* s3api: prune bucket-scoped IAM actions on DeleteBucket
DeleteBucket removed the bucket directory and collection but left
behind any identity actions configured via s3.configure that were
scoped to that bucket (e.g. Read:bucket, Write:bucket/prefix),
leaving stale auth metadata that users expected to be cleaned up
along with the bucket.
After a successful delete, strip actions whose resource is exactly
the bucket or a prefix under it, save via the credential manager,
and let the existing filer metadata subscription fan the reload out
to every S3 server. Wildcarded resources and global actions are
preserved since they may cover other buckets; static identities
are left untouched.
Fixes #5310
* s3api: address review feedback on bucket IAM prune
- Apply per-identity updates via credentialManager.UpdateUser instead
of a full LoadConfiguration/SaveConfiguration round-trip, so the
prune no longer clobbers concurrent IAM edits made by s3.configure
or the IAM API during a DeleteBucket.
- Use a 30s bounded background context for the post-delete cleanup so
it survives client disconnect — the bucket is already gone by then
and this is best-effort bookkeeping.
- Skip static identities via IsStaticIdentity, since the credential
store never persists them and UpdateUser would return NotFound.
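The prune described in the two messages above, written out as an added Go example (not SeaweedFS code): it assumes identities carry "Action:resource" strings such as "Read:bucket/prefix", with no ":" meaning a global action, and it stops at returning the identities that would be handed to UpdateUser; the credential manager and the filer metadata reload are left out.

```go
package main
import "strings"

// Identity mirrors an S3 identity record: a name and "Action:resource"
// strings (assumed format, e.g. "Read:bucket/prefix"; no ":" means global).
type Identity struct {
	Name    string
	Static  bool // static identities are never persisted by the credential store
	Actions []string
}

// scopedToBucket is true for exactly the deleted bucket or a prefix under it.
// Wildcarded resources are never scoped: they may cover other buckets.
func scopedToBucket(resource, bucket string) bool {
	if strings.Contains(resource, "*") {
		return false
	}
	return resource == bucket || strings.HasPrefix(resource, bucket+"/")
}

// pruneBucketActions returns the actions that survive deletion of bucket and
// whether anything was dropped. Global actions (no ":") are always kept.
func pruneBucketActions(actions []string, bucket string) (kept []string, changed bool) {
	for _, a := range actions {
		_, resource, hasResource := strings.Cut(a, ":")
		if hasResource && scopedToBucket(resource, bucket) {
			changed = true
			continue
		}
		kept = append(kept, a)
	}
	return kept, changed
}

// pruneIdentities prunes each non-static identity in place and returns the
// names whose action lists changed, i.e. the ones to hand to UpdateUser.
func pruneIdentities(ids []Identity, bucket string) []string {
	var updated []string
	for i := range ids {
		if ids[i].Static {
			continue
		}
		kept, changed := pruneBucketActions(ids[i].Actions, bucket)
		if changed {
			ids[i].Actions = kept
			updated = append(updated, ids[i].Name)
		}
	}
	return updated
}
```

Note that "photosarchive" is not pruned when "photos" is deleted: only the exact bucket name or a "bucket/" prefix counts as scoped.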
See https://blog.aqwari.net/xml-schema-go/
1. go get aqwari.net/xml/cmd/xsdgen
2. Add EncodingType element for ListBucketResult in AmazonS3.xsd
3. xsdgen -o s3api_xsd_generated.go -pkg s3api AmazonS3.xsd
4. Remove empty Grantee struct in s3api_xsd_generated.go
5. Remove the xmlns prefix from the generated struct tags (in place): sed -i 's/http:\/\/s3.amazonaws.com\/doc\/2006-03-01\/ //' s3api_xsd_generated.go