Skip to content

feat(objectstore): enable objectstore auth if key is configured #5525

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
matt-codecov wants to merge 1 commit into
base: master
Choose a base branch
from
+230 −9
Open

feat(objectstore): enable objectstore auth if key is configured #5525

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
186 changes: 182 additions & 4 deletions Cargo.lock
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -351,6 +351,12 @@ dependencies = [
"windows-targets 0.52.6",
]

[[package]]
name = "base16ct"
version = "0.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "4c7f02d4ea65f2c1853089ffd8d2787bdbc63de2f0d29dedbcf8ccdfa0ccd4cf"

[[package]]
name = "base64"
version = "0.13.1"
Expand Down Expand Up @@ -947,6 +953,18 @@ version = "0.2.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "7a81dae078cea95a014a339291cec439d2f232ebe854a9d672b796c6afafa9b7"

[[package]]
name = "crypto-bigint"
version = "0.5.5"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "0dc92fb57ca44df6db8059111ab3af99a63d5d0f8375d9972e319a379c6bab76"
dependencies = [
"generic-array",
"rand_core 0.6.4",
"subtle",
"zeroize",
]

[[package]]
name = "crypto-common"
version = "0.1.6"
Expand Down Expand Up @@ -1184,6 +1202,20 @@ dependencies = [
"thiserror 1.0.69",
]

[[package]]
name = "ecdsa"
version = "0.16.9"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "ee27f32b5c5292967d2d4a9d7f1e0b0aed2c15daded5a60300e4abb9d8020bca"
dependencies = [
"der",
"digest",
"elliptic-curve",
"rfc6979",
"signature",
"spki",
]

[[package]]
name = "ed25519"
version = "2.2.3"
Expand Down Expand Up @@ -1227,6 +1259,27 @@ dependencies = [
"string_cache",
]

[[package]]
name = "elliptic-curve"
version = "0.13.8"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "b5e6043086bf7973472e0c7dff2142ea0b680d30e18d9cc40f267efbf222bd47"
dependencies = [
"base16ct",
"crypto-bigint",
"digest",
"ff",
"generic-array",
"group",
"hkdf",
"pem-rfc7468",
"pkcs8",
"rand_core 0.6.4",
"sec1",
"subtle",
"zeroize",
]

[[package]]
name = "encode_unicode"
version = "1.0.0"
Expand Down Expand Up @@ -1354,6 +1407,16 @@ version = "2.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "486f806e73c5707928240ddc295403b1b93c96a02038563881c4a2fd84b81ac4"

[[package]]
name = "ff"
version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c0b50bfb653653f9ca9095b427bed08ab8d75a137839d9ad64eb11810d5b6393"
dependencies = [
"rand_core 0.6.4",
"subtle",
]

[[package]]
name = "fiat-crypto"
version = "0.2.9"
Expand Down Expand Up @@ -1577,6 +1640,7 @@ checksum = "85649ca51fd72272d7821adaf274ad91c288277713d9c18820d8499a7ff69e9a"
dependencies = [
"typenum",
"version_check",
"zeroize",
]

[[package]]
Expand Down Expand Up @@ -1640,6 +1704,17 @@ dependencies = [
"scroll",
]

[[package]]
name = "group"
version = "0.13.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f0f9ef7462f7c099f518d754361858f86d8a07af53ba9af0fe635bbccb151a63"
dependencies = [
"ff",
"rand_core 0.6.4",
"subtle",
]

[[package]]
name = "h2"
version = "0.4.7"
Expand Down Expand Up @@ -2321,6 +2396,29 @@ dependencies = [
"uuid",
]

[[package]]
name = "jsonwebtoken"
version = "10.2.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c76e1c7d7df3e34443b3621b459b066a7b79644f059fc8b2db7070c825fd417e"
dependencies = [
"base64 0.22.1",
"ed25519-dalek",
"getrandom 0.2.15",
"hmac",
"js-sys",
"p256",
"p384",
"pem",
"rand 0.8.5",
"rsa",
"serde",
"serde_json",
"sha2",
"signature",
"simple_asn1",
]

[[package]]
name = "jwalk"
version = "0.8.1"
Expand Down Expand Up @@ -2977,14 +3075,15 @@ dependencies = [

[[package]]
name = "objectstore-client"
version = "0.0.14"
version = "0.0.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "260ccf94ed55dc83c0a5b470a4d9404d9f15e4b975d6c6e734e89296eef75b59"
checksum = "84e3b79fb455eaf034e809ebf57a4b1896d84c1eb457c3af319bf7fb3c4a32b8"
dependencies = [
"async-compression",
"bytes",
"futures-util",
"infer",
"jsonwebtoken",
"objectstore-types",
"reqwest",
"sentry-core",
Expand All @@ -2997,9 +3096,9 @@ dependencies = [

[[package]]
name = "objectstore-types"
version = "0.0.14"
version = "0.0.15"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "da8b79e6156554da409ff350f06dea1b5ea0b1f863ca753fe9222a74e917592b"
checksum = "a537dd2aad24fc95bd6dd90f986ef35d4261e02adb190807df4f6438136ad2ac"
dependencies = [
"http",
"humantime",
Expand Down Expand Up @@ -3140,6 +3239,30 @@ dependencies = [
"windows-sys 0.52.0",
]

[[package]]
name = "p256"
version = "0.13.2"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "c9863ad85fa8f4460f9c48cb909d38a0d689dba1f6f6988a5e3e0d31071bcd4b"
dependencies = [
"ecdsa",
"elliptic-curve",
"primeorder",
"sha2",
]

[[package]]
name = "p384"
version = "0.13.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "fe42f1670a52a47d448f14b6a5c61dd78fce51856e68edaa38f7ae3a46b8d6b6"
dependencies = [
"ecdsa",
"elliptic-curve",
"primeorder",
"sha2",
]

[[package]]
name = "papaya"
version = "0.2.3"
Expand Down Expand Up @@ -3191,6 +3314,16 @@ version = "0.2.1"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1e91099d4268b0e11973f036e885d652fb0b21fedcf69738c627f94db6a44f42"

[[package]]
name = "pem"
version = "3.0.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "1d30c53c26bc5b31a98cd02d20f25a7c8567146caf63ed593a9d87b2775291be"
dependencies = [
"base64 0.22.1",
"serde_core",
]

[[package]]
name = "pem-rfc7468"
version = "0.7.0"
Expand Down Expand Up @@ -3447,6 +3580,15 @@ dependencies = [
"syn",
]

[[package]]
name = "primeorder"
version = "0.13.6"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "353e1ca18966c16d9deb1c69278edbc5f194139612772bd9537af60ac231e1e6"
dependencies = [
"elliptic-curve",
]

[[package]]
name = "priority-queue"
version = "2.7.0"
Expand Down Expand Up @@ -4633,6 +4775,16 @@ dependencies = [
"quick-error",
]

[[package]]
name = "rfc6979"
version = "0.4.0"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "f8dd2a808d456c4a54e300a23e9f5a67e122c3024119acbfd73e3bf664491cb2"
dependencies = [
"hmac",
"subtle",
]

[[package]]
name = "ring"
version = "0.17.14"
Expand Down Expand Up @@ -4889,6 +5041,20 @@ dependencies = [
"serde_json",
]

[[package]]
name = "sec1"
version = "0.7.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "d3e97a565f76233a6003f9f5c54be1d9c5bdfa3eccfb189469f11ec4901c47dc"
dependencies = [
"base16ct",
"der",
"generic-array",
"pkcs8",
"subtle",
"zeroize",
]

[[package]]
name = "security-framework"
version = "2.11.1"
Expand Down Expand Up @@ -5307,6 +5473,18 @@ dependencies = [
"similar",
]

[[package]]
name = "simple_asn1"
version = "0.6.3"
source = "registry+https://github.com/rust-lang/crates.io-index"
checksum = "297f631f50729c8c99b84667867963997ec0b50f32b2a7dbcab828ef0541e8bb"
dependencies = [
"num-bigint",
"num-traits",
"thiserror 2.0.17",
"time",
]

[[package]]
name = "siphasher"
version = "0.3.11"
Expand Down
2 changes: 1 addition & 1 deletion Cargo.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -144,7 +144,7 @@ minidump = "0.26.0"
multer = "3.1.0"
num-traits = "0.2.19"
num_cpus = "1.17.0"
objectstore-client = "0.0.14"
objectstore-client = "0.0.15"
opentelemetry-semantic-conventions = { version = "0.31.0" }
opentelemetry-proto = { version = "0.30.0", default-features = false }
papaya = "0.2.3"
Expand Down
2 changes: 1 addition & 1 deletion pyproject.toml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -25,7 +25,7 @@ dev = [
"flask>=3.0.3",
"msgpack>=1.1.0",
"mypy>=1.10.0",
"objectstore-client==0.0.14",
"objectstore-client==0.0.15",
"opentelemetry-proto>=1.32.1",
"pre-commit>=4.2.0",
"pytest>=7.4.3",
Expand Down
25 changes: 24 additions & 1 deletion relay-config/src/config.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,4 +1,4 @@
use std::collections::{BTreeMap, HashMap};
use std::collections::{BTreeMap, HashMap, HashSet};
use std::error::Error;
use std::io::Write;
use std::net::{IpAddr, SocketAddr, ToSocketAddrs};
Expand Down Expand Up @@ -1268,6 +1268,25 @@ impl Default for OutcomeAggregatorConfig {
}
}

/// Configuration values for attachment upload auth.
#[derive(Serialize, Deserialize, Debug, Default)]
#[serde(default)]
pub struct UploadServiceAuthConfig {
/// JWT private key ID that Objectstore must use to load a corresponding public key.
pub kid: String,
Copy link
Member

@Dav1dde Dav1dde Jan 9, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is kid something objectstore uses a lot? If not for consistency I'd prefer key_id, key_file, key_{...}.

Copy link
Author

@matt-codecov matt-codecov Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

it's the name of the JWT header field. key_id is probably clearer in code, you're right


/// A file where the JWT private key content is located, in EdDSA PEM form.
Copy link
Member

@jjbayer jjbayer Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
/// A file where the JWT private key content is located, in EdDSA PEM form.
/// Path of the JWT private key file, in EdDSA PEM form.

pub key_file: String,
Copy link
Member

@jjbayer jjbayer Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
pub key_file: String,
pub key_file: PathBuf,


/// The number of seconds that an Objectstore JWT should be valid for.
pub expiry_seconds: Option<u64>,

/// The permissions a token signed by this client should have.
///
/// TODO: Expose `Permission` type in `objectstore_client`
pub permissions: Option<HashSet<String>>,
Copy link
Member

@jjbayer jjbayer Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is there a difference between None and the empty set here? I.e. None means all permissions, empty set means no permissions at all? If not, we could remove the option.

Copy link
Member

@jjbayer jjbayer Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Come to think of it, should the permissions of this client really be configurable? I assume that Relay would always need the same set of permissions to function correctly, so I would hard-code them instead of putting them in the config.

Copy link
Author

@matt-codecov matt-codecov Jan 12, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

None is taken to mean "we don't set it, use the client default" whereas empty set means "create tokens with no permissions"

you are right that relay will generally use a single set of permissions, and if that changes it might be something that is overridden when creating a session. either way i need to expose the Permission type for y'all to reference, but if y'all are fine with hardcoding i can remove this permission config

Copy link
Member

@jjbayer jjbayer Jan 14, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes I'm fine with removing the config.

Copy link
Member

@jjbayer jjbayer Jan 9, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: https://develop.sentry.dev/ingestion/relay/relay-best-practices/#data-structures

Suggested change
pub permissions: Option<HashSet<String>>,
pub permissions: Option<BTreeSet<String>>,

}

/// Configuration values for attachment uploads.
#[derive(Serialize, Deserialize, Debug)]
#[serde(default)]
Expand All @@ -1283,6 +1302,9 @@ pub struct UploadServiceConfig {

/// Maximum duration of an attachment upload in seconds. Uploads that take longer are discarded.
pub timeout: u64,

/// Configuration values for upload auth.
pub auth: Option<UploadServiceAuthConfig>,
}

impl Default for UploadServiceConfig {
Expand All @@ -1291,6 +1313,7 @@ impl Default for UploadServiceConfig {
objectstore_url: None,
max_concurrent_requests: 10,
timeout: 60,
auth: None,
}
}
}
Expand Down
Loading
Loading