| author | chrislu <chris.lu@gmail.com> | 2025-12-08 23:58:38 -0800 |
|---|---|---|
| committer | chrislu <chris.lu@gmail.com> | 2025-12-09 00:09:36 -0800 |
| commit | 50eba1ecf8fc7ec46fb5f4e410cee4ee835828f5 (patch) | |
| tree | 9d61ccb2ac9e38255a88e77b0000c702c3edc895 /weed/s3api/s3api_bucket_handlers.go | |
| parent | a3739c9c8c0c9f5ab8e5250d621bcd1a0c4bbdfc (diff) | |
s3: document s3:ExistingObjectTag support and feature status
Update policy engine documentation:
- Add s3:ExistingObjectTag/<tag-key> to supported condition keys
- Add 'Object Tag-Based Access Control' section with examples
- Add 'Feature Status' section with implemented and planned features
Planned features for future implementation:
- s3:RequestObjectTag/<key>
- s3:RequestObjectTagKeys
- s3:x-amz-server-side-encryption
- Cross-account access
Diffstat (limited to 'weed/s3api/s3api_bucket_handlers.go')
| -rw-r--r-- | weed/s3api/s3api_bucket_handlers.go | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/weed/s3api/s3api_bucket_handlers.go b/weed/s3api/s3api_bucket_handlers.go index 928d500b0..2d67aa551 100644 --- a/weed/s3api/s3api_bucket_handlers.go +++ b/weed/s3api/s3api_bucket_handlers.go @@ -765,8 +765,7 @@ func (s3a *S3ApiServer) AuthWithPublicRead(handler http.HandlerFunc, action Acti // Check bucket policy for anonymous access using the policy engine principal := "*" // Anonymous principal - // Evaluate bucket policy with request context for accurate action resolution - // Note: objectEntry is nil here - for tag-based conditions, re-evaluate after fetching entry + // Evaluate bucket policy (objectEntry nil - not yet fetched) allowed, evaluated, err := s3a.policyEngine.EvaluatePolicy(bucket, object, string(action), principal, r, nil) if err != nil { // SECURITY: Fail-close on policy evaluation errors |
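Review bot: The replacement comment above the `EvaluatePolicy` call in `AuthWithPublicRead` drops the only statement of what happens to tag-based conditions on this path. The call still passes `nil` for the object entry with the anonymous principal `"*"`, and the removed line was the one telling readers that tag-based conditions must be re-evaluated after the entry is fetched. Since the commit message lists `s3:ExistingObjectTag/<tag-key>` as a supported condition key, this anonymous-read path is where a reader will want to know how such a condition resolves when no entry is available. I would keep one line saying either where the re-evaluation with the fetched entry happens or that a tag condition cannot match while the entry is `nil`, for example `// objectEntry is nil here; tag-based conditions are re-evaluated after the entry is fetched`, if that is still the behaviour. If the re-evaluation no longer applies, say so in the commit message, which currently describes only documentation updates.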
