* fix(shell): s3.user.provision handles existing users by attaching policy
Instead of erroring when the user already exists, the command now
creates the policy and attaches it to the existing user via UpdateUser.
Credentials are only generated and displayed for newly created users.
* fix(shell): skip duplicate policy attachment in s3.user.provision
Check if the policy is already attached before appending and calling
UpdateUser, making repeated runs idempotent.
* fix(shell): generate service account ID in s3.serviceaccount.create
The command built a ServiceAccount proto without setting Id, which was
rejected by credential.ValidateServiceAccountId on any real store. Now
generates sa:<parent>:<uuid> matching the format used by the admin UI.
* test(s3): integration tests for s3.* shell commands
Adds TestShell* integration tests covering ~40 previously untested
shell commands: user, accesskey, group, serviceaccount, anonymous,
bucket, policy.attach/detach, config.show, and iam.export/import.
Switches the test cluster's credential store from memory to filer_etc
because the memory store silently drops groups and service accounts
in LoadConfiguration/SaveConfiguration.
* fix(shell): rollback policy on key generation failure in s3.user.provision
If iam.GenerateRandomString or iam.GenerateSecretAccessKey fails after
the policy was persisted, the policy would be left orphaned. Extracts
the rollback logic into a local closure and invokes it on all failure
paths after policy creation for consistency.
* address PR review feedback for s3 shell tests and serviceaccount
- s3.serviceaccount.create: use 16 bytes of randomness (hex-encoded) for
the service account UUID instead of 4 bytes to eliminate collision risk
- s3.serviceaccount.create: print the actual ID and drop the outdated
"server-assigned" note (the ID is now client-generated)
- tests: guard createdAK in accesskey rotate/delete subtests so sibling
failures don't run invalid CLI calls
- tests: requireContains/requireNotContains use t.Fatalf to fail fast
- tests: Provision subtest asserts the "Attached policy" message on the
second provision call for an existing user
- tests: update extractServiceAccountID comment example to match the
sa:<parent>:<uuid> format
- tests: drop redundant saID empty-check (extractServiceAccountID fatals)
* test(s3): use t.Fatalf for precondition check in serviceaccount test
10e7f0f2bc