s3: Respect SignatureV2 flag for all credential providers
Thanos currently only supports V2 signatures when the credentials are
statically specified in its configuration. This change supports
requesting signature V2 on other credential sources.

Signed-off-by: Christian Simon <simon@swine.de>
simonswine committed Nov 24, 2020
1 parent 47a25a4 commit b6a2568
Showing 2 changed files with 32 additions and 14 deletions.
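--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -21,7 +21,7 @@ We use _breaking :warning:_ to mark changes that are not backward compatible (re
 
 ### Changed
 
--
+- [#3496](https://github.com/thanos-io/thanos/pull/3496) s3: Respect SignatureV2 flag for all credential providers.
 
 ## [v0.17.0](https://github.com/thanos-io/thanos/releases/tag/v0.17.0) - 2020.11.18
 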
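--- a/pkg/objstore/s3/s3.go
+++ b/pkg/objstore/s3/s3.go
@@ -161,36 +161,54 @@ func NewBucket(logger log.Logger, conf []byte, component string) (*Bucket, error
 return NewBucketWithConfig(logger, config, component)
 }
 
+type overrideSignerType struct {
+credentials.Provider
+signerType credentials.SignatureType
+}
+
+func (s *overrideSignerType) Retrieve() (credentials.Value, error) {
+v, err := s.Provider.Retrieve()
+if err != nil {
+return v, err
+}
+if !v.SignerType.IsAnonymous() {
+v.SignerType = s.signerType
+}
+return v, nil
+}
+
 // NewBucketWithConfig returns a new Bucket using the provided s3 config values.
 func NewBucketWithConfig(logger log.Logger, config Config, component string) (*Bucket, error) {
 var chain []credentials.Provider
 
+// TODO(bwplotka): Don't do flags as they won't scale, use actual params like v2, v4 instead
+wrapCredentialsProvider := func(p credentials.Provider) credentials.Provider { return p }
+if config.SignatureV2 {
+wrapCredentialsProvider = func(p credentials.Provider) credentials.Provider {
+return &overrideSignerType{Provider: p, signerType: credentials.SignatureV2}
+}
+}
+
 if err := validate(config); err != nil {
 return nil, err
 }
 if config.AccessKey != "" {
-signature := credentials.SignatureV4
-// TODO(bwplotka): Don't do flags, use actual v2, v4 params.
-if config.SignatureV2 {
-signature = credentials.SignatureV2
-}
-
-chain = []credentials.Provider{&credentials.Static{
+chain = []credentials.Provider{wrapCredentialsProvider(&credentials.Static{
 Value: credentials.Value{
 AccessKeyID: config.AccessKey,
 SecretAccessKey: config.SecretKey,
-SignerType: signature,
+SignerType: credentials.SignatureV4,
 },
-}}
+})}
 } else {
 chain = []credentials.Provider{
-&credentials.EnvAWS{},
-&credentials.FileAWSCredentials{},
-&credentials.IAM{
+wrapCredentialsProvider(&credentials.EnvAWS{}),
+wrapCredentialsProvider(&credentials.FileAWSCredentials{}),
+wrapCredentialsProvider(&credentials.IAM{
 Client: &http.Client{
 Transport: http.DefaultTransport,
 },
-},
+}),
 }
 }
 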
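Review bot: `overrideSignerType.Retrieve` rewrites only `SignerType`, so with `SignatureV2` set the temporary credentials returned by `credentials.IAM` (and possibly `EnvAWS` / `FileAWSCredentials`) are now signed with V2, and nothing in this hunk shows that the V2 signing path also sends their `SessionToken`. If it does not, combining the flag with instance-role credentials would surface as rejected requests at runtime rather than as a configuration error. A unit test with a stub provider that returns a session token, asserting what `Retrieve` hands back, would pin the intended behaviour. The new type is also undocumented; a comment such as `// overrideSignerType wraps a Provider and replaces the SignerType of every non-anonymous value it retrieves, leaving anonymous values untouched.` would record the exemption. `NewBucketWithConfig` continues past the end of the hunk, so how `chain` is consumed is not visible here.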
