9f5ab8e5250d621bcd1a0c4bbdfc (diff) | |
s3: document s3:ExistingObjectTag support and feature status
Update policy engine documentation:
- Add s3:ExistingObjectTag/<tag-key> to supported condition keys
- Add 'Object Tag-Based Access Control' section with examples
- Add 'Feature Status' section with implemented and planned features
Planned features for future implementation:
- s3:RequestObjectTag/<key>
- s3:RequestObjectTagKeys
- s3:x-amz-server-side-encryption
- Cross-account access
Diffstat (limited to 'weed/s3api/policy_engine/conditions.go')
| -rw-r--r-- | weed/s3api/policy_engine/conditions.go | 10 |
1 files changed, 4 insertions, 6 deletions
diff --git a/weed/s3api/policy_engine/conditions.go b/weed/s3api/policy_engine/conditions.go
index feb582e89..ffbae51e6 100644
--- a/weed/s3api/policy_engine/conditions.go
+++ b/weed/s3api/policy_engine/conditions.go
@@ -10,6 +10,7 @@ import (
 	"time"
 
 	"github.com/seaweedfs/seaweedfs/weed/glog"
+	"github.com/seaweedfs/seaweedfs/weed/s3api/s3_constants"
 )
 
 // LRUNode represents a node in the doubly-linked list for efficient LRU operations
@@ -705,12 +706,9 @@ func GetConditionEvaluator(operator string) (ConditionEvaluator, error) {
 	}
 }
 
-// ExistingObjectTagPrefix is the prefix for object tag condition keys
+// ExistingObjectTagPrefix is the prefix for S3 policy condition keys
 const ExistingObjectTagPrefix = "s3:ExistingObjectTag/"
 
-// ObjectTagMetadataPrefix is the prefix used to store tags in entry.Extended
-const ObjectTagMetadataPrefix = "X-Amz-Tagging-"
-
 // EvaluateConditions evaluates all conditions in a policy statement
 // objectEntry is the object's metadata from entry.Extended (can be nil)
 func EvaluateConditions(conditions PolicyConditions, contextValues map[string][]string, objectEntry map[string][]byte) bool {
@@ -733,7 +731,7 @@ func EvaluateConditions(conditions PolicyConditions, contextValues map[string][]
 		if strings.HasPrefix(key, ExistingObjectTagPrefix) {
 			// Extract tag value from entry.Extended using the tag prefix
 			tagKey := key[len(ExistingObjectTagPrefix):]
-			metadataKey := ObjectTagMetadataPrefix + tagKey
+			metadataKey := s3_constants.AmzObjectTaggingPrefix + tagKey
 			if objectEntry != nil {
 				if tagValue, exists := objectEntry[metadataKey]; exists {
 					contextVals = []string{string(tagValue)}
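Review bot: The rewritten doc comment on `ExistingObjectTagPrefix` in the `@@ -705` hunk is now broader than the constant it describes: it is the prefix of one condition-key family, `s3:ExistingObjectTag/<tag-key>`, not of S3 policy condition keys in general, so the removed wording was the more accurate one. Suggest `// ExistingObjectTagPrefix is the condition-key prefix for s3:ExistingObjectTag/<tag-key>; the remainder of the key is the tag name looked up in entry.Extended.` The same hunk deletes the exported `ObjectTagMetadataPrefix`; if any other package referenced it (not visible here), this is an API removal rather than the documentation-only change the commit message describes, and that is worth stating in the message.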
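Review bot: Replacing `ObjectTagMetadataPrefix` with `s3_constants.AmzObjectTaggingPrefix` in the `@@ -733` hunk (and identically in the `@@ -784` hunk inside EvaluateConditionsLegacy) is only behavior-preserving if that constant equals the removed literal `"X-Amz-Tagging-"`, and its value is not visible in this diff. If it differs even in case, `objectEntry[metadataKey]` no longer finds tags that were stored under the old key, every `s3:ExistingObjectTag/...` condition then evaluates against an absent value, and tag-scoped Allow and Deny statements silently change outcome — a policy-engine regression that nothing here would catch. Worth pinning with a unit test that stores a tag under `s3_constants.AmzObjectTaggingPrefix + "env"` in the entry map and asserts that both EvaluateConditions and EvaluateConditionsLegacy match it, plus a one-line comment at the lookup, `// must use the same prefix under which tags are written to entry.Extended`. Both enclosing functions begin and end outside their hunks.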
@@ -784,7 +782,7 @@ func EvaluateConditionsLegacy(conditions map[string]interface{}, contextValues m
 		// Handle s3:ExistingObjectTag/<tag-key> condition keys
 		if strings.HasPrefix(key, ExistingObjectTagPrefix) {
 			tagKey := key[len(ExistingObjectTagPrefix):]
-			metadataKey := ObjectTagMetadataPrefix + tagKey
+			metadataKey := s3_constants.AmzObjectTaggingPrefix + tagKey
 			if objectEntry != nil {
 				if tagValue, exists := objectEntry[metadataKey]; exists {
 					contextVals = []string{string(tagValue)}
