From 62d073251ed53ee838d5eb83dc6a06b1ff98d3ca Mon Sep 17 00:00:00 2001 From: Alan Protasio Date: Wed, 16 Aug 2023 10:58:52 -0700 Subject: [PATCH 1/3] Fix 5xx when customer key error when fetching the bucket index Signed-off-by: Alan Protasio --- pkg/storegateway/bucket_stores.go | 57 +++++++++++++++----------- pkg/storegateway/bucket_stores_test.go | 8 +++- 2 files changed, 38 insertions(+), 27 deletions(-) diff --git a/pkg/storegateway/bucket_stores.go b/pkg/storegateway/bucket_stores.go index 1a3b791445..7c8ee46abe 100644 --- a/pkg/storegateway/bucket_stores.go +++ b/pkg/storegateway/bucket_stores.go @@ -235,7 +235,7 @@ func (u *BucketStores) syncUsersBlocks(ctx context.Context, f func(context.Conte if err := f(ctx, job.store); err != nil { if errors.Is(err, bucket.ErrCustomerManagedKeyAccessDenied) { u.storesErrorsMu.Lock() - u.storesErrors[job.userID] = err + u.storesErrors[job.userID] = httpgrpc.Errorf(int(codes.PermissionDenied), "store error: %s", err) u.storesErrorsMu.Unlock() } else { errsMx.Lock() @@ -298,16 +298,19 @@ func (u *BucketStores) Series(req *storepb.SeriesRequest, srv storepb.Store_Seri return fmt.Errorf("no userID") } - store := u.getStore(userID) + err := u.getStoreError(userID) userBkt := bucket.NewUserBucketClient(userID, u.bucket, u.limits) - if store == nil { - return nil - } + if err != nil { + if cortex_errors.ErrorIs(err, userBkt.IsCustomerManagedKeyError) { + return httpgrpc.Errorf(int(codes.PermissionDenied), "store error: %s", err) + } - err := u.getStoreError(userID) + return err + } - if err != nil && cortex_errors.ErrorIs(err, userBkt.IsCustomerManagedKeyError) { - return httpgrpc.Errorf(int(codes.PermissionDenied), "store error: %s", err) + store := u.getStore(userID) + if store == nil { + return nil } err = store.Series(req, spanSeriesServer{ 
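Review bot: Storing `httpgrpc.Errorf(int(codes.PermissionDenied), "store error: %s", err)` in `u.storesErrors[job.userID]` flattens the error into a string, so anything reading the map can no longer recover the `bucket.ErrCustomerManagedKeyAccessDenied` cause with `errors.Is`; the test hunk in bucket_stores_test.go had to drop that assertion and check only the gRPC code. If the cause still matters to other readers of the map, keep it attached — this series already uses `cortex_errors.WithCause` for that purpose in storage.go and sse_bucket_client.go — otherwise document at the assignment that the map now holds an already-translated status, e.g. `// Stored as a PermissionDenied gRPC status so Series/LabelNames/LabelValues can return it unchanged instead of a 5xx.` syncUsersBlocks starts and ends outside this hunk.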
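Review bot: Because syncUsersBlocks now stores an error that is already a PermissionDenied status, both branches of the new `if err != nil` block in Series return a PermissionDenied error, so the inner `cortex_errors.ErrorIs(err, userBkt.IsCustomerManagedKeyError)` check appears redundant unless the map has another writer not visible in this patch. The same structure is repeated in the LabelNames and LabelValues hunks. If the check is kept as a safeguard, note that `userBkt := bucket.NewUserBucketClient(userID, u.bucket, u.limits)` is now built on every request only to supply the predicate; moving that line inside the `if err != nil` block keeps it off the happy path. Series continues past the end of the hunk.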
@@ -328,16 +331,19 @@ func (u *BucketStores) LabelNames(ctx context.Context, req *storepb.LabelNamesRe return nil, fmt.Errorf("no userID") } - store := u.getStore(userID) + err := u.getStoreError(userID) userBkt := bucket.NewUserBucketClient(userID, u.bucket, u.limits) - if store == nil { - return &storepb.LabelNamesResponse{}, nil - } + if err != nil { + if cortex_errors.ErrorIs(err, userBkt.IsCustomerManagedKeyError) { + return nil, httpgrpc.Errorf(int(codes.PermissionDenied), "store error: %s", err) + } - err := u.getStoreError(userID) + return nil, err + } - if err != nil && cortex_errors.ErrorIs(err, userBkt.IsCustomerManagedKeyError) { - return nil, httpgrpc.Errorf(int(codes.PermissionDenied), "store error: %s", err) + store := u.getStore(userID) + if store == nil { + return &storepb.LabelNamesResponse{}, nil } resp, err := store.LabelNames(ctx, req) @@ -355,21 +361,22 @@ func (u *BucketStores) LabelValues(ctx context.Context, req *storepb.LabelValues return nil, fmt.Errorf("no userID") } - store := u.getStore(userID) - userBkt := bucket.NewUserBucketClient(userID, u.bucket, u.limits) - if store == nil { - return &storepb.LabelValuesResponse{}, nil - } - err := u.getStoreError(userID) + userBkt := bucket.NewUserBucketClient(userID, u.bucket, u.limits) + if err != nil { + if cortex_errors.ErrorIs(err, userBkt.IsCustomerManagedKeyError) { + return nil, httpgrpc.Errorf(int(codes.PermissionDenied), "store error: %s", err) + } - if err != nil && cortex_errors.ErrorIs(err, userBkt.IsCustomerManagedKeyError) { - return nil, httpgrpc.Errorf(int(codes.PermissionDenied), "store error: %s", err) + return nil, err } - resp, err := store.LabelValues(ctx, req) + store := u.getStore(userID) + if store == nil { + return &storepb.LabelValuesResponse{}, nil + } - return resp, err + return store.LabelValues(ctx, req) } // scanUsers in the bucket and return the list of found users. If an error occurs while 
diff --git a/pkg/storegateway/bucket_stores_test.go b/pkg/storegateway/bucket_stores_test.go index 4e82b88525..7cb3188e74 100644 --- a/pkg/storegateway/bucket_stores_test.go +++ b/pkg/storegateway/bucket_stores_test.go @@ -132,12 +132,16 @@ func TestBucketStores_CustomerKeyError(t *testing.T) { // Should set the error on user-1 require.NoError(t, stores.InitialSync(ctx)) if tc.mockInitialSync { - require.ErrorIs(t, stores.storesErrors["user-1"], bucket.ErrCustomerManagedKeyAccessDenied) + s, ok := status.FromError(stores.storesErrors["user-1"]) + require.True(t, ok) + require.Equal(t, s.Code(), codes.PermissionDenied) require.ErrorIs(t, stores.storesErrors["user-2"], nil) } require.NoError(t, stores.SyncBlocks(context.Background())) if tc.mockInitialSync { - require.ErrorIs(t, stores.storesErrors["user-1"], bucket.ErrCustomerManagedKeyAccessDenied) + s, ok := status.FromError(stores.storesErrors["user-1"]) + require.True(t, ok) + require.Equal(t, s.Code(), codes.PermissionDenied) require.ErrorIs(t, stores.storesErrors["user-2"], nil) } From 01795c8cc7ae08b4b52ffe1cc3549cc5dacc2a4b Mon Sep 17 00:00:00 2001 From: Alan Protasio Date: Wed, 16 Aug 2023 11:46:14 -0700 Subject: [PATCH 2/3] update thanos obs store 
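Review bot: `require.Equal(t, s.Code(), codes.PermissionDenied)` passes actual before expected; testify reports its arguments as expected/actual, so a failure message would read inverted — `require.Equal(t, codes.PermissionDenied, s.Code())` in both added blocks. The assertion also no longer verifies that the stored error came from the customer-managed-key path, only that some PermissionDenied status was stored; if that distinction is still intended, an assertion on the status message or on the wrapped cause would restore it. TestBucketStores_CustomerKeyError continues outside the hunk.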
Signed-off-by: Alan Protasio --- go.mod | 2 +- go.sum | 4 ++-- pkg/storage/bucket/client_mock.go | 4 ++-- pkg/storage/bucket/prefixed_bucket_client.go | 6 +++--- pkg/storage/bucket/s3/bucket_client.go | 6 +++--- pkg/storage/bucket/s3/bucket_client_test.go | 4 ++-- pkg/storage/bucket/sse_bucket_client.go | 12 ++++++------ pkg/storage/bucket/sse_bucket_client_test.go | 2 +- .../tsdb/bucketindex/markers_bucket_client.go | 6 +++--- pkg/storage/tsdb/bucketindex/storage.go | 4 ++-- pkg/storage/tsdb/bucketindex/updater.go | 4 ++-- pkg/storage/tsdb/testutil/objstore.go | 2 +- pkg/storegateway/bucket_stores.go | 6 +++--- vendor/github.com/thanos-io/objstore/CHANGELOG.md | 2 +- vendor/github.com/thanos-io/objstore/README.md | 3 ++- vendor/github.com/thanos-io/objstore/inmem.go | 4 ++-- vendor/github.com/thanos-io/objstore/objstore.go | 8 ++++---- .../github.com/thanos-io/objstore/prefixed_bucket.go | 6 +++--- .../thanos-io/objstore/providers/azure/azure.go | 9 ++++++--- .../objstore/providers/filesystem/filesystem.go | 4 ++-- .../thanos-io/objstore/providers/gcs/gcs.go | 9 +++++++-- .../github.com/thanos-io/objstore/providers/s3/s3.go | 10 +++------- .../thanos-io/objstore/providers/swift/swift.go | 6 +++--- vendor/github.com/thanos-io/objstore/testing.go | 4 ++-- .../objstore/tracing/opentracing/opentracing.go | 4 ++-- vendor/modules.txt | 2 +- 26 files changed, 69 insertions(+), 64 deletions(-) diff --git a/go.mod b/go.mod index 2c47290951..3d1c19c267 100644 --- a/go.mod +++ b/go.mod @@ -51,7 +51,7 @@ require ( github.com/sony/gobreaker v0.5.0 github.com/spf13/afero v1.9.5 github.com/stretchr/testify v1.8.4 - github.com/thanos-io/objstore v0.0.0-20230804084840-c042a6a16c58 + github.com/thanos-io/objstore v0.0.0-20230816175749-20395bffdf26 github.com/thanos-io/promql-engine v0.0.0-20230816062837-c64fc7b373db github.com/thanos-io/thanos v0.0.0-20230816172224-2b4f2a7061f9 github.com/uber/jaeger-client-go v2.30.0+incompatible 
diff --git a/go.sum b/go.sum index 98ddc1df01..c127af2365 100644 --- a/go.sum +++ b/go.sum @@ -1206,8 +1206,8 @@ github.com/subosito/gotenv v1.4.1/go.mod h1:ayKnFf/c6rvx/2iiLrJUk1e6plDbT3edrFNG github.com/tencentyun/cos-go-sdk-v5 v0.7.40 h1:W6vDGKCHe4wBACI1d2UgE6+50sJFhRWU4O8IB2ozzxM= github.com/thanos-community/galaxycache v0.0.0-20211122094458-3a32041a1f1e h1:f1Zsv7OAU9iQhZwigp50Yl38W10g/vd5NC8Rdk1Jzng= github.com/thanos-community/galaxycache v0.0.0-20211122094458-3a32041a1f1e/go.mod h1:jXcofnrSln/cLI6/dhlBxPQZEEQHVPCcFaH75M+nSzM= -github.com/thanos-io/objstore v0.0.0-20230804084840-c042a6a16c58 h1:4cDXsvm3mb1NvW1B1qJ9/fy6h+OOYit0h8oVA957hLM= -github.com/thanos-io/objstore v0.0.0-20230804084840-c042a6a16c58/go.mod h1:oJ82xgcBDzGJrEgUsjlTj6n01+ZWUMMUR8BlZzX5xDE= +github.com/thanos-io/objstore v0.0.0-20230816175749-20395bffdf26 h1:q1lin/af0lw+I3sS79ccHs2CLjFOPc190J9saeQ5qQ4= +github.com/thanos-io/objstore v0.0.0-20230816175749-20395bffdf26/go.mod h1:oJ82xgcBDzGJrEgUsjlTj6n01+ZWUMMUR8BlZzX5xDE= github.com/thanos-io/promql-engine v0.0.0-20230816062837-c64fc7b373db h1:05Tp4pfeTTJlRnwLtgvXCJvKYeZCRBoxwDFC+uYqGyM= github.com/thanos-io/promql-engine v0.0.0-20230816062837-c64fc7b373db/go.mod h1:eIgPaXWgOhNAv6CPPrgu09r0AtT7byBTZy+7WkX0D18= github.com/thanos-io/thanos v0.0.0-20230816172224-2b4f2a7061f9 h1:KuVECxBG1Q8WoYWlY8dk1wi3OtPSSxv+tWPV9S9qGFk= diff --git a/pkg/storage/bucket/client_mock.go b/pkg/storage/bucket/client_mock.go index 76e24af13f..55ab7f7dc1 100644 --- a/pkg/storage/bucket/client_mock.go +++ b/pkg/storage/bucket/client_mock.go @@ -178,8 +178,8 @@ func (m *ClientMock) IsObjNotFoundErr(err error) bool { return err == errObjectDoesNotExist } -// IsCustomerManagedKeyError mocks objstore.Bucket.IsCustomerManagedKeyError() -func (m *ClientMock) IsCustomerManagedKeyError(err error) bool { +// IsAccessDeniedErr mocks objstore.Bucket.IsAccessDeniedErr() +func (m *ClientMock) IsAccessDeniedErr(err error) bool { return err == errKeyPermissionDenied } 
diff --git a/pkg/storage/bucket/prefixed_bucket_client.go b/pkg/storage/bucket/prefixed_bucket_client.go index 6486751e12..5cce5d0159 100644 --- a/pkg/storage/bucket/prefixed_bucket_client.go +++ b/pkg/storage/bucket/prefixed_bucket_client.go @@ -73,9 +73,9 @@ func (b *PrefixedBucketClient) IsObjNotFoundErr(err error) bool { return b.bucket.IsObjNotFoundErr(err) } -// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked. -func (b *PrefixedBucketClient) IsCustomerManagedKeyError(err error) bool { - return b.bucket.IsCustomerManagedKeyError(err) +// IsAccessDeniedErr returns true if the permissions for key used to encrypt the object was revoked. +func (b *PrefixedBucketClient) IsAccessDeniedErr(err error) bool { + return b.bucket.IsAccessDeniedErr(err) } // Attributes returns attributes of the specified object. diff --git a/pkg/storage/bucket/s3/bucket_client.go b/pkg/storage/bucket/s3/bucket_client.go index d7a0d1d963..b252035579 100644 --- a/pkg/storage/bucket/s3/bucket_client.go +++ b/pkg/storage/bucket/s3/bucket_client.go @@ -126,7 +126,7 @@ func (b *BucketWithRetries) retry(ctx context.Context, f func() error, operation if lastErr == nil { return nil } - if b.bucket.IsObjNotFoundErr(lastErr) || b.bucket.IsCustomerManagedKeyError(lastErr) { + if b.bucket.IsObjNotFoundErr(lastErr) || b.bucket.IsAccessDeniedErr(lastErr) { return lastErr } retries.Wait() @@ -209,8 +209,8 @@ func (b *BucketWithRetries) IsObjNotFoundErr(err error) bool { return b.bucket.IsObjNotFoundErr(err) } -func (b *BucketWithRetries) IsCustomerManagedKeyError(err error) bool { - return b.bucket.IsCustomerManagedKeyError(err) +func (b *BucketWithRetries) IsAccessDeniedErr(err error) bool { + return b.bucket.IsAccessDeniedErr(err) } func (b *BucketWithRetries) Close() error { diff --git a/pkg/storage/bucket/s3/bucket_client_test.go b/pkg/storage/bucket/s3/bucket_client_test.go index 663fb4999c..2de42c8857 100644 
--- a/pkg/storage/bucket/s3/bucket_client_test.go +++ b/pkg/storage/bucket/s3/bucket_client_test.go @@ -226,8 +226,8 @@ func (m *mockBucket) IsObjNotFoundErr(err error) bool { return err == errNotFound } -// IsCustomerManagedKeyError mocks objstore.Bucket.IsCustomerManagedKeyError() -func (m *mockBucket) IsCustomerManagedKeyError(err error) bool { +// IsAccessDeniedErr mocks objstore.Bucket.IsAccessDeniedErr() +func (m *mockBucket) IsAccessDeniedErr(err error) bool { return err == errKeyDenied } diff --git a/pkg/storage/bucket/sse_bucket_client.go b/pkg/storage/bucket/sse_bucket_client.go index 613756a787..b88e25e39c 100644 --- a/pkg/storage/bucket/sse_bucket_client.go +++ b/pkg/storage/bucket/sse_bucket_client.go @@ -107,7 +107,7 @@ func (b *SSEBucketClient) Iter(ctx context.Context, dir string, f func(string) e func (b *SSEBucketClient) Get(ctx context.Context, name string) (io.ReadCloser, error) { r, err := b.bucket.Get(ctx, name) - if err != nil && b.IsCustomerManagedKeyError(err) { + if err != nil && b.IsAccessDeniedErr(err) { // Store gateway will return the status if the returned error is an `status.Error` return nil, cortex_errors.WithCause(err, status.Error(codes.PermissionDenied, err.Error())) } @@ -118,7 +118,7 @@ func (b *SSEBucketClient) Get(ctx context.Context, name string) (io.ReadCloser, // GetRange implements objstore.Bucket. func (b *SSEBucketClient) GetRange(ctx context.Context, name string, off, length int64) (io.ReadCloser, error) { r, err := b.bucket.GetRange(ctx, name, off, length) - if err != nil && b.IsCustomerManagedKeyError(err) { + if err != nil && b.IsAccessDeniedErr(err) { return nil, cortex_errors.WithCause(err, status.Error(codes.PermissionDenied, err.Error())) } 
@@ -135,13 +135,13 @@ func (b *SSEBucketClient) IsObjNotFoundErr(err error) bool { return b.bucket.IsObjNotFoundErr(err) } -// IsCustomerManagedKeyError implements objstore.Bucket. -func (b *SSEBucketClient) IsCustomerManagedKeyError(err error) bool { +// IsAccessDeniedErr implements objstore.Bucket. +func (b *SSEBucketClient) IsAccessDeniedErr(err error) bool { // unwrap error if se, ok := err.(interface{ Err() error }); ok { - return b.bucket.IsCustomerManagedKeyError(se.Err()) || b.bucket.IsCustomerManagedKeyError(err) + return b.bucket.IsAccessDeniedErr(se.Err()) || b.bucket.IsAccessDeniedErr(err) } - return b.bucket.IsCustomerManagedKeyError(err) + return b.bucket.IsAccessDeniedErr(err) } // Attributes implements objstore.Bucket. diff --git a/pkg/storage/bucket/sse_bucket_client_test.go b/pkg/storage/bucket/sse_bucket_client_test.go index 45431dce8a..91f5ba21e0 100644 --- a/pkg/storage/bucket/sse_bucket_client_test.go +++ b/pkg/storage/bucket/sse_bucket_client_test.go @@ -116,7 +116,7 @@ func Test_shouldWrapSSeErrors(t *testing.T) { sseBkt := NewSSEBucketClient("user-1", bkt, cfgProvider) _, err := sseBkt.Get(context.Background(), "Test") - require.True(t, sseBkt.IsCustomerManagedKeyError(err)) + require.True(t, sseBkt.IsAccessDeniedErr(err)) } type mockTenantConfigProvider struct { diff --git a/pkg/storage/tsdb/bucketindex/markers_bucket_client.go b/pkg/storage/tsdb/bucketindex/markers_bucket_client.go index da51eced84..ee71e49085 100644 --- a/pkg/storage/tsdb/bucketindex/markers_bucket_client.go +++ b/pkg/storage/tsdb/bucketindex/markers_bucket_client.go 
@@ -100,9 +100,9 @@ func (b *globalMarkersBucket) IsObjNotFoundErr(err error) bool { return b.parent.IsObjNotFoundErr(err) } -// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked. -func (b *globalMarkersBucket) IsCustomerManagedKeyError(err error) bool { - return b.parent.IsCustomerManagedKeyError(err) +// IsAccessDeniedErr returns true if the permissions for key used to encrypt the object was revoked. +func (b *globalMarkersBucket) IsAccessDeniedErr(err error) bool { + return b.parent.IsAccessDeniedErr(err) } // Attributes implements objstore.Bucket. diff --git a/pkg/storage/tsdb/bucketindex/storage.go b/pkg/storage/tsdb/bucketindex/storage.go index aeff2f8f63..25b3f8913a 100644 --- a/pkg/storage/tsdb/bucketindex/storage.go +++ b/pkg/storage/tsdb/bucketindex/storage.go @@ -71,13 +71,13 @@ func ReadIndex(ctx context.Context, bkt objstore.Bucket, userID string, cfgProvi userBkt := bucket.NewUserBucketClient(userID, bkt, cfgProvider) // Get the bucket index. - reader, err := userBkt.WithExpectedErrs(tsdb.IsOneOfTheExpectedErrors(userBkt.IsCustomerManagedKeyError, userBkt.IsObjNotFoundErr)).Get(ctx, IndexCompressedFilename) + reader, err := userBkt.WithExpectedErrs(tsdb.IsOneOfTheExpectedErrors(userBkt.IsAccessDeniedErr, userBkt.IsObjNotFoundErr)).Get(ctx, IndexCompressedFilename) if err != nil { if userBkt.IsObjNotFoundErr(err) { return nil, ErrIndexNotFound } - if userBkt.IsCustomerManagedKeyError(err) { + if userBkt.IsAccessDeniedErr(err) { return nil, cortex_errors.WithCause(bucket.ErrCustomerManagedKeyAccessDenied, err) } diff --git a/pkg/storage/tsdb/bucketindex/updater.go b/pkg/storage/tsdb/bucketindex/updater.go index f9eea9b899..cee3e6e3bf 100644 --- a/pkg/storage/tsdb/bucketindex/updater.go +++ b/pkg/storage/tsdb/bucketindex/updater.go 
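Review bot: After this rename, `userBkt.IsAccessDeniedErr(err)` in ReadIndex matches every access-denied response rather than only the revoked-KMS-key case it replaced (the vendored S3 provider now tests `Code == "AccessDenied"` alone, Azure tests `AuthorizationPermissionMismatch`/`InsufficientAccountPermissions`, Swift tests `swift.Forbidden`), yet the result is still wrapped as `bucket.ErrCustomerManagedKeyAccessDenied` and, through syncUsersBlocks, surfaced to the tenant as PermissionDenied. A store-gateway whose own IAM role or bucket policy is misconfigured would therefore likely be reported as a per-tenant customer-key problem instead of an operator-side failure; the same applies to `errBlockMetaKeyAccessDeniedErr` in the updater.go hunk. Consider renaming the sentinel to reflect the broader meaning, or at least commenting this line, e.g. `// IsAccessDeniedErr also matches operator-side IAM/policy denials, not only revoked customer keys; both reach the tenant as PermissionDenied.`, and logging the underlying error at sync time so operator misconfiguration stays visible. ReadIndex continues outside the hunk.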
@@ -137,11 +137,11 @@ func (w *Updater) updateBlockIndexEntry(ctx context.Context, id ulid.ULID) (*Blo metaFile := path.Join(id.String(), block.MetaFilename) // Get the block's meta.json file. - r, err := w.bkt.ReaderWithExpectedErrs(tsdb.IsOneOfTheExpectedErrors(w.bkt.IsObjNotFoundErr, w.bkt.IsCustomerManagedKeyError)).Get(ctx, metaFile) + r, err := w.bkt.ReaderWithExpectedErrs(tsdb.IsOneOfTheExpectedErrors(w.bkt.IsObjNotFoundErr, w.bkt.IsAccessDeniedErr)).Get(ctx, metaFile) if w.bkt.IsObjNotFoundErr(err) { return nil, ErrBlockMetaNotFound } - if w.bkt.IsCustomerManagedKeyError(err) { + if w.bkt.IsAccessDeniedErr(err) { return nil, errBlockMetaKeyAccessDeniedErr } if err != nil { diff --git a/pkg/storage/tsdb/testutil/objstore.go b/pkg/storage/tsdb/testutil/objstore.go index f224b7dec8..f9d5e67a72 100644 --- a/pkg/storage/tsdb/testutil/objstore.go +++ b/pkg/storage/tsdb/testutil/objstore.go @@ -109,6 +109,6 @@ func (m *MockBucketFailure) ReaderWithExpectedErrs(expectedFunc objstore.IsOpFai return m } -func (m *MockBucketFailure) IsCustomerManagedKeyError(err error) bool { +func (m *MockBucketFailure) IsAccessDeniedErr(err error) bool { return ErrKeyAccessDeniedError == err } diff --git a/pkg/storegateway/bucket_stores.go b/pkg/storegateway/bucket_stores.go index 7c8ee46abe..cc5cb5a527 100644 --- a/pkg/storegateway/bucket_stores.go +++ b/pkg/storegateway/bucket_stores.go @@ -301,7 +301,7 @@ func (u *BucketStores) Series(req *storepb.SeriesRequest, srv storepb.Store_Seri err := u.getStoreError(userID) userBkt := bucket.NewUserBucketClient(userID, u.bucket, u.limits) if err != nil { - if cortex_errors.ErrorIs(err, userBkt.IsCustomerManagedKeyError) { + if cortex_errors.ErrorIs(err, userBkt.IsAccessDeniedErr) { return httpgrpc.Errorf(int(codes.PermissionDenied), "store error: %s", err) } 
@@ -334,7 +334,7 @@ func (u *BucketStores) LabelNames(ctx context.Context, req *storepb.LabelNamesRe err := u.getStoreError(userID) userBkt := bucket.NewUserBucketClient(userID, u.bucket, u.limits) if err != nil { - if cortex_errors.ErrorIs(err, userBkt.IsCustomerManagedKeyError) { + if cortex_errors.ErrorIs(err, userBkt.IsAccessDeniedErr) { return nil, httpgrpc.Errorf(int(codes.PermissionDenied), "store error: %s", err) } @@ -364,7 +364,7 @@ func (u *BucketStores) LabelValues(ctx context.Context, req *storepb.LabelValues err := u.getStoreError(userID) userBkt := bucket.NewUserBucketClient(userID, u.bucket, u.limits) if err != nil { - if cortex_errors.ErrorIs(err, userBkt.IsCustomerManagedKeyError) { + if cortex_errors.ErrorIs(err, userBkt.IsAccessDeniedErr) { return nil, httpgrpc.Errorf(int(codes.PermissionDenied), "store error: %s", err) } diff --git a/vendor/github.com/thanos-io/objstore/CHANGELOG.md b/vendor/github.com/thanos-io/objstore/CHANGELOG.md index 84b2cccd27..23e92b8c16 100644 --- a/vendor/github.com/thanos-io/objstore/CHANGELOG.md +++ b/vendor/github.com/thanos-io/objstore/CHANGELOG.md @@ -35,5 +35,5 @@ We use *breaking :warning:* to mark changes that are not backward compatible (re - [#35](https://github.com/thanos-io/objstore/pull/35) Azure: Update Azure SDK and fix breaking changes. - [#65](https://github.com/thanos-io/objstore/pull/65) *: Upgrade minio-go version to `v7.0.61`. - [#70](https://github.com/thanos-io/objstore/pull/70) GCS: Update cloud.google.com/go/storage version to `v1.27.0`. - +- [#71](https://github.com/thanos-io/objstore/pull/71) Replace method `IsCustomerManagedKeyError` for a more generic `IsAccessDeniedErr` on the bucket interface. ### Removed diff --git a/vendor/github.com/thanos-io/objstore/README.md b/vendor/github.com/thanos-io/objstore/README.md index 11b773a48a..c9dbe34d55 100644 --- a/vendor/github.com/thanos-io/objstore/README.md +++ b/vendor/github.com/thanos-io/objstore/README.md 
@@ -88,7 +88,8 @@ type BucketReader interface { // IsObjNotFoundErr returns true if error means that object is not found. Relevant to Get operations. IsObjNotFoundErr(err error) bool - // IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked. + // IsAccessDeniedErr returns true if access to object is denied. + IsAccessDeniedErr(err error) bool ``` Those interfaces represent the object storage operations your code can use from `objstore` clients. diff --git a/vendor/github.com/thanos-io/objstore/inmem.go b/vendor/github.com/thanos-io/objstore/inmem.go index aee4aec6cf..3f6f35e94e 100644 --- a/vendor/github.com/thanos-io/objstore/inmem.go +++ b/vendor/github.com/thanos-io/objstore/inmem.go @@ -207,8 +207,8 @@ func (b *InMemBucket) IsObjNotFoundErr(err error) bool { return errors.Is(err, errNotFound) } -// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked. -func (b *InMemBucket) IsCustomerManagedKeyError(_ error) bool { +// IsAccessDeniedErr returns true if access to object is denied. +func (b *InMemBucket) IsAccessDeniedErr(err error) bool { return false } diff --git a/vendor/github.com/thanos-io/objstore/objstore.go b/vendor/github.com/thanos-io/objstore/objstore.go index 61e3dfb4ff..b9b56bf4fa 100644 --- a/vendor/github.com/thanos-io/objstore/objstore.go +++ b/vendor/github.com/thanos-io/objstore/objstore.go 
@@ -85,8 +85,8 @@ type BucketReader interface { // IsObjNotFoundErr returns true if error means that object is not found. Relevant to Get operations. IsObjNotFoundErr(err error) bool - // IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked. - IsCustomerManagedKeyError(err error) bool + // IsAccessDeniedErr returns true if acces to object is denied. + IsAccessDeniedErr(err error) bool // Attributes returns information about the specified object. Attributes(ctx context.Context, name string) (ObjectAttributes, error) @@ -624,8 +624,8 @@ func (b *metricBucket) IsObjNotFoundErr(err error) bool { return b.bkt.IsObjNotFoundErr(err) } -func (b *metricBucket) IsCustomerManagedKeyError(err error) bool { - return b.bkt.IsCustomerManagedKeyError(err) +func (b *metricBucket) IsAccessDeniedErr(err error) bool { + return b.bkt.IsAccessDeniedErr(err) } func (b *metricBucket) Close() error { diff --git a/vendor/github.com/thanos-io/objstore/prefixed_bucket.go b/vendor/github.com/thanos-io/objstore/prefixed_bucket.go index 4144801172..f2b7143468 100644 --- a/vendor/github.com/thanos-io/objstore/prefixed_bucket.go +++ b/vendor/github.com/thanos-io/objstore/prefixed_bucket.go @@ -74,9 +74,9 @@ func (p *PrefixedBucket) IsObjNotFoundErr(err error) bool { return p.bkt.IsObjNotFoundErr(err) } -// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked. -func (p *PrefixedBucket) IsCustomerManagedKeyError(err error) bool { - return p.bkt.IsCustomerManagedKeyError(err) +// IsAccessDeniedErr returns true if access to object is denied. +func (p *PrefixedBucket) IsAccessDeniedErr(err error) bool { + return p.bkt.IsAccessDeniedErr(err) } // Attributes returns information about the specified object. diff --git a/vendor/github.com/thanos-io/objstore/providers/azure/azure.go b/vendor/github.com/thanos-io/objstore/providers/azure/azure.go index a5f41ed176..376fb6290f 100644 
--- a/vendor/github.com/thanos-io/objstore/providers/azure/azure.go +++ b/vendor/github.com/thanos-io/objstore/providers/azure/azure.go @@ -235,9 +235,12 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool { return bloberror.HasCode(err, bloberror.BlobNotFound) || bloberror.HasCode(err, bloberror.InvalidURI) } -// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked. -func (b *Bucket) IsCustomerManagedKeyError(_ error) bool { - return false +// IsAccessDeniedErr returns true if access to object is denied. +func (b *Bucket) IsAccessDeniedErr(err error) bool { + if err == nil { + return false + } + return bloberror.HasCode(err, bloberror.AuthorizationPermissionMismatch) || bloberror.HasCode(err, bloberror.InsufficientAccountPermissions) } func (b *Bucket) getBlobReader(ctx context.Context, name string, httpRange blob.HTTPRange) (io.ReadCloser, error) { diff --git a/vendor/github.com/thanos-io/objstore/providers/filesystem/filesystem.go b/vendor/github.com/thanos-io/objstore/providers/filesystem/filesystem.go index 8ccd33b10f..21c7048505 100644 --- a/vendor/github.com/thanos-io/objstore/providers/filesystem/filesystem.go +++ b/vendor/github.com/thanos-io/objstore/providers/filesystem/filesystem.go @@ -258,8 +258,8 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool { return os.IsNotExist(errors.Cause(err)) } -// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked. -func (b *Bucket) IsCustomerManagedKeyError(_ error) bool { +// IsAccessDeniedErr returns true if access to object is denied. +func (b *Bucket) IsAccessDeniedErr(_ error) bool { return false } diff --git a/vendor/github.com/thanos-io/objstore/providers/gcs/gcs.go b/vendor/github.com/thanos-io/objstore/providers/gcs/gcs.go index 8b107c83d8..5ea45c7e97 100644 --- a/vendor/github.com/thanos-io/objstore/providers/gcs/gcs.go +++ b/vendor/github.com/thanos-io/objstore/providers/gcs/gcs.go 
@@ -19,6 +19,8 @@ import ( "golang.org/x/oauth2/google" "google.golang.org/api/iterator" "google.golang.org/api/option" + "google.golang.org/grpc/codes" + "google.golang.org/grpc/status" "gopkg.in/yaml.v2" "github.com/thanos-io/objstore" @@ -188,8 +190,11 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool { return errors.Is(err, storage.ErrObjectNotExist) } -// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked. -func (b *Bucket) IsCustomerManagedKeyError(_ error) bool { +// IsAccessDeniedErr returns true if access to object is denied. +func (b *Bucket) IsAccessDeniedErr(err error) bool { + if s, ok := status.FromError(err); ok && s.Code() == codes.PermissionDenied { + return true + } return false } diff --git a/vendor/github.com/thanos-io/objstore/providers/s3/s3.go b/vendor/github.com/thanos-io/objstore/providers/s3/s3.go index 337bd0d812..f92d397398 100644 --- a/vendor/github.com/thanos-io/objstore/providers/s3/s3.go +++ b/vendor/github.com/thanos-io/objstore/providers/s3/s3.go @@ -98,9 +98,6 @@ const ( // Storage class header. amzStorageClass = "X-Amz-Storage-Class" - - // amzKmsKeyAccessDeniedErrorMessage is the error message returned by s3 when the permissions to the KMS key is revoked. - amzKmsKeyAccessDeniedErrorMessage = "The ciphertext refers to a customer master key that does not exist, does not exist in this region, or you are not allowed to access." ) var DefaultConfig = Config{ 
@@ -541,10 +538,9 @@ func (b *Bucket) IsObjNotFoundErr(err error) bool { return minio.ToErrorResponse(errors.Cause(err)).Code == "NoSuchKey" } -// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked. -func (b *Bucket) IsCustomerManagedKeyError(err error) bool { - errResponse := minio.ToErrorResponse(errors.Cause(err)) - return errResponse.Code == "AccessDenied" && errResponse.Message == amzKmsKeyAccessDeniedErrorMessage +// IsAccessDeniedErr returns true if access to object is denied. +func (b *Bucket) IsAccessDeniedErr(err error) bool { + return minio.ToErrorResponse(errors.Cause(err)).Code == "AccessDenied" } func (b *Bucket) Close() error { return nil } diff --git a/vendor/github.com/thanos-io/objstore/providers/swift/swift.go b/vendor/github.com/thanos-io/objstore/providers/swift/swift.go index c24d03fd2d..9bfa3cf851 100644 --- a/vendor/github.com/thanos-io/objstore/providers/swift/swift.go +++ b/vendor/github.com/thanos-io/objstore/providers/swift/swift.go @@ -290,9 +290,9 @@ func (c *Container) IsObjNotFoundErr(err error) bool { return errors.Is(err, swift.ObjectNotFound) } -// IsCustomerManagedKeyError returns true if the permissions for key used to encrypt the object was revoked. -func (b *Container) IsCustomerManagedKeyError(_ error) bool { - return false +// IsAccessDeniedErr returns true if access to object is denied. +func (c *Container) IsAccessDeniedErr(err error) bool { + return errors.Is(err, swift.Forbidden) } // Upload writes the contents of the reader as an object into the container. diff --git a/vendor/github.com/thanos-io/objstore/testing.go b/vendor/github.com/thanos-io/objstore/testing.go index 4e41b27882..b8e3744cb8 100644 --- a/vendor/github.com/thanos-io/objstore/testing.go +++ b/vendor/github.com/thanos-io/objstore/testing.go 
@@ -309,6 +309,6 @@ func (d *delayingBucket) IsObjNotFoundErr(err error) bool { return d.bkt.IsObjNotFoundErr(err) } -func (d *delayingBucket) IsCustomerManagedKeyError(err error) bool { - return d.bkt.IsCustomerManagedKeyError(err) +func (d *delayingBucket) IsAccessDeniedErr(err error) bool { + return d.bkt.IsAccessDeniedErr(err) } diff --git a/vendor/github.com/thanos-io/objstore/tracing/opentracing/opentracing.go b/vendor/github.com/thanos-io/objstore/tracing/opentracing/opentracing.go index 8174afb142..8b99e304dd 100644 --- a/vendor/github.com/thanos-io/objstore/tracing/opentracing/opentracing.go +++ b/vendor/github.com/thanos-io/objstore/tracing/opentracing/opentracing.go @@ -124,8 +124,8 @@ func (t TracingBucket) IsObjNotFoundErr(err error) bool { return t.bkt.IsObjNotFoundErr(err) } -func (t TracingBucket) IsCustomerManagedKeyError(err error) bool { - return t.bkt.IsCustomerManagedKeyError(err) +func (t TracingBucket) IsAccessDeniedErr(err error) bool { + return t.bkt.IsAccessDeniedErr(err) } func (t TracingBucket) WithExpectedErrs(expectedFunc objstore.IsOpFailureExpectedFunc) objstore.Bucket { diff --git a/vendor/modules.txt b/vendor/modules.txt index ea29fb2bc5..932e091cf9 100644 --- a/vendor/modules.txt +++ b/vendor/modules.txt @@ -841,7 +841,7 @@ github.com/stretchr/objx github.com/stretchr/testify/assert github.com/stretchr/testify/mock github.com/stretchr/testify/require -# github.com/thanos-io/objstore v0.0.0-20230804084840-c042a6a16c58 +# github.com/thanos-io/objstore v0.0.0-20230816175749-20395bffdf26 ## explicit; go 1.18 github.com/thanos-io/objstore github.com/thanos-io/objstore/exthttp From 63403237d9b2c1f02afaee8f255d5bcc1b83112d Mon Sep 17 00:00:00 2001 From: Alan Protasio Date: Wed, 16 Aug 2023 12:30:47 -0700 Subject: [PATCH 3/3] Update comments Signed-off-by: Alan Protasio --- pkg/storage/bucket/prefixed_bucket_client.go | 2 +- pkg/storage/tsdb/bucketindex/markers_bucket_client.go | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) 
diff --git a/pkg/storage/bucket/prefixed_bucket_client.go b/pkg/storage/bucket/prefixed_bucket_client.go index 5cce5d0159..f6606e654d 100644 --- a/pkg/storage/bucket/prefixed_bucket_client.go +++ b/pkg/storage/bucket/prefixed_bucket_client.go @@ -73,7 +73,7 @@ func (b *PrefixedBucketClient) IsObjNotFoundErr(err error) bool { return b.bucket.IsObjNotFoundErr(err) } -// IsAccessDeniedErr returns true if the permissions for key used to encrypt the object was revoked. +// IsAccessDeniedErr returns true if access to object is denied. func (b *PrefixedBucketClient) IsAccessDeniedErr(err error) bool { return b.bucket.IsAccessDeniedErr(err) } diff --git a/pkg/storage/tsdb/bucketindex/markers_bucket_client.go b/pkg/storage/tsdb/bucketindex/markers_bucket_client.go index ee71e49085..4585d842ad 100644 --- a/pkg/storage/tsdb/bucketindex/markers_bucket_client.go +++ b/pkg/storage/tsdb/bucketindex/markers_bucket_client.go @@ -100,7 +100,7 @@ func (b *globalMarkersBucket) IsObjNotFoundErr(err error) bool { return b.parent.IsObjNotFoundErr(err) } -// IsAccessDeniedErr returns true if the permissions for key used to encrypt the object was revoked. +// IsAccessDeniedErr returns true if access to object is denied. func (b *globalMarkersBucket) IsAccessDeniedErr(err error) bool { return b.parent.IsAccessDeniedErr(err) }