feat: add option to S3 backend for V2 signatures

Currently we don't expose any ability to select the signature version used for our S3 backend. Signed-off-by: Christian Simon <[email protected]>
grafana · Nov 23, 2020 · 8a15717 · 8a15717
1 parent 9b6edac
commit 8a15717
Show file tree

Hide file tree

Showing 3 changed files with 41 additions and 8 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,7 @@
 * [CHANGE] Compact more than 2 blocks at a time [#348](https://github.com/grafana/tempo/pull/348)
 * [ENHANCEMENT] Add tempodb_compaction_objects_combined metric. [#339](https://github.com/grafana/tempo/pull/339)
 * [ENHANCEMENT] Added OpenMetrics exemplar support. [#359](https://github.com/grafana/tempo/pull/359)
+* [ENHANCEMENT] Add support for S3 V2 signatures. [#352](https://github.com/grafana/tempo/pull/352)
 * [BUGFIX] Frequent errors logged by compactor regarding meta not found [#327](https://github.com/grafana/tempo/pull/327)
 * [BUGFIX] Fix distributors panicking on rollout [#343](https://github.com/grafana/tempo/pull/343)
 

diff --git a/tempodb/backend/s3/config.go b/tempodb/backend/s3/config.go
@@ -8,4 +8,6 @@ type Config struct {
 	SecretKey string `yaml:"secret_key"`
 	Insecure  bool   `yaml:"insecure"`
 	PartSize  uint64 `yaml:"part_size"`
+	// SignatureV2 configures the object storage to use V2 signing instead of V4
+	SignatureV2 bool `yaml:"signature_v2"`
 }
diff --git a/tempodb/backend/s3/s3.go b/tempodb/backend/s3/s3.go
@@ -32,24 +32,54 @@ type readerWriter struct {
 	core   *minio.Core
 }
 
+type overrideSignatureVersion struct {
+	useV2    bool
+	upstream credentials.Provider
+}
+
+func (s *overrideSignatureVersion) Retrieve() (credentials.Value, error) {
+	v, err := s.upstream.Retrieve()
+	if err != nil {
+		return v, err
+	}
+
+	if s.useV2 && !v.SignerType.IsAnonymous() {
+		v.SignerType = credentials.SignatureV2
+	}
+
+	return v, nil
+}
+
+func (s *overrideSignatureVersion) IsExpired() bool {
+	return s.upstream.IsExpired()
+}
+
 func New(cfg *Config) (backend.Reader, backend.Writer, backend.Compactor, error) {
 	l := log_util.Logger
+
+	wrapCredentialsProvider := func(p credentials.Provider) credentials.Provider {
+		if cfg.SignatureV2 {
+			return &overrideSignatureVersion{useV2: cfg.SignatureV2, upstream: p}
+		}
+		return p
+	}
+
 	creds := credentials.NewChainCredentials([]credentials.Provider{
-		&credentials.EnvAWS{},
-		&credentials.Static{
+		wrapCredentialsProvider(&credentials.EnvAWS{}),
+		wrapCredentialsProvider(&credentials.Static{
 			Value: credentials.Value{
 				AccessKeyID:     cfg.AccessKey,
 				SecretAccessKey: cfg.SecretKey,
 			},
-		},
-		&credentials.EnvMinio{},
-		&credentials.FileAWSCredentials{},
-		&credentials.FileMinioClient{},
-		&credentials.IAM{
+		}),
+		wrapCredentialsProvider(&credentials.EnvMinio{}),
+		wrapCredentialsProvider(&credentials.FileAWSCredentials{}),
+		wrapCredentialsProvider(&credentials.FileMinioClient{}),
+		wrapCredentialsProvider(&credentials.IAM{
 			Client: &http.Client{
 				Transport: http.DefaultTransport,
 			},
-		},
+		}),
 	})
 	opts := &minio.Options{
 		Secure: !cfg.Insecure,