feat: add option to S3 backend for V2 signatures

Currently we don't expose any ability to select the signature version used for our S3 backend. Signed-off-by: Christian Simon <simon@swine.de>
grafana · Nov 23, 2020 · 5bb63c2 · 5bb63c2
1 parent 9b6edac
commit 5bb63c2
Show file tree

Hide file tree

Showing 2 changed files with 40 additions and 8 deletions.
diff --git a/tempodb/backend/s3/config.go b/tempodb/backend/s3/config.go
@@ -8,4 +8,6 @@ type Config struct {
 	SecretKey string `yaml:"secret_key"`
 	Insecure  bool   `yaml:"insecure"`
 	PartSize  uint64 `yaml:"part_size"`
+	// SignatureV2 configures the object storage to use V2 signing instead of V4
+	SignatureV2 bool `yaml:"signature_v2"`
 }
diff --git a/tempodb/backend/s3/s3.go b/tempodb/backend/s3/s3.go
@@ -32,24 +32,54 @@ type readerWriter struct {
 	core   *minio.Core
 }
 
+type overrideSignatureVersion struct {
+	useV2    bool
+	upstream credentials.Provider
+}
+
+func (s *overrideSignatureVersion) Retrieve() (credentials.Value, error) {
+	v, err := s.upstream.Retrieve()
+	if err != nil {
+		return v, err
+	}
+
+	if s.useV2 && !v.SignerType.IsAnonymous() {
+		v.SignerType = credentials.SignatureV2
+	}
+
+	return v, nil
+}
+
+func (s *overrideSignatureVersion) IsExpired() bool {
+	return s.upstream.IsExpired()
+}
+
 func New(cfg *Config) (backend.Reader, backend.Writer, backend.Compactor, error) {
 	l := log_util.Logger
+
+	wrapCredentialsProvider := func(p credentials.Provider) credentials.Provider {
+		if cfg.SignatureV2 {
+			return &overrideSignatureVersion{useV2: cfg.SignatureV2, upstream: p}
+		}
+		return p
+	}
+
 	creds := credentials.NewChainCredentials([]credentials.Provider{
-		&credentials.EnvAWS{},
-		&credentials.Static{
+		wrapCredentialsProvider(&credentials.EnvAWS{}),
+		wrapCredentialsProvider(&credentials.Static{
 			Value: credentials.Value{
 				AccessKeyID:     cfg.AccessKey,
 				SecretAccessKey: cfg.SecretKey,
 			},
-		},
-		&credentials.EnvMinio{},
-		&credentials.FileAWSCredentials{},
-		&credentials.FileMinioClient{},
-		&credentials.IAM{
+		}),
+		wrapCredentialsProvider(&credentials.EnvMinio{}),
+		wrapCredentialsProvider(&credentials.FileAWSCredentials{}),
+		wrapCredentialsProvider(&credentials.FileMinioClient{}),
+		wrapCredentialsProvider(&credentials.IAM{
 			Client: &http.Client{
 				Transport: http.DefaultTransport,
 			},
-		},
+		}),
 	})
 	opts := &minio.Options{
 		Secure: !cfg.Insecure,