From c39e271848a3bea478b3f1358796f58fdea5a43f Mon Sep 17 00:00:00 2001 From: Chris Lu Date: Tue, 19 May 2026 17:58:53 -0700 Subject: [PATCH] update --- Amazon-IAM-API.md | 10 ++++++++++ Amazon-S3-API.md | 24 ++++++++++++------------ Supported-APIs-vs-Minio.md | 28 +++++++++++++++++++--------- 3 files changed, 41 insertions(+), 21 deletions(-) diff --git a/Amazon-IAM-API.md b/Amazon-IAM-API.md index b749e78..3c70b32 100644 --- a/Amazon-IAM-API.md +++ b/Amazon-IAM-API.md @@ -86,6 +86,16 @@ weed iam -filer=localhost:8888 -port=8111 | `ListGroupPolicies` | List inline policy names for group | Admin only | | `ListGroupsForUser` | List groups a user belongs to | Admin only | | `UpdateGroup` | Rename or enable/disable a group (SeaweedFS extension) | Admin only | +| `TagUser` | Attach key/value tags to a user (max 50 tags, key 1-128, value 0-256) | Admin only | +| `UntagUser` | Remove tags from a user | Admin only | +| `ListUserTags` | List tags attached to a user | Admin only | +| `GetPolicyVersion` | Read a specific managed-policy version | Admin only | +| `ListPolicyVersions` | List versions of a managed policy | Admin only | +| `CreateServiceAccount` | Create a service-account credential | Admin only | +| `DeleteServiceAccount` | Delete a service-account credential | Admin only | +| `GetServiceAccount` | Get service-account details | Admin only | +| `ListServiceAccounts` | List service-account credentials | Admin only | +| `UpdateServiceAccount` | Update a service-account credential | Admin only | ### Self-Service Operations diff --git a/Amazon-S3-API.md b/Amazon-S3-API.md index d6bc48a..d1aff41 100644 --- a/Amazon-S3-API.md +++ b/Amazon-S3-API.md 
@@ -86,33 +86,33 @@ For IAM action names used in bucket policies (e.g., `s3:ListBucketMultipartUploa | GetPublicAccessBlock | Yes | | | PutPublicAccessBlock | Yes | | | DeletePublicAccessBlock | Yes | | -| GetBucketAccelerateConfiguration | No | | +| GetBucketAccelerateConfiguration | Yes | Always returns `Suspended` | +| GetBucketAnalyticsConfiguration | Yes | Stub: returns `NoSuchConfiguration` | +| ListBucketAnalyticsConfigurations | Yes | Stub: returns an empty list | +| GetBucketIntelligentTieringConfiguration | Yes | Stub: returns `NoSuchConfiguration` | +| ListBucketIntelligentTieringConfigurations | Yes | Stub: returns an empty list | +| GetBucketInventoryConfiguration | Yes | Stub: returns `NoSuchConfiguration` | +| ListBucketInventoryConfigurations | Yes | Stub: returns an empty list | +| GetBucketLogging | Yes | Always returns an empty `BucketLoggingStatus` | +| GetBucketMetricsConfiguration | Yes | Stub: returns `NoSuchConfiguration` | +| ListBucketMetricsConfigurations | Yes | Stub: returns an empty list | +| GetBucketPolicyStatus | Yes | Computes `IsPublic` from the bucket policy | +| PutBucketRequestPayment | Yes | Accepts only `Payer=BucketOwner` | | PutBucketAccelerateConfiguration | No | | -| GetBucketAnalyticsConfiguration | No | | | PutBucketAnalyticsConfiguration | No | | | DeleteBucketAnalyticsConfiguration | No | | -| ListBucketAnalyticsConfigurations | No | | -| GetBucketIntelligentTieringConfiguration | No | | | PutBucketIntelligentTieringConfiguration | No | | | DeleteBucketIntelligentTieringConfiguration | No | | -| ListBucketIntelligentTieringConfigurations | No | | -| GetBucketInventoryConfiguration | No | | | PutBucketInventoryConfiguration | No | | | DeleteBucketInventoryConfiguration | No | | -| ListBucketInventoryConfigurations | No | | -| GetBucketLogging | No | | | PutBucketLogging | No | | -| GetBucketMetricsConfiguration | No | | | PutBucketMetricsConfiguration | No | | | DeleteBucketMetricsConfiguration | No | | -| 
ListBucketMetricsConfigurations | No | | | GetBucketNotificationConfiguration | No | | | PutBucketNotificationConfiguration | No | | -| GetBucketPolicyStatus | No | | | GetBucketReplication | No | | | PutBucketReplication | No | | | DeleteBucketReplication | No | | -| PutBucketRequestPayment | No | | | GetBucketWebsite | No | | | PutBucketWebsite | No | | | DeleteBucketWebsite | No | | diff --git a/Supported-APIs-vs-Minio.md b/Supported-APIs-vs-Minio.md index cd7957a..1988039 100644 --- a/Supported-APIs-vs-Minio.md +++ b/Supported-APIs-vs-Minio.md @@ -20,7 +20,8 @@ This page compares the S3 API implementation in SeaweedFS with MinIO. | **ACLs** | ✅ Full | ⚠️ Dummy | MinIO accepts but does not enforce bucket and object ACL requests | | **Bucket Notifications** | ❌ No | ✅ Full | `GetBucketNotification`, `PutBucketNotification`, `ListenBucketNotification` | | **Bucket Replication** | ❌ No | ✅ Full | `Get/Put/DeleteBucketReplication` plus metrics and reset extensions | -| **Bucket Policy Status** | ❌ No | ✅ Full | `GetBucketPolicyStatus` | +| **Bucket Policy Status** | ✅ Full | ✅ Full | `GetBucketPolicyStatus` | +| **Analytics / Inventory / IntelligentTiering / Metrics configs** | ⚠️ Stub | ❌ Rejected (OSS) | SeaweedFS returns an empty list / `NoSuchConfiguration` so SDK probes succeed; MinIO OSS returns 501 NotImplemented (the equivalents live in `mc admin` / AIStor workflows, not the standard S3 endpoint) | | **S3 Tables** | ✅ Full | ❌ No | SeaweedFS supports Iceberg via S3 Tables | | **Object Select** | ❌ No | ✅ Yes | `SelectObjectContent` | | **Object Attributes**| ✅ Yes | ✅ Yes | `GetObjectAttributes` | 
@@ -47,8 +48,7 @@ This page compares the S3 API implementation in SeaweedFS with MinIO. - **Extensions**: `GetObjectLambda`, `PostRestoreObject`, `PutObjectExtract` (Snowball auto-extract). - **Bucket Notifications**: `GetBucketNotification`, `PutBucketNotification`, plus MinIO's `ListenBucketNotification` SSE-style event stream. - **Bucket Replication**: `GetBucketReplication`, `PutBucketReplication`, `DeleteBucketReplication`, replication metrics (v1/v2), `ResetBucketReplicationStart`, `ResetBucketReplicationStatus`, `ValidateBucketReplicationCreds`. -- **Bucket Policy Status**: `GetBucketPolicyStatus`. -- **Dummy bucket configs** (accepted, not enforced): `GetBucketWebsite`/`DeleteBucketWebsite`, `GetBucketLogging`, `GetBucketAccelerate`. +- **Persisted bucket configurations**: AWS Analytics, Inventory, IntelligentTiering, and Metrics configurations are not implemented on either side at the standard S3 endpoint. MinIO OSS rejects all methods with 501 NotImplemented; SeaweedFS exposes well-formed empty / `NoSuchConfiguration` stubs so AWS-SDK probes succeed. The equivalents live in MinIO's `mc admin` / AIStor workflows. ## STS API Comparison 
@@ -95,13 +95,23 @@ This page compares the S3 API implementation in SeaweedFS with MinIO. | `s3:GetBucketReplication` | ❌ | ✅ | | `s3:PutBucketReplication` | ❌ | ✅ | | `s3:DeleteBucketReplication` | ❌ | ✅ | -| `s3:GetBucketPolicyStatus` | ❌ | ✅ | +| `s3:GetBucketPolicyStatus` | ✅ | ✅ | +| `s3:PutBucketRequestPayment` | ✅ (`BucketOwner` only) | ❌ (Rejected) | +| `s3:GetBucketAccelerate` | ⚠️ (Static `Suspended`) | ⚠️ (Dummy) | +| `s3:GetBucketLogging` | ⚠️ (Static empty) | ⚠️ (Dummy) | +| `s3:GetBucketAnalyticsConfiguration` / `s3:ListBucketAnalyticsConfigurations` | ⚠️ (Stub) | ❌ (Rejected, 501) | +| `s3:GetBucketInventoryConfiguration` / `s3:ListBucketInventoryConfigurations` | ⚠️ (Stub) | ❌ (Rejected, 501) | +| `s3:GetBucketIntelligentTieringConfiguration` / `s3:ListBucketIntelligentTieringConfigurations` | ⚠️ (Stub) | ❌ (Rejected, 501) | +| `s3:GetBucketMetricsConfiguration` / `s3:ListBucketMetricsConfigurations` | ⚠️ (Stub) | ❌ (Rejected, 501) | | `s3:GetBucketWebsite` | ❌ | ⚠️ (Dummy) | -| `s3:GetBucketLogging` | ❌ | ⚠️ (Dummy) | -| `s3:GetBucketAccelerate` | ❌ | ⚠️ (Dummy) | | `s3:GetObjectACL` | ✅ | ⚠️ (Dummy) | | `s3:PutObjectACL` | ✅ | ⚠️ (Dummy) | +### Notes on behavioral divergence + +- **`s3:GetBucketPolicyStatus`** — both services return an `IsPublic` flag, but the definition of "public" differs. MinIO marks a bucket public only when anonymous credentials can **both** `ListBucket` **and** `PutObject`. SeaweedFS marks it public if **any** `Allow` statement grants `Principal: "*"` without a `Condition`. A bucket open to anonymous reads only would report `true` in SeaweedFS and `FALSE` in MinIO. +- **`s3:GetBucketAccelerate`** — MinIO returns 200 + `` with no `` child (AWS clients default-interpret as `Suspended`). SeaweedFS returns the same empty XML but with an explicit `Suspended` element. + ## IAM API Comparison SeaweedFS implements IAM actions as standard AWS IAM API calls (same endpoint as S3). 
MinIO uses a proprietary admin API (`/minio/admin/v3/`) accessible via `mc admin` CLI and `madmin-go` SDK. @@ -153,7 +163,7 @@ For group management specifically, MinIO supports broadly similar administration | `iam:GetServiceAccount` | ✅ | ⚠️ Proprietary | MinIO: `mc admin user svcacct info` | | `iam:ListServiceAccounts` | ✅ | ⚠️ Proprietary | MinIO: `mc admin user svcacct ls` | | `iam:UpdateServiceAccount` | ✅ | ⚠️ Proprietary | MinIO: `mc admin user svcacct edit` | +| `iam:TagUser` | ✅ | ❌ | Add tags to a user; AWS limits (50 tags, key 1-128, value 0-256) enforced | +| `iam:UntagUser` | ✅ | ❌ | Remove tags from a user | +| `iam:ListUserTags` | ✅ | ❌ | List tags on a user | | `iam:GetAccessKeyLastUsed` | 📋 Planned | ❌ | Return when an access key was last used | -| `iam:TagUser` | 📋 Planned | ❌ | Add tags to a user | -| `iam:UntagUser` | 📋 Planned | ❌ | Remove tags from a user | -| `iam:ListUserTags` | 📋 Planned | ❌ | List tags on a user |
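Review bot: in the `Amazon-IAM-API.md` hunk, the `TagUser` row gives the limits as `key 1-128, value 0-256` with no unit, so a reader cannot tell whether these are characters or bytes; state the unit in the row. The same wording is repeated in the `iam:TagUser` row of `Supported-APIs-vs-Minio.md` in the last hunk, so the two should be changed together to keep them from drifting.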
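Review bot: in the `Amazon-S3-API.md` hunk, the stubbed read calls (`GetBucketAnalyticsConfiguration`, `GetBucketLogging`, `GetBucketAccelerateConfiguration` and the rest) are marked `Yes` in the support column while their `Put*`/`Delete*` counterparts stay `No`, and `Supported-APIs-vs-Minio.md` in this same patch marks the same operations with `⚠️`. Someone scanning only that column, for example to decide whether bucket logging can be relied on, will read `Yes` as working support; use a distinct value such as `Stub` there so the two pages agree. The new rows are also grouped at the top of the block, which separates each `Get*`/`List*` from its `Put*`/`Delete*` siblings; editing the rows in place would keep the table easier to scan and the diff smaller.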
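Review bot: in the first `Supported-APIs-vs-Minio.md` hunk (`@@ -20,7 +20,8`), `Bucket Policy Status` becomes `✅ Full` for both services, but the note added later in this patch says the two compute `IsPublic` differently. Add a short pointer to that note in the Notes column of this row, so the `✅ Full` / `✅ Full` pair is not read as equivalent behavior by anyone using the flag to find publicly exposed buckets.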
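Review bot: in the `Supported-APIs-vs-Minio.md` hunk at `@@ -47,8 +48,7`, the removed `Dummy bucket configs` bullet was the only entry in this list that mentioned `GetBucketWebsite`/`DeleteBucketWebsite`, and the replacement bullet does not cover them, although the unchanged `s3:GetBucketWebsite` row in the next hunk still shows MinIO as `⚠️ (Dummy)`. Keep a bullet for the website calls. The new `Persisted bucket configurations` bullet also describes something "not implemented on either side", which sits oddly among neighbouring bullets that list MinIO APIs; it may fit better with the behavioral-divergence notes.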
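Review bot: in the `Notes on behavioral divergence` section added by the `@@ -95,13 +95,23` hunk, the `s3:GetBucketAccelerate` bullet reads "returns 200 + `` with no `` child": both code spans are empty, so the XML element names are missing and need to be restored inside the backticks (check that the angle brackets are escaped or fenced so they survive rendering). The same bullet describes the SeaweedFS response as "the same empty XML but with an explicit `Suspended` element", which contradicts itself, and the `s3:GetBucketPolicyStatus` bullet writes `true` and `FALSE` in different cases; pick one form for both values.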