| author | chrislu <chris.lu@gmail.com> | 2025-12-08 23:58:13 -0800 |
|---|---|---|
| committer | chrislu <chris.lu@gmail.com> | 2025-12-09 00:01:31 -0800 |
| commit | c6721bb18d8f70ec9e86b6aa043b488d2d2f0239 (patch) | |
| tree | df61724296cab7caa59d2b2627956bc02a839b04 /weed/s3api/policy_engine/engine.go | |
| parent | d5f21fd8ba6ee20c2504455093a9ceeaa178b826 (diff) | |
s3: add s3:ExistingObjectTag condition support in policy engine
Add support for s3:ExistingObjectTag/<tag-key> condition keys in bucket
policies, allowing access control based on object tags.
Changes:
- Add ObjectEntry field to PolicyEvaluationArgs (entry.Extended metadata)
- Update EvaluateConditions to handle s3:ExistingObjectTag/<key> format
- Extract tag value from entry metadata using X-Amz-Tagging-<key> prefix
This enables policies like:
    {
      "Condition": {
        "StringEquals": {
          "s3:ExistingObjectTag/status": ["public"]
        }
      }
    }
Fixes: https://github.com/seaweedfs/seaweedfs/issues/7447
Diffstat (limited to 'weed/s3api/policy_engine/engine.go')
| -rw-r--r-- | weed/s3api/policy_engine/engine.go | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/weed/s3api/policy_engine/engine.go b/weed/s3api/policy_engine/engine.go index 01af3c240..57a13881c 100644 --- a/weed/s3api/policy_engine/engine.go +++ b/weed/s3api/policy_engine/engine.go @@ -154,7 +154,7 @@ func (engine *PolicyEngine) evaluateStatement(stmt *CompiledStatement, args *Pol // Check conditions if len(stmt.Statement.Condition) > 0 { - if !EvaluateConditions(stmt.Statement.Condition, args.Conditions) { + if !EvaluateConditions(stmt.Statement.Condition, args.Conditions, args.ObjectEntry) { return false } } |
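Review bot: The changed call in evaluateStatement passes args.ObjectEntry to EvaluateConditions unconditionally, and nothing visible here says what happens when that field is nil or empty, for example when a caller never loaded the object entry or the request targets a key that does not exist yet. Please state the contract in the doc comments on PolicyEvaluationArgs.ObjectEntry and EvaluateConditions: an s3:ExistingObjectTag/<key> condition evaluated against a missing entry should have one defined result, and it should fail closed rather than be skipped. This matters most if evaluateStatement is also used for Deny statements, because returning false here means the statement does not apply, so a deny that depends on a tag would silently not fire when the entry was not supplied. A test covering the nil-entry case for both an allow and a deny statement would pin that down. Since the diffstat on this page is limited to engine.go, the other call sites of EvaluateConditions are not shown; confirm they were all updated to the three-argument form.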
