[#498 ] Update frostfs-observability version

The new version of frostfs-observability has improved the detail of tracing low-level rpc calls by adding send and receive events. Signed-off-by: Roman Loginov <r.loginov@yadro.com>
[#498 ] middleware: Add spans to detail the trace
2025-02-21 11:25:11 +03:00 · 2025-02-21 11:25:08 +03:00 · 2025-02-18 18:28:23 +03:00 · 2025-02-18 18:14:22 +03:00 · 2025-02-18 18:14:22 +03:00 · 2025-02-18 18:14:11 +03:00
47 changed files with 1064 additions and 351 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@ -4,6 +4,39 @@ This document outlines major changes between releases.

 ## [Unreleased]

+## [0.32.10] - 2025-02-14
+
+### Fixed
+- Chunk streaming empty body (#642)
+
+## [0.32.9] - 2025-02-12
+
+### Fixed
+- Make `Content-Md5` header check optional (#612)
+
+## [0.32.8] - 2025-02-11
+
+### Fixed
+- Return 404 instead of 500 when object is missing in object storage and available in the tree (#626)
+
+### Added
+- `tree_stream_timeout` configuration parameter (#627)
+
+## [0.32.7] - 2025-02-06
+
+### Fixed
+- Correct passing copies number during multipart upload (#623)
+
+## [0.32.6] - 2025-02-05
+
+### Fixed
+- Connection leak when `feature.tree_pool_netmap_support` is enabled (#622)
+
+## [0.32.5] - 2025-02-04
+
+### Fixed
+- Support trailing headers signature during aws-chunk upload (#607)
+
 ## [0.32.4] - 2025-02-03

 ### Fixed
@ -419,4 +452,10 @@ To see CHANGELOG for older versions, refer to https://github.com/nspcc-dev/neofs
 [0.32.2]: https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/compare/v0.32.1...v0.32.2
 [0.32.3]: https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/compare/v0.32.2...v0.32.3
 [0.32.4]: https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/compare/v0.32.3...v0.32.4
-[Unreleased]: https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/compare/v0.32.4...master
+[0.32.5]: https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/compare/v0.32.4...v0.32.5
+[0.32.6]: https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/compare/v0.32.5...v0.32.6
+[0.32.7]: https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/compare/v0.32.6...v0.32.7
+[0.32.8]: https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/compare/v0.32.7...v0.32.8
+[0.32.9]: https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/compare/v0.32.8...v0.32.9
+[0.32.10]: https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/compare/v0.32.9...v0.32.10
+[Unreleased]: https://git.frostfs.info/TrueCloudLab/frostfs-s3-gw/compare/v0.32.10...master
--- a/2
+++ b/2
@ -1 +1 @@
-v0.32.4
+v0.32.10
--- a/api/auth/center.go
+++ b/api/auth/center.go
@ -33,8 +33,8 @@ var (
 	// AuthorizationFieldRegexp -- is regexp for credentials with Base58 encoded cid and oid and '0' (zero) as delimiter.
 	AuthorizationFieldRegexp = regexp.MustCompile(`AWS4-HMAC-SHA256 Credential=(?P<access_key_id>[^/]+)/(?P<date>[^/]+)/(?P<region>[^/]*)/(?P<service>[^/]+)/aws4_request,\s*SignedHeaders=(?P<signed_header_fields>.+),\s*Signature=(?P<v4_signature>.+)`)

-	// authorizationFieldV4aRegexp -- is regexp for credentials with Base58 encoded cid and oid and '0' (zero) as delimiter.
-	authorizationFieldV4aRegexp = regexp.MustCompile(`AWS4-ECDSA-P256-SHA256 Credential=(?P<access_key_id>[^/]+)/(?P<date>[^/]+)/(?P<service>[^/]+)/aws4_request,\s*SignedHeaders=(?P<signed_header_fields>.+),\s*Signature=(?P<v4_signature>.+)`)
+	// AuthorizationFieldV4aRegexp -- is regexp for credentials with Base58 encoded cid and oid and '0' (zero) as delimiter.
+	AuthorizationFieldV4aRegexp = regexp.MustCompile(`AWS4-ECDSA-P256-SHA256 Credential=(?P<access_key_id>[^/]+)/(?P<date>[^/]+)/(?P<service>[^/]+)/aws4_request,\s*SignedHeaders=(?P<signed_header_fields>.+),\s*Signature=(?P<v4_signature>.+)`)

 	// postPolicyCredentialRegexp -- is regexp for credentials when uploading file using POST with policy.
 	postPolicyCredentialRegexp = regexp.MustCompile(`(?P<access_key_id>[^/]+)/(?P<date>[^/]+)/(?P<region>[^/]*)/(?P<service>[^/]+)/aws4_request`)
@ -107,7 +107,7 @@ func New(creds tokens.Credentials, prefixes []string, settings CenterSettings) *
 	return &Center{
 		cli:                        creds,
 		reg:                        NewRegexpMatcher(AuthorizationFieldRegexp),
-		regV4a:                     NewRegexpMatcher(authorizationFieldV4aRegexp),
+		regV4a:                     NewRegexpMatcher(AuthorizationFieldV4aRegexp),
 		postReg:                    NewRegexpMatcher(postPolicyCredentialRegexp),
 		allowedAccessKeyIDPrefixes: prefixes,
 		settings:                   settings,
@ -115,8 +115,8 @@ func New(creds tokens.Credentials, prefixes []string, settings CenterSettings) *
 }

 const (
-	signaturePreambleSigV4  = "AWS4-HMAC-SHA256"
-	signaturePreambleSigV4A = "AWS4-ECDSA-P256-SHA256"
+	SignaturePreambleSigV4  = "AWS4-HMAC-SHA256"
+	SignaturePreambleSigV4A = "AWS4-ECDSA-P256-SHA256"
 )

 func (c *Center) parseAuthHeader(authHeader string, headers http.Header) (*AuthHeader, error) {
@ -128,13 +128,13 @@ func (c *Center) parseAuthHeader(authHeader string, headers http.Header) (*AuthH
 	)

 	switch preamble {
-	case signaturePreambleSigV4:
+	case SignaturePreambleSigV4:
 		submatches = c.reg.GetSubmatches(authHeader)
 		if len(submatches) != authHeaderPartsNum {
 			return nil, fmt.Errorf("%w: %s", apierr.GetAPIError(apierr.ErrAuthorizationHeaderMalformed), authHeader)
 		}
 		region = submatches["region"]
-	case signaturePreambleSigV4A:
+	case SignaturePreambleSigV4A:
 		submatches = c.regV4a.GetSubmatches(authHeader)
 		if len(submatches) != authHeaderV4aPartsNum {
 			return nil, fmt.Errorf("%w: %s", apierr.GetAPIError(apierr.ErrAuthorizationHeaderMalformed), authHeader)
@ -161,7 +161,7 @@ func IsStandardContentSHA256(key string) bool {
 	return ok
 }

-func (c *Center) Authenticate(r *http.Request) (*middleware.Box, error) {
+func (c *Center) Authenticate(ctx context.Context, r *http.Request) (*middleware.Box, error) {
 	var (
 		err                  error
 		authHdr              *AuthHeader
@ -170,7 +170,7 @@ func (c *Center) Authenticate(r *http.Request) (*middleware.Box, error) {
 	)

 	queryValues := r.URL.Query()
-	if queryValues.Get(AmzAlgorithm) == signaturePreambleSigV4 {
+	if queryValues.Get(AmzAlgorithm) == SignaturePreambleSigV4 {
 		creds := strings.Split(queryValues.Get(AmzCredential), "/")
 		if len(creds) != 5 || creds[4] != "aws4_request" {
 			return nil, fmt.Errorf("bad X-Amz-Credential")
@ -183,7 +183,7 @@ func (c *Center) Authenticate(r *http.Request) (*middleware.Box, error) {
 			SignedFields: strings.Split(queryValues.Get(AmzSignedHeaders), ";"),
 			Date:         creds[1],
 			IsPresigned:  true,
-			Preamble:     signaturePreambleSigV4,
+			Preamble:     SignaturePreambleSigV4,
 			PayloadHash:  r.Header.Get(AmzContentSHA256),
 		}
 		authHdr.Expiration, err = time.ParseDuration(queryValues.Get(AmzExpires) + "s")
@ -191,7 +191,7 @@ func (c *Center) Authenticate(r *http.Request) (*middleware.Box, error) {
 			return nil, fmt.Errorf("%w: couldn't parse X-Amz-Expires %v", apierr.GetAPIError(apierr.ErrMalformedExpires), err)
 		}
 		signatureDateTimeStr = queryValues.Get(AmzDate)
-	} else if queryValues.Get(AmzAlgorithm) == signaturePreambleSigV4A {
+	} else if queryValues.Get(AmzAlgorithm) == SignaturePreambleSigV4A {
 		creds := strings.Split(queryValues.Get(AmzCredential), "/")
 		if len(creds) != 4 || creds[3] != "aws4_request" {
 			return nil, fmt.Errorf("bad X-Amz-Credential")
@ -204,7 +204,7 @@ func (c *Center) Authenticate(r *http.Request) (*middleware.Box, error) {
 			SignedFields: strings.Split(queryValues.Get(AmzSignedHeaders), ";"),
 			Date:         creds[1],
 			IsPresigned:  true,
-			Preamble:     signaturePreambleSigV4A,
+			Preamble:     SignaturePreambleSigV4A,
 			PayloadHash:  r.Header.Get(AmzContentSHA256),
 		}
 		authHdr.Expiration, err = time.ParseDuration(queryValues.Get(AmzExpires) + "s")
@ -216,7 +216,7 @@ func (c *Center) Authenticate(r *http.Request) (*middleware.Box, error) {
 		authHeaderField := r.Header[AuthorizationHdr]
 		if len(authHeaderField) != 1 {
 			if strings.HasPrefix(r.Header.Get(ContentTypeHdr), "multipart/form-data") {
-				return c.checkFormData(r)
+				return c.checkFormData(ctx, r)
 			}
 			return nil, fmt.Errorf("%w: %v", middleware.ErrNoAuthorizationHeader, authHeaderField)
 		}
@ -242,7 +242,7 @@ func (c *Center) Authenticate(r *http.Request) (*middleware.Box, error) {
 		return nil, err
 	}

-	box, attrs, err := c.cli.GetBox(r.Context(), cnrID, authHdr.AccessKeyID)
+	box, attrs, err := c.cli.GetBox(ctx, cnrID, authHdr.AccessKeyID)
 	if err != nil {
 		return nil, fmt.Errorf("get box by access key '%s': %w", authHdr.AccessKeyID, err)
 	}
@ -315,7 +315,7 @@ func (c Center) checkAccessKeyID(accessKeyID string) error {
 	return fmt.Errorf("%w: accesskeyID prefix isn't allowed", apierr.GetAPIError(apierr.ErrAccessDenied))
 }

-func (c *Center) checkFormData(r *http.Request) (*middleware.Box, error) {
+func (c *Center) checkFormData(ctx context.Context, r *http.Request) (*middleware.Box, error) {
 	if err := r.ParseMultipartForm(maxFormSizeMemory); err != nil {
 		return nil, fmt.Errorf("%w: parse multipart form with max size %d", apierr.GetAPIError(apierr.ErrInvalidArgument), maxFormSizeMemory)
 	}
@ -347,7 +347,7 @@ func (c *Center) checkFormData(r *http.Request) (*middleware.Box, error) {
 		return nil, err
 	}

-	box, attrs, err := c.cli.GetBox(r.Context(), cnrID, accessKeyID)
+	box, attrs, err := c.cli.GetBox(ctx, cnrID, accessKeyID)
 	if err != nil {
 		return nil, fmt.Errorf("get box by accessKeyID '%s': %w", accessKeyID, err)
 	}
@ -402,7 +402,7 @@ func (c *Center) checkSign(ctx context.Context, authHeader *AuthHeader, box *acc
 	}

 	switch authHeader.Preamble {
-	case signaturePreambleSigV4:
+	case SignaturePreambleSigV4:
 		creds := aws.Credentials{
 			AccessKeyID:     authHeader.AccessKeyID,
 			SecretAccessKey: box.Gate.SecretKey,
@ -437,7 +437,7 @@ func (c *Center) checkSign(ctx context.Context, authHeader *AuthHeader, box *acc
 				authHeader.Signature, signature, authHeader.SignedFields)
 		}

-	case signaturePreambleSigV4A:
+	case SignaturePreambleSigV4A:
 		signer := v4a.NewSigner(func(options *v4a.SignerOptions) {
 			options.DisableURIPathEscaping = true
 		})
--- a/api/auth/center_test.go
+++ b/api/auth/center_test.go
@ -69,7 +69,7 @@ func TestAuthHeaderParse(t *testing.T) {
 				Signature:    "2811ccb9e242f41426738fb1f",
 				SignedFields: []string{"host", "x-amz-content-sha256", "x-amz-date"},
 				Date:         "20210809",
-				Preamble:     signaturePreambleSigV4,
+				Preamble:     SignaturePreambleSigV4,
 			},
 		},
 		{
@ -567,7 +567,7 @@ func TestAuthenticate(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			creds := tokens.New(bigConfig)
 			cntr := New(creds, tc.prefixes, &centerSettingsMock{})
-			box, err := cntr.Authenticate(tc.request)
+			box, err := cntr.Authenticate(ctx, tc.request)

 			if tc.err {
 				require.Error(t, err)
@ -600,6 +600,7 @@ func TestHTTPPostAuthenticate(t *testing.T) {
 		region           = "default"
 	)

+	ctx := context.Background()
 	key, err := keys.NewPrivateKey()
 	require.NoError(t, err)

@ -751,7 +752,7 @@ func TestHTTPPostAuthenticate(t *testing.T) {
 		t.Run(tc.name, func(t *testing.T) {
 			creds := tokens.New(bigConfig)
 			cntr := New(creds, tc.prefixes, &centerSettingsMock{})
-			box, err := cntr.Authenticate(tc.request)
+			box, err := cntr.Authenticate(ctx, tc.request)

 			if tc.err {
 				require.Error(t, err)
--- a/api/auth/presign_test.go
+++ b/api/auth/presign_test.go
@ -99,12 +99,14 @@ func TestCheckSign(t *testing.T) {
 		postReg:  NewRegexpMatcher(postPolicyCredentialRegexp),
 		settings: &centerSettingsMock{},
 	}
-	box, err := c.Authenticate(req)
+	box, err := c.Authenticate(ctx, req)
 	require.NoError(t, err)
 	require.EqualValues(t, expBox, box.AccessBox)
 }

 func TestCheckSignV4a(t *testing.T) {
+	ctx := context.Background()
+
 	var accessKeyAddr oid.Address
 	err := accessKeyAddr.DecodeString("8N7CYBY74kxZXoyvA5UNdmovaXqFpwNfvEPsqaN81es2/3tDwq5tR8fByrJcyJwyiuYX7Dae8tyDT7pd8oaL1MBto")
 	require.NoError(t, err)
@ -145,10 +147,10 @@ func TestCheckSignV4a(t *testing.T) {

 	c := &Center{
 		cli:     mock,
-		regV4a:  NewRegexpMatcher(authorizationFieldV4aRegexp),
+		regV4a:  NewRegexpMatcher(AuthorizationFieldV4aRegexp),
 		postReg: NewRegexpMatcher(postPolicyCredentialRegexp),
 	}
-	box, err := c.Authenticate(req)
+	box, err := c.Authenticate(ctx, req)
 	require.NoError(t, err)
 	require.EqualValues(t, expBox, box.AccessBox)
 }
--- a/api/errors/errors.go
+++ b/api/errors/errors.go
@ -60,7 +60,6 @@ const (
 	ErrMalformedACL
 	ErrMalformedXML
 	ErrMissingContentLength
-	ErrMissingContentMD5
 	ErrMissingRequestBodyError
 	ErrMissingSecurityHeader
 	ErrNoSuchBucket
@ -478,12 +477,6 @@ var errorCodes = errorCodeMap{
 		Description:    "You must provide the Content-Length HTTP header.",
 		HTTPStatusCode: http.StatusLengthRequired,
 	},
-	ErrMissingContentMD5: {
-		ErrCode:        ErrMissingContentMD5,
-		Code:           "MissingContentMD5",
-		Description:    "Missing required header for this request: Content-Md5.",
-		HTTPStatusCode: http.StatusBadRequest,
-	},
 	ErrMissingSecurityHeader: {
 		ErrCode:        ErrMissingSecurityHeader,
 		Code:           "MissingSecurityHeader",
--- a/api/handler/acl.go
+++ b/api/handler/acl.go
@ -11,6 +11,7 @@ import (
 	"net/http"
 	"strings"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
@ -47,7 +48,9 @@ const (
 )

 func (h *handler) GetBucketACLHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetBucketACL")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -127,7 +130,9 @@ func getTokenIssuerKey(box *accessbox.Box) (*keys.PublicKey, error) {
 }

 func (h *handler) PutBucketACLHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PutBucketACL")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -194,7 +199,9 @@ func (h *handler) putBucketACLAPEHandler(w http.ResponseWriter, r *http.Request,
 }

 func (h *handler) GetObjectACLHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetObjectACL")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -216,7 +223,9 @@ func (h *handler) GetObjectACLHandler(w http.ResponseWriter, r *http.Request) {
 }

 func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PutObjectACL")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	if _, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName); err != nil {
@ -228,7 +237,9 @@ func (h *handler) PutObjectACLHandler(w http.ResponseWriter, r *http.Request) {
 }

 func (h *handler) GetBucketPolicyStatusHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetBucketPolicyStatus")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -271,7 +282,9 @@ func (h *handler) GetBucketPolicyStatusHandler(w http.ResponseWriter, r *http.Re
 }

 func (h *handler) GetBucketPolicyHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetBucketPolicy")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -298,7 +311,9 @@ func (h *handler) GetBucketPolicyHandler(w http.ResponseWriter, r *http.Request)
 }

 func (h *handler) DeleteBucketPolicyHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.DeleteBucketPolicy")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -328,7 +343,9 @@ func checkOwner(info *data.BucketInfo, owner string) error {
 }

 func (h *handler) PutBucketPolicyHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PutBucketPolicy")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
--- a/api/handler/attributes.go
+++ b/api/handler/attributes.go
@ -8,6 +8,7 @@ import (
 	"strconv"
 	"strings"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
@ -70,7 +71,9 @@ var validAttributes = map[string]struct{}{
 }

 func (h *handler) GetObjectAttributesHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetObjectAttributes")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	params, err := parseGetObjectAttributeArgs(r, h.reqLogger(ctx))
--- a/api/handler/bucket_list.go
+++ b/api/handler/bucket_list.go
@ -5,6 +5,7 @@ import (
 	"strconv"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
@ -14,7 +15,9 @@ const maxBucketList = 10000

 // ListBucketsHandler handles bucket listing requests.
 func (h *handler) ListBucketsHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.ListBuckets")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	params, err := parseListBucketParams(r)
--- a/api/handler/copy.go
+++ b/api/handler/copy.go
@ -6,6 +6,7 @@ import (
 	"regexp"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
@ -40,18 +41,19 @@ func path2BucketObject(path string) (string, string, error) {
 }

 func (h *handler) CopyObjectHandler(w http.ResponseWriter, r *http.Request) {
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.CopyObject")
+	defer span.End()
+
 	var (
 		err       error
 		versionID string
 		metadata  map[string]string
 		tagSet    map[string]string
-
-		ctx     = r.Context()
-		reqInfo = middleware.GetReqInfo(ctx)
-
-		cannedACLStatus = aclHeadersStatus(r)
 	)

+	reqInfo := middleware.GetReqInfo(ctx)
+	cannedACLStatus := aclHeadersStatus(r)
+
 	src := r.Header.Get(api.AmzCopySource)
 	// Check https://docs.aws.amazon.com/AmazonS3/latest/dev/ObjectVersioning.html
 	// Regardless of whether you have enabled versioning, each object in your bucket
--- a/api/handler/cors.go
+++ b/api/handler/cors.go
@ -5,6 +5,7 @@ import (
 	"strconv"
 	"strings"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
@ -20,7 +21,9 @@ const (
 )

 func (h *handler) GetBucketCorsHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetBucketCors")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -42,7 +45,9 @@ func (h *handler) GetBucketCorsHandler(w http.ResponseWriter, r *http.Request) {
 }

 func (h *handler) PutBucketCorsHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PutBucketCors")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -76,7 +81,9 @@ func (h *handler) PutBucketCorsHandler(w http.ResponseWriter, r *http.Request) {
 }

 func (h *handler) DeleteBucketCorsHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.DeleteBucketCors")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -93,6 +100,9 @@ func (h *handler) DeleteBucketCorsHandler(w http.ResponseWriter, r *http.Request
 }

 func (h *handler) AppendCORSHeaders(w http.ResponseWriter, r *http.Request) {
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.AppendCORSHeaders")
+	defer span.End()
+
 	if r.Method == http.MethodOptions {
 		return
 	}
@ -101,7 +111,6 @@ func (h *handler) AppendCORSHeaders(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	ctx := r.Context()
 	reqInfo := middleware.GetReqInfo(ctx)
 	if reqInfo.BucketName == "" {
 		return
@ -153,7 +162,9 @@ func (h *handler) AppendCORSHeaders(w http.ResponseWriter, r *http.Request) {
 }

 func (h *handler) Preflight(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.Preflight")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)
 	bktInfo, err := h.getBucketInfo(ctx, reqInfo.BucketName)
 	if err != nil {
--- a/api/handler/delete.go
+++ b/api/handler/delete.go
@ -7,6 +7,7 @@ import (
 	"strconv"
 	"strings"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
@ -61,7 +62,9 @@ type DeleteObjectsResponse struct {
 }

 func (h *handler) DeleteObjectHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.DeleteObject")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)
 	versionID := reqInfo.URL.Query().Get(api.QueryVersionID)
 	versionedObject := []*layer.VersionedObject{{
@ -128,15 +131,10 @@ func isErrObjectLocked(err error) bool {

 // DeleteMultipleObjectsHandler handles multiple delete requests.
 func (h *handler) DeleteMultipleObjectsHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
-	reqInfo := middleware.GetReqInfo(ctx)
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.DeleteMultipleObjects")
+	defer span.End()

-	// Content-Md5 is required and should be set
-	// http://docs.aws.amazon.com/AmazonS3/latest/API/multiobjectdeleteapi.html
-	if _, ok := r.Header[api.ContentMD5]; !ok {
-		h.logAndSendError(ctx, w, "missing Content-MD5", reqInfo, errors.GetAPIError(errors.ErrMissingContentMD5))
-		return
-	}
+	reqInfo := middleware.GetReqInfo(ctx)

 	// Content-Length is required and should be non-zero
 	// http://docs.aws.amazon.com/AmazonS3/latest/API/multiobjectdeleteapi.html
@ -237,7 +235,9 @@ func (h *handler) DeleteMultipleObjectsHandler(w http.ResponseWriter, r *http.Re
 }

 func (h *handler) DeleteBucketHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.DeleteBucket")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)
 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
 	if err != nil {
--- a/api/handler/delete_test.go
+++ b/api/handler/delete_test.go
@ -542,7 +542,6 @@ func deleteObjectsBase(hc *handlerContext, bktName string, objVersions [][2]stri
 	}

 	w, r := prepareTestRequest(hc, bktName, "", req)
-	r.Header.Set(api.ContentMD5, "")
 	hc.Handler().DeleteMultipleObjectsHandler(w, r)
 	assertStatus(hc.t, w, http.StatusOK)

--- a/api/handler/get.go
+++ b/api/handler/get.go
@ -8,6 +8,7 @@ import (
 	"strings"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
@ -148,12 +149,11 @@ func writeHeaders(h http.Header, requestHeader http.Header, extendedInfo *data.E
 }

 func (h *handler) GetObjectHandler(w http.ResponseWriter, r *http.Request) {
-	var (
-		params *layer.RangeParams
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetObject")
+	defer span.End()

-		ctx     = r.Context()
-		reqInfo = middleware.GetReqInfo(ctx)
-	)
+	var params *layer.RangeParams
+	reqInfo := middleware.GetReqInfo(ctx)

 	conditional := parseConditionalHeaders(r.Header, h.reqLogger(ctx))

--- a/api/handler/head.go
+++ b/api/handler/head.go
@ -4,6 +4,7 @@ import (
 	"io"
 	"net/http"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
@ -27,7 +28,9 @@ func getRangeToDetectContentType(maxSize uint64) *layer.RangeParams {
 }

 func (h *handler) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.HeadObject")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -123,7 +126,9 @@ func (h *handler) HeadObjectHandler(w http.ResponseWriter, r *http.Request) {
 }

 func (h *handler) HeadBucketHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.HeadBucket")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
--- a/api/handler/info.go
+++ b/api/handler/info.go
@ -3,11 +3,14 @@ package handler
 import (
 	"net/http"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/middleware"
 )

 func (h *handler) GetBucketLocationHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetBucketLocation")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
--- a/api/handler/lifecycle.go
+++ b/api/handler/lifecycle.go
@ -10,6 +10,7 @@ import (
 	"net/http"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
@ -27,7 +28,9 @@ const (
 )

 func (h *handler) GetBucketLifecycleHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetBucketLifecycle")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -49,40 +52,37 @@ func (h *handler) GetBucketLifecycleHandler(w http.ResponseWriter, r *http.Reque
 }

 func (h *handler) PutBucketLifecycleHandler(w http.ResponseWriter, r *http.Request) {
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PutBucketLifecycle")
+	defer span.End()
+
 	var buf bytes.Buffer

 	tee := io.TeeReader(r.Body, &buf)
-	ctx := r.Context()
 	reqInfo := middleware.GetReqInfo(ctx)

-	// Content-Md5 is required and should be set
-	// https://docs.aws.amazon.com/AmazonS3/latest/API/API_PutBucketLifecycleConfiguration.html
-	if _, ok := r.Header[api.ContentMD5]; !ok {
-		h.logAndSendError(ctx, w, "missing Content-MD5", reqInfo, apierr.GetAPIError(apierr.ErrMissingContentMD5))
-		return
-	}
-
-	headerMD5, err := base64.StdEncoding.DecodeString(r.Header.Get(api.ContentMD5))
-	if err != nil {
-		h.logAndSendError(ctx, w, "invalid Content-MD5", reqInfo, apierr.GetAPIError(apierr.ErrInvalidDigest))
-		return
-	}
-
 	cfg := new(data.LifecycleConfiguration)
-	if err = h.cfg.NewXMLDecoder(tee, r.UserAgent()).Decode(cfg); err != nil {
+	if err := h.cfg.NewXMLDecoder(tee, r.UserAgent()).Decode(cfg); err != nil {
 		h.logAndSendError(ctx, w, "could not decode body", reqInfo, fmt.Errorf("%w: %s", apierr.GetAPIError(apierr.ErrMalformedXML), err.Error()))
 		return
 	}

-	bodyMD5, err := getContentMD5(&buf)
-	if err != nil {
-		h.logAndSendError(ctx, w, "could not get content md5", reqInfo, err)
-		return
-	}
+	if _, ok := r.Header[api.ContentMD5]; ok {
+		headerMD5, err := base64.StdEncoding.DecodeString(r.Header.Get(api.ContentMD5))
+		if err != nil {
+			h.logAndSendError(ctx, w, "invalid Content-MD5", reqInfo, apierr.GetAPIError(apierr.ErrInvalidDigest))
+			return
+		}

-	if !bytes.Equal(headerMD5, bodyMD5) {
-		h.logAndSendError(ctx, w, "Content-MD5 does not match", reqInfo, apierr.GetAPIError(apierr.ErrInvalidDigest))
-		return
+		bodyMD5, err := getContentMD5(&buf)
+		if err != nil {
+			h.logAndSendError(ctx, w, "could not get content md5", reqInfo, err)
+			return
+		}
+
+		if !bytes.Equal(headerMD5, bodyMD5) {
+			h.logAndSendError(ctx, w, "Content-MD5 does not match", reqInfo, apierr.GetAPIError(apierr.ErrInvalidDigest))
+			return
+		}
 	}

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -120,7 +120,9 @@ func (h *handler) PutBucketLifecycleHandler(w http.ResponseWriter, r *http.Reque
 }

 func (h *handler) DeleteBucketLifecycleHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.DeleteBucketLifecycle")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
--- a/api/handler/lifecycle_test.go
+++ b/api/handler/lifecycle_test.go
@ -29,6 +29,8 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 	for _, tc := range []struct {
 		name      string
 		body      *data.LifecycleConfiguration
+		headers   map[string]string
+		addMD5    bool
 		errorCode apierr.ErrorCode
 	}{
 		{
@ -70,6 +72,22 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 				},
 			},
 		},
+		{
+
+			name: "correct Content-Md5 header",
+			body: &data.LifecycleConfiguration{
+				Rules: []data.LifecycleRule{
+					{
+						ID:     "rule",
+						Status: data.LifecycleStatusEnabled,
+						Expiration: &data.LifecycleExpiration{
+							Days: ptr(21),
+						},
+					},
+				},
+			},
+			addMD5: true,
+		},
 		{
 			name: "too many rules",
 			body: func() *data.LifecycleConfiguration {
@ -407,14 +425,44 @@ func TestPutBucketLifecycleConfiguration(t *testing.T) {
 			},
 			errorCode: apierr.ErrInvalidRequest,
 		},
+		{
+			name: "invalid Content-Md5 header",
+			body: &data.LifecycleConfiguration{
+				Rules: []data.LifecycleRule{
+					{
+						Status: data.LifecycleStatusEnabled,
+						Expiration: &data.LifecycleExpiration{
+							Days: ptr(21),
+						},
+					},
+				},
+			},
+			headers:   map[string]string{api.ContentMD5: "invalid"},
+			errorCode: apierr.ErrInvalidDigest,
+		},
+		{
+			name: "Content-Md5 header does not match body md5 hash",
+			body: &data.LifecycleConfiguration{
+				Rules: []data.LifecycleRule{
+					{
+						Status: data.LifecycleStatusEnabled,
+						Expiration: &data.LifecycleExpiration{
+							Days: ptr(21),
+						},
+					},
+				},
+			},
+			headers:   map[string]string{api.ContentMD5: base64.StdEncoding.EncodeToString([]byte("some-hash"))},
+			errorCode: apierr.ErrInvalidDigest,
+		},
 	} {
 		t.Run(tc.name, func(t *testing.T) {
 			if tc.errorCode > 0 {
-				putBucketLifecycleConfigurationErr(hc, bktName, tc.body, apierr.GetAPIError(tc.errorCode))
+				putBucketLifecycleConfigurationErr(hc, bktName, tc.body, tc.headers, apierr.GetAPIError(tc.errorCode))
 				return
 			}

-			putBucketLifecycleConfiguration(hc, bktName, tc.body)
+			putBucketLifecycleConfiguration(hc, bktName, tc.body, tc.headers, tc.addMD5)

 			cfg := getBucketLifecycleConfiguration(hc, bktName)
 			require.Equal(t, tc.body.Rules, cfg.Rules)
@ -448,45 +496,13 @@ func TestPutBucketLifecycleIDGeneration(t *testing.T) {
 		},
 	}

-	putBucketLifecycleConfiguration(hc, bktName, lifecycle)
+	putBucketLifecycleConfiguration(hc, bktName, lifecycle, nil, false)
 	cfg := getBucketLifecycleConfiguration(hc, bktName)
 	require.Len(t, cfg.Rules, 2)
 	require.NotEmpty(t, cfg.Rules[0].ID)
 	require.NotEmpty(t, cfg.Rules[1].ID)
 }

-func TestPutBucketLifecycleInvalidMD5(t *testing.T) {
-	hc := prepareHandlerContext(t)
-
-	bktName := "bucket-lifecycle-md5"
-	createBucket(hc, bktName)
-
-	lifecycle := &data.LifecycleConfiguration{
-		Rules: []data.LifecycleRule{
-			{
-				Status: data.LifecycleStatusEnabled,
-				Expiration: &data.LifecycleExpiration{
-					Days: ptr(21),
-				},
-			},
-		},
-	}
-
-	w, r := prepareTestRequest(hc, bktName, "", lifecycle)
-	hc.Handler().PutBucketLifecycleHandler(w, r)
-	assertS3Error(hc.t, w, apierr.GetAPIError(apierr.ErrMissingContentMD5))
-
-	w, r = prepareTestRequest(hc, bktName, "", lifecycle)
-	r.Header.Set(api.ContentMD5, "")
-	hc.Handler().PutBucketLifecycleHandler(w, r)
-	assertS3Error(hc.t, w, apierr.GetAPIError(apierr.ErrInvalidDigest))
-
-	w, r = prepareTestRequest(hc, bktName, "", lifecycle)
-	r.Header.Set(api.ContentMD5, "some-hash")
-	hc.Handler().PutBucketLifecycleHandler(w, r)
-	assertS3Error(hc.t, w, apierr.GetAPIError(apierr.ErrInvalidDigest))
-}
-
 func TestPutBucketLifecycleInvalidXML(t *testing.T) {
 	hc := prepareHandlerContext(t)

@ -505,25 +521,32 @@ func TestPutBucketLifecycleInvalidXML(t *testing.T) {
 	assertS3Error(hc.t, w, apierr.GetAPIError(apierr.ErrMalformedXML))
 }

-func putBucketLifecycleConfiguration(hc *handlerContext, bktName string, cfg *data.LifecycleConfiguration) {
-	w := putBucketLifecycleConfigurationBase(hc, bktName, cfg)
+func putBucketLifecycleConfiguration(hc *handlerContext, bktName string, cfg *data.LifecycleConfiguration, headers map[string]string, addMD5 bool) {
+	w := putBucketLifecycleConfigurationBase(hc, bktName, cfg, headers, addMD5)
 	assertStatus(hc.t, w, http.StatusOK)
 }

-func putBucketLifecycleConfigurationErr(hc *handlerContext, bktName string, cfg *data.LifecycleConfiguration, err apierr.Error) {
-	w := putBucketLifecycleConfigurationBase(hc, bktName, cfg)
+func putBucketLifecycleConfigurationErr(hc *handlerContext, bktName string, cfg *data.LifecycleConfiguration, headers map[string]string, err apierr.Error) {
+	w := putBucketLifecycleConfigurationBase(hc, bktName, cfg, headers, false)
 	assertS3Error(hc.t, w, err)
 }

-func putBucketLifecycleConfigurationBase(hc *handlerContext, bktName string, cfg *data.LifecycleConfiguration) *httptest.ResponseRecorder {
+func putBucketLifecycleConfigurationBase(hc *handlerContext, bktName string, cfg *data.LifecycleConfiguration, headers map[string]string, addMD5 bool) *httptest.ResponseRecorder {
 	w, r := prepareTestRequest(hc, bktName, "", cfg)

-	rawBody, err := xml.Marshal(cfg)
-	require.NoError(hc.t, err)
+	for k, v := range headers {
+		r.Header.Set(k, v)
+	}
+
+	if addMD5 {
+		rawBody, err := xml.Marshal(cfg)
+		require.NoError(hc.t, err)
+
+		hash := md5.New()
+		hash.Write(rawBody)
+		r.Header.Set(api.ContentMD5, base64.StdEncoding.EncodeToString(hash.Sum(nil)))
+	}

-	hash := md5.New()
-	hash.Write(rawBody)
-	r.Header.Set(api.ContentMD5, base64.StdEncoding.EncodeToString(hash.Sum(nil)))
 	hc.Handler().PutBucketLifecycleHandler(w, r)
 	return w
 }
--- a/api/handler/locking.go
+++ b/api/handler/locking.go
@ -7,6 +7,7 @@ import (
 	"strconv"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
@ -26,7 +27,9 @@ const (
 )

 func (h *handler) PutBucketObjectLockConfigHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PutBucketObjectLockConfig")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -74,7 +77,9 @@ func (h *handler) PutBucketObjectLockConfigHandler(w http.ResponseWriter, r *htt
 }

 func (h *handler) GetBucketObjectLockConfigHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetBucketObjectLockConfig")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -108,7 +113,9 @@ func (h *handler) GetBucketObjectLockConfigHandler(w http.ResponseWriter, r *htt
 }

 func (h *handler) PutObjectLegalHoldHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PutObjectLegalHold")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -161,7 +168,9 @@ func (h *handler) PutObjectLegalHoldHandler(w http.ResponseWriter, r *http.Reque
 }

 func (h *handler) GetObjectLegalHoldHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetObjectLegalHold")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -199,7 +208,9 @@ func (h *handler) GetObjectLegalHoldHandler(w http.ResponseWriter, r *http.Reque
 }

 func (h *handler) PutObjectRetentionHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PutObjectRetention")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -247,7 +258,9 @@ func (h *handler) PutObjectRetentionHandler(w http.ResponseWriter, r *http.Reque
 }

 func (h *handler) GetObjectRetentionHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetObjectRetention")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
--- a/api/handler/multipart_upload.go
+++ b/api/handler/multipart_upload.go
@ -10,6 +10,7 @@ import (
 	"strings"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
@ -104,7 +105,9 @@ const (
 )

 func (h *handler) CreateMultipartUploadHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.CreateMultipartUpload")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)
 	uploadID := uuid.New()
 	cannedACLStatus := aclHeadersStatus(r)
@ -174,7 +177,9 @@ func (h *handler) CreateMultipartUploadHandler(w http.ResponseWriter, r *http.Re
 }

 func (h *handler) UploadPartHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.UploadPart")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -247,15 +252,16 @@ func (h *handler) UploadPartHandler(w http.ResponseWriter, r *http.Request) {
 }

 func (h *handler) UploadPartCopy(w http.ResponseWriter, r *http.Request) {
-	var (
-		versionID   string
-		ctx         = r.Context()
-		reqInfo     = middleware.GetReqInfo(ctx)
-		queryValues = reqInfo.URL.Query()
-		uploadID    = queryValues.Get(uploadIDHeaderName)
-		partNumStr  = queryValues.Get(partNumberHeaderName)
-		additional  = []zap.Field{zap.String("uploadID", uploadID), zap.String("partNumber", partNumStr)}
-	)
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.UploadPartCopy")
+	defer span.End()
+
+	var versionID string
+
+	reqInfo := middleware.GetReqInfo(ctx)
+	queryValues := reqInfo.URL.Query()
+	uploadID := queryValues.Get(uploadIDHeaderName)
+	partNumStr := queryValues.Get(partNumberHeaderName)
+	additional := []zap.Field{zap.String("uploadID", uploadID), zap.String("partNumber", partNumStr)}

 	partNumber, err := strconv.Atoi(partNumStr)
 	if err != nil || partNumber < layer.UploadMinPartNumber || partNumber > layer.UploadMaxPartNumber {
@ -381,7 +387,9 @@ func (h *handler) UploadPartCopy(w http.ResponseWriter, r *http.Request) {
 }

 func (h *handler) CompleteMultipartUploadHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.CompleteMultipartUpload")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -508,7 +516,9 @@ func (h *handler) completeMultipartUpload(r *http.Request, c *layer.CompleteMult
 }

 func (h *handler) ListMultipartUploadsHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.ListMultipartUploads")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -559,7 +569,9 @@ func (h *handler) ListMultipartUploadsHandler(w http.ResponseWriter, r *http.Req
 }

 func (h *handler) ListPartsHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.ListParts")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -623,7 +635,9 @@ func (h *handler) ListPartsHandler(w http.ResponseWriter, r *http.Request) {
 }

 func (h *handler) AbortMultipartUploadHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.AbortMultipartUpload")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
--- a/api/handler/object_list.go
+++ b/api/handler/object_list.go
@ -7,6 +7,7 @@ import (
 	"strings"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
@ -19,7 +20,9 @@ const maxObjectList = 1000 // Limit number of objects in a listObjectsResponse/l

 // ListObjectsV1Handler handles objects listing requests for API version 1.
 func (h *handler) ListObjectsV1Handler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.ListObjectsV1")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)
 	params, err := parseListObjectsArgsV1(reqInfo)
 	if err != nil {
@ -64,7 +67,9 @@ func (h *handler) encodeV1(p *layer.ListObjectsParamsV1, list *layer.ListObjects

 // ListObjectsV2Handler handles objects listing requests for API version 2.
 func (h *handler) ListObjectsV2Handler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.ListObjectsV2")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)
 	params, err := parseListObjectsArgsV2(reqInfo)
 	if err != nil {
@ -223,7 +228,9 @@ func fillContents(src []*data.ExtendedNodeVersion, encode string, fetchOwner, md
 }

 func (h *handler) ListBucketObjectVersionsHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.ListBucketObjectVersions")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)
 	p, err := parseListObjectVersionsRequest(reqInfo)
 	if err != nil {
--- a/api/handler/patch.go
+++ b/api/handler/patch.go
@ -7,6 +7,7 @@ import (
 	"strings"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
@ -19,7 +20,9 @@ import (
 const maxPatchSize = 5 * 1024 * 1024 * 1024 // 5GB

 func (h *handler) PatchObjectHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PatchObject")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	if _, ok := r.Header[api.ContentRange]; !ok {
--- a/api/handler/put.go
+++ b/api/handler/put.go
@ -18,6 +18,7 @@ import (
 	"strings"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
@ -54,17 +55,29 @@ func (p *postPolicy) condition(key string) *policyCondition {
 	return nil
 }

-func (p *postPolicy) CheckContentLength(size uint64) bool {
+func (p *postPolicy) CheckContentLength(size uint64) error {
 	if p.empty {
-		return true
+		return nil
 	}
 	for _, condition := range p.Conditions {
 		if condition.Matching == "content-length-range" {
-			length := strconv.FormatUint(size, 10)
-			return condition.Key <= length && length <= condition.Value
+			start, err := strconv.ParseUint(condition.Key, 10, 64)
+			if err != nil {
+				return errInvalidCondition
+			}
+
+			end, err := strconv.ParseUint(condition.Value, 10, 64)
+			if err != nil {
+				return errInvalidCondition
+			}
+
+			if start <= size && size <= end {
+				return nil
+			}
+			return fmt.Errorf("length of the content did not fall within the range specified in the condition")
 		}
 	}
-	return true
+	return nil
 }

 func (p *policyCondition) match(value string) bool {
@ -184,12 +197,13 @@ type createBucketParams struct {
 }

 func (h *handler) PutObjectHandler(w http.ResponseWriter, r *http.Request) {
-	var (
-		err             error
-		cannedACLStatus = aclHeadersStatus(r)
-		ctx             = r.Context()
-		reqInfo         = middleware.GetReqInfo(ctx)
-	)
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PutObject")
+	defer span.End()
+
+	var err error
+
+	cannedACLStatus := aclHeadersStatus(r)
+	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
 	if err != nil {
@ -474,12 +488,13 @@ func (h *handler) isTLSCheckRequired(r *http.Request) bool {
 }

 func (h *handler) PostObject(w http.ResponseWriter, r *http.Request) {
-	var (
-		tagSet   map[string]string
-		ctx      = r.Context()
-		reqInfo  = middleware.GetReqInfo(ctx)
-		metadata = make(map[string]string)
-	)
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PostObject")
+	defer span.End()
+
+	var tagSet map[string]string
+
+	reqInfo := middleware.GetReqInfo(ctx)
+	metadata := make(map[string]string)

 	policy, err := checkPostPolicy(r, reqInfo, metadata)
 	if err != nil {
@ -560,8 +575,8 @@ func (h *handler) PostObject(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if !policy.CheckContentLength(size) {
-		h.logAndSendError(ctx, w, "invalid content-length", reqInfo, apierr.GetAPIError(apierr.ErrInvalidArgument))
+	if err := policy.CheckContentLength(size); err != nil {
+		h.logAndSendError(ctx, w, err.Error(), reqInfo, apierr.GetAPIError(apierr.ErrPostPolicyConditionInvalidFormat))
 		return
 	}

@ -764,7 +779,10 @@ func parseCannedACL(header http.Header) (string, error) {
 }

 func (h *handler) CreateBucketHandler(w http.ResponseWriter, r *http.Request) {
-	h.createBucketHandlerPolicy(w, r)
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.CreateBucket")
+	defer span.End()
+
+	h.createBucketHandlerPolicy(w, r.WithContext(ctx))
 }

 func (h *handler) parseCommonCreateBucketParams(reqInfo *middleware.ReqInfo, boxData *accessbox.Box, r *http.Request) (*keys.PublicKey, *layer.CreateBucketParams, error) {
--- a/api/handler/put_test.go
+++ b/api/handler/put_test.go
@ -10,6 +10,8 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"errors"
+	"fmt"
+	"hash/crc32"
 	"io"
 	"mime/multipart"
 	"net/http"
@ -426,7 +428,7 @@ func TestPutObjectWithStreamBodyAWSExampleTrailing(t *testing.T) {
 	createTestBucket(hc, bktName)

 	t.Run("valid trailer signature", func(t *testing.T) {
-		w, req, chunk := getChunkedRequestTrailing(hc.context, t, bktName, objName)
+		w, req, chunk := getChunkedRequestAWSExampleTrailing(t, bktName, objName)
 		hc.Handler().PutObjectHandler(w, req)
 		assertStatus(t, w, http.StatusOK)

@ -440,7 +442,7 @@ func TestPutObjectWithStreamBodyAWSExampleTrailing(t *testing.T) {
 	})

 	t.Run("invalid trailer signature", func(t *testing.T) {
-		w, req, _ := getChunkedRequestTrailing(hc.context, t, bktName, objName)
+		w, req, _ := getChunkedRequestAWSExampleTrailing(t, bktName, objName)
 		body := req.Body.(*customNopCloser)
 		body.Bytes()[body.Len()-2] = 'a'
 		hc.Handler().PutObjectHandler(w, req)
@ -454,7 +456,7 @@ func TestPutObjectWithStreamBodyAWSExample(t *testing.T) {
 	bktName, objName := "examplebucket", "chunkObject.txt"
 	createTestBucket(hc, bktName)

-	w, req, chunk := getChunkedRequest(hc.context, t, bktName, objName)
+	w, req, chunk := getChunkedRequestAWSExample(t, bktName, objName)
 	hc.Handler().PutObjectHandler(w, req)
 	assertStatus(t, w, http.StatusOK)

@ -469,13 +471,17 @@ func TestPutObjectWithStreamBodyAWSExample(t *testing.T) {
 	}
 }

-func TestPutObjectWithStreamEmptyBodyAWSExample(t *testing.T) {
+func TestPutObjectWithStreamEmptyBodyAWSExampleWithContentType(t *testing.T) {
 	hc := prepareHandlerContext(t)

 	bktName, objName := "dkirillov", "tmp"
 	createTestBucket(hc, bktName)

-	w, req := getEmptyChunkedRequest(hc.context, t, bktName, objName)
+	signTime, err := time.Parse("20060102T150405Z", "20241003T100055Z")
+	require.NoError(t, err)
+
+	extra := [2]string{api.ContentType, "text/plain; charset=UTF-8"}
+	w, req := getChunkedRequestBase(t, bktName, objName, nil, api.StreamingContentSHA256, signTime, extra)
 	hc.Handler().PutObjectHandler(w, req)
 	assertStatus(t, w, http.StatusOK)

@ -489,13 +495,94 @@ func TestPutObjectWithStreamEmptyBodyAWSExample(t *testing.T) {
 	require.Empty(t, res.Contents[0].Size)
 }

+func TestPutObjectWithStreamEmptyBody(t *testing.T) {
+	hc := prepareHandlerContext(t)
+
+	bktName := "bucket"
+	createTestBucket(hc, bktName)
+
+	signTime, err := time.Parse("20060102T150405Z", "20241003T100055Z")
+	require.NoError(t, err)
+
+	t.Run("unsigned", func(t *testing.T) {
+		t.Run("trailer", func(t *testing.T) {
+			objName := "unsigned trailer"
+
+			w, req := getEmptyChunkedRequestUnsigned(t, bktName, objName)
+			req.Header.Del(api.ContentType)
+			hc.Handler().PutObjectHandler(w, req)
+			assertStatus(t, w, http.StatusOK)
+
+			d, h := getObject(hc, bktName, objName)
+			require.Empty(t, d)
+			require.Equal(t, "0", h.Get(api.ContentLength))
+		})
+	})
+
+	t.Run("sigv4", func(t *testing.T) {
+		t.Run("trailer", func(t *testing.T) {
+			objName := "sigv4 trailer"
+
+			w, req := getChunkedRequestBase(t, bktName, objName, nil, api.StreamingContentSHA256Trailer, signTime)
+			req.Header.Del(api.ContentType)
+			hc.Handler().PutObjectHandler(w, req)
+			assertStatus(t, w, http.StatusOK)
+
+			d, h := getObject(hc, bktName, objName)
+			require.Empty(t, d)
+			require.Equal(t, "0", h.Get(api.ContentLength))
+		})
+
+		t.Run("no trailer", func(t *testing.T) {
+			objName := "sigv4 no trailer"
+
+			w, req := getChunkedRequestBase(t, bktName, objName, nil, api.StreamingContentSHA256, signTime)
+			req.Header.Del(api.ContentType)
+			hc.Handler().PutObjectHandler(w, req)
+			assertStatus(t, w, http.StatusOK)
+
+			d, h := getObject(hc, bktName, objName)
+			require.Empty(t, d)
+			require.Equal(t, "0", h.Get(api.ContentLength))
+		})
+	})
+
+	t.Run("sigv4a", func(t *testing.T) {
+		t.Run("trailer", func(t *testing.T) {
+			objName := "sigv4a trailer"
+
+			w, req := getEmptyChunkedRequestSigv4aWithTrailers(t, bktName, objName)
+			req.Header.Del(api.ContentType)
+			hc.Handler().PutObjectHandler(w, req)
+			assertStatus(t, w, http.StatusOK)
+
+			d, h := getObject(hc, bktName, objName)
+			require.Empty(t, d)
+			require.Equal(t, "0", h.Get(api.ContentLength))
+		})
+
+		t.Run("no trailer", func(t *testing.T) {
+			objName := "sigv4a no trailer"
+
+			w, req := getEmptyChunkedRequestSigv4a(t, bktName, objName)
+			req.Header.Del(api.ContentType)
+			hc.Handler().PutObjectHandler(w, req)
+			assertStatus(t, w, http.StatusOK)
+
+			d, h := getObject(hc, bktName, objName)
+			require.Empty(t, d)
+			require.Equal(t, "0", h.Get(api.ContentLength))
+		})
+	})
+}
+
 func TestPutChunkedTestContentEncoding(t *testing.T) {
 	hc := prepareHandlerContext(t)

 	bktName, objName := "examplebucket", "chunkObject.txt"
 	createTestBucket(hc, bktName)

-	w, req, _ := getChunkedRequest(hc.context, t, bktName, objName)
+	w, req, _ := getChunkedRequestAWSExample(t, bktName, objName)
 	req.Header.Set(api.ContentEncoding, api.AwsChunked+",gzip")

 	hc.Handler().PutObjectHandler(w, req)
@ -504,13 +591,13 @@ func TestPutChunkedTestContentEncoding(t *testing.T) {
 	resp := headObjectBase(hc, bktName, objName, emptyVersion)
 	require.Equal(t, "gzip", resp.Header().Get(api.ContentEncoding))

-	w, req, _ = getChunkedRequest(hc.context, t, bktName, objName)
+	w, req, _ = getChunkedRequestAWSExample(t, bktName, objName)
 	req.Header.Set(api.ContentEncoding, "gzip")
 	hc.Handler().PutObjectHandler(w, req)
 	assertS3Error(t, w, apierr.GetAPIError(apierr.ErrInvalidEncodingMethod))

 	hc.config.bypassContentEncodingInChunks = true
-	w, req, _ = getChunkedRequest(hc.context, t, bktName, objName)
+	w, req, _ = getChunkedRequestAWSExample(t, bktName, objName)
 	req.Header.Set(api.ContentEncoding, "gzip")
 	hc.Handler().PutObjectHandler(w, req)
 	assertStatus(t, w, http.StatusOK)
@ -519,9 +606,9 @@ func TestPutChunkedTestContentEncoding(t *testing.T) {
 	require.Equal(t, "gzip", resp.Header().Get(api.ContentEncoding))
 }

-// getChunkedRequest implements request example from
+// getChunkedRequestAWSExample implements request example from
 // https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming.html
-func getChunkedRequest(ctx context.Context, t *testing.T, bktName, objName string) (*httptest.ResponseRecorder, *http.Request, []byte) {
+func getChunkedRequestAWSExample(t *testing.T, bktName, objName string) (*httptest.ResponseRecorder, *http.Request, []byte) {
 	chunk := make([]byte, 65*1024)
 	for i := range chunk {
 		chunk[i] = 'a'
@ -529,12 +616,8 @@ func getChunkedRequest(ctx context.Context, t *testing.T, bktName, objName strin
 	chunk1 := chunk[:64*1024]
 	chunk2 := chunk[64*1024:]

-	AWSAccessKeyID := "AKIAIOSFODNN7EXAMPLE"
 	AWSSecretAccessKey := "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

-	awsCreds := aws.Credentials{AccessKeyID: AWSAccessKeyID, SecretAccessKey: AWSSecretAccessKey}
-	signer := v4.NewSigner()
-
 	reqBody := bytes.NewBufferString("10000;chunk-signature=ad80c730a21e5b8d04586a2213dd63b9a0e99e0e2307b0ade35a65485a288648\r\n")
 	_, err := reqBody.Write(chunk1)
 	require.NoError(t, err)
@ -552,32 +635,14 @@ func getChunkedRequest(ctx context.Context, t *testing.T, bktName, objName strin
 	req.Header.Set("x-amz-content-sha256", api.StreamingContentSHA256)
 	req.Header.Set("x-amz-decoded-content-length", strconv.Itoa(awsChunkedRequestExampleDecodedContentLength))
 	req.Header.Set("x-amz-storage-class", "REDUCED_REDUNDANCY")
+	req.Header.Set("Authorization", "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=content-encoding;content-length;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length;x-amz-storage-class,Signature=4f232c4386841ef735655705268965c44a0e4690baa4adea153f7db9fa80a0a9")

 	signTime, err := time.Parse("20060102T150405Z", "20130524T000000Z")
 	require.NoError(t, err)

-	err = signer.SignHTTP(ctx, awsCreds, req, auth.UnsignedPayload, "s3", "us-east-1", signTime)
-	require.NoError(t, err)
-
 	req.Body = io.NopCloser(reqBody)

-	w := httptest.NewRecorder()
-	reqInfo := middleware.NewReqInfo(w, req, middleware.ObjectRequest{Bucket: bktName, Object: objName}, "")
-	req = req.WithContext(middleware.SetReqInfo(ctx, reqInfo))
-	req = req.WithContext(middleware.SetBox(req.Context(), &middleware.Box{
-		ClientTime: signTime,
-		AuthHeaders: &middleware.AuthHeader{
-			AccessKeyID: AWSAccessKeyID,
-			SignatureV4: "4f232c4386841ef735655705268965c44a0e4690baa4adea153f7db9fa80a0a9",
-			Region:      "us-east-1",
-		},
-		AccessBox: &accessbox.Box{
-			Gate: &accessbox.GateData{
-				SecretKey: AWSSecretAccessKey,
-			},
-		},
-	}))
-
+	w, req := prepareReqMiddlewares(req, signTime, AWSSecretAccessKey)
 	return w, req, chunk
 }

@ -589,9 +654,9 @@ func (c *customNopCloser) Close() error {
 	return nil
 }

-// getChunkedRequestTrailing implements request example from
+// getChunkedRequestAWSExampleTrailing implements request example from
 // https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-streaming-trailers.html
-func getChunkedRequestTrailing(ctx context.Context, t *testing.T, bktName, objName string) (*httptest.ResponseRecorder, *http.Request, []byte) {
+func getChunkedRequestAWSExampleTrailing(t *testing.T, bktName, objName string) (*httptest.ResponseRecorder, *http.Request, []byte) {
 	chunk := make([]byte, 65*1024)
 	for i := range chunk {
 		chunk[i] = 'a'
@ -599,12 +664,8 @@ func getChunkedRequestTrailing(ctx context.Context, t *testing.T, bktName, objNa
 	chunk1 := chunk[:64*1024]
 	chunk2 := chunk[64*1024:]

-	AWSAccessKeyID := "AKIAIOSFODNN7EXAMPLE"
 	AWSSecretAccessKey := "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

-	awsCreds := aws.Credentials{AccessKeyID: AWSAccessKeyID, SecretAccessKey: AWSSecretAccessKey}
-	signer := v4.NewSigner()
-
 	reqBody := bytes.NewBufferString("10000;chunk-signature=b474d8862b1487a5145d686f57f013e54db672cee1c953b3010fb58501ef5aa2\r\n")
 	_, err := reqBody.Write(chunk1)
 	require.NoError(t, err)
@ -634,32 +695,14 @@ func getChunkedRequestTrailing(ctx context.Context, t *testing.T, bktName, objNa
 	req.Header.Set("x-amz-decoded-content-length", strconv.Itoa(awsChunkedRequestExampleDecodedContentLength))
 	req.Header.Set("x-amz-storage-class", "REDUCED_REDUNDANCY")
 	req.Header.Set("x-amz-trailer", "x-amz-checksum-crc32c")
+	req.Header.Set("Authorization", "AWS4-HMAC-SHA256 Credential=AKIAIOSFODNN7EXAMPLE/20130524/us-east-1/s3/aws4_request,SignedHeaders=content-encoding;content-length;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length;x-amz-storage-class,Signature=106e2a8a18243abcf37539882f36619c00e2dfc72633413f02d3b74544bfeb8e")

 	signTime, err := time.Parse("20060102T150405Z", "20130524T000000Z")
 	require.NoError(t, err)

-	err = signer.SignHTTP(ctx, awsCreds, req, api.StreamingContentSHA256Trailer, "s3", "us-east-1", signTime)
-	require.NoError(t, err)
-
 	req.Body = &customNopCloser{Buffer: reqBody}

-	w := httptest.NewRecorder()
-	reqInfo := middleware.NewReqInfo(w, req, middleware.ObjectRequest{Bucket: bktName, Object: objName}, "")
-	req = req.WithContext(middleware.SetReqInfo(ctx, reqInfo))
-	req = req.WithContext(middleware.SetBox(req.Context(), &middleware.Box{
-		ClientTime: signTime,
-		AuthHeaders: &middleware.AuthHeader{
-			AccessKeyID: AWSAccessKeyID,
-			SignatureV4: "106e2a8a18243abcf37539882f36619c00e2dfc72633413f02d3b74544bfeb8e",
-			Region:      "us-east-1",
-		},
-		AccessBox: &accessbox.Box{
-			Gate: &accessbox.GateData{
-				SecretKey: AWSSecretAccessKey,
-			},
-		},
-	}))
-
+	w, req := prepareReqMiddlewares(req, signTime, AWSSecretAccessKey)
 	return w, req, chunk
 }

@ -668,8 +711,6 @@ func getChunkedRequestUnsignedTrailing(ctx context.Context, t *testing.T, bktNam
 	for i := range chunk {
 		chunk[i] = 'a'
 	}
-	//chunk1 := chunk[:64*1024]
-	//chunk2 := chunk[64*1024:]

 	AWSAccessKeyID := "9uEm8zMrGWsEDWiPCnVuQLKTiGtCEXpYXt8eBG7agupw0JDySJZMFuej7PTcPzRqBUyPtFowNu1RtvHULU8XHjie6"
 	AWSSecretAccessKey := "9f546428957ed7e189b7be928906ce7d1d9cb3042dd4d2d5194e28ce8c4c3b8e"
@ -686,7 +727,6 @@ func getChunkedRequestUnsignedTrailing(ctx context.Context, t *testing.T, bktNam
 	require.NoError(t, err)

 	req, err := http.NewRequest("PUT", "https://localhost:8184/"+bktName+"/"+objName, nil)
-	//req, err := http.NewRequest("PUT", "https://localhost:8184/test2/body", nil)
 	require.NoError(t, err)
 	req.Header.Set("x-amz-sdk-checksum-algorithm", "CRC64NVME")
 	req.Header.Set("content-encoding", api.AwsChunked)
@ -703,23 +743,7 @@ func getChunkedRequestUnsignedTrailing(ctx context.Context, t *testing.T, bktNam

 	req.Body = io.NopCloser(reqBody)

-	w := httptest.NewRecorder()
-	reqInfo := middleware.NewReqInfo(w, req, middleware.ObjectRequest{Bucket: bktName, Object: objName}, "")
-	req = req.WithContext(middleware.SetReqInfo(ctx, reqInfo))
-	req = req.WithContext(middleware.SetBox(req.Context(), &middleware.Box{
-		ClientTime: signTime,
-		AuthHeaders: &middleware.AuthHeader{
-			AccessKeyID: AWSAccessKeyID,
-			SignatureV4: "a075c83779d1c3c02254fbe4c9eff0a21556d15556fc6a25db69147c4838226b",
-			Region:      "ru",
-		},
-		AccessBox: &accessbox.Box{
-			Gate: &accessbox.GateData{
-				SecretKey: AWSSecretAccessKey,
-			},
-		},
-	}))
-
+	w, req := prepareReqMiddlewares(req, signTime, AWSSecretAccessKey)
 	return w, req, chunk
 }

@ -757,65 +781,183 @@ func getChunkedRequestUnsignedTrailingSmall(ctx context.Context, t *testing.T, b

 	req.Body = io.NopCloser(reqBody)

-	w := httptest.NewRecorder()
-	reqInfo := middleware.NewReqInfo(w, req, middleware.ObjectRequest{Bucket: bktName, Object: objName}, "")
-	req = req.WithContext(middleware.SetReqInfo(ctx, reqInfo))
-	req = req.WithContext(middleware.SetBox(req.Context(), &middleware.Box{
-		ClientTime: signTime,
-		AuthHeaders: &middleware.AuthHeader{
-			AccessKeyID: AWSAccessKeyID,
-			SignatureV4: "a075c83779d1c3c02254fbe4c9eff0a21556d15556fc6a25db69147c4838226b",
-			Region:      "ru",
-		},
-		AccessBox: &accessbox.Box{
-			Gate: &accessbox.GateData{
-				SecretKey: AWSSecretAccessKey,
-			},
-		},
-	}))
-
+	w, req := prepareReqMiddlewares(req, signTime, AWSSecretAccessKey)
 	return w, req, []byte(chunk)
 }

-func getEmptyChunkedRequest(ctx context.Context, t *testing.T, bktName, objName string) (*httptest.ResponseRecorder, *http.Request) {
-	AWSAccessKeyID := "48c1K4PLVb7SvmV3PjDKEuXaMh8yZMXZ8Wx9msrkKcYw06dZeaxeiPe8vyFm2WsoeVaNt7UWEjNsVkagDs8oX4XXh"
-	AWSSecretAccessKey := "09260955b4eb0279dc017ba20a1ddac909cbd226c86cbb2d868e55534c8e64b0"
+func getChunkedRequestBase(t *testing.T, bktName, objName string, chunks [][]byte, shaType string, signTime time.Time, extraHeaders ...[2]string) (*httptest.ResponseRecorder, *http.Request) {
+	creds := aws.Credentials{
+		AccessKeyID:     "48c1K4PLVb7SvmV3PjDKEuXaMh8yZMXZ8Wx9msrkKcYw06dZeaxeiPe8vyFm2WsoeVaNt7UWEjNsVkagDs8oX4XXh",
+		SecretAccessKey: "09260955b4eb0279dc017ba20a1ddac909cbd226c86cbb2d868e55534c8e64b0",
+	}
+	region := "us-east-1"
+	service := "s3"

-	reqBody := bytes.NewBufferString("0;chunk-signature=311a7142c8f3a07972c3aca65c36484b513a8fee48ab7178c7225388f2ae9894\r\n\r\n")
+	req, err := http.NewRequest("PUT", "http://localhost:8084/"+bktName+"/"+objName, nil)
+	require.NoError(t, err)
+
+	payloadLength := 0
+	for _, chunk := range chunks {
+		payloadLength += len(chunk)
+	}
+
+	for _, kv := range extraHeaders {
+		req.Header.Set(kv[0], kv[1])
+	}
+
+	req.Header.Set(api.ContentEncoding, api.AwsChunked)
+	req.Header.Set(api.AmzDecodedContentLength, strconv.Itoa(payloadLength))
+	req.Header.Set(api.AmzDate, signTime.Format("20060102T150405Z"))
+	req.Header.Set(api.AmzContentSha256, shaType)
+	if shaType == api.StreamingContentSHA256Trailer {
+		req.Header.Set(api.AmzTrailer, "x-amz-checksum-crc32")
+	}
+
+	signer := v4.NewSigner()
+	err = signer.SignHTTP(req.Context(), creds, req, shaType, service, region, signTime)
+	require.NoError(t, err)
+
+	seedSignature := strings.Split(req.Header.Get(api.Authorization), "Signature=")[1]
+	seed, err := hex.DecodeString(seedSignature)
+	require.NoError(t, err)
+
+	var reqBody bytes.Buffer
+
+	hash := crc32.NewIEEE()
+
+	newStreamSigner := v4.NewStreamSigner(creds, service, region, seed)
+	for _, chunk := range chunks {
+		_, err = hash.Write(chunk)
+		require.NoError(t, err)
+
+		signature, err := newStreamSigner.GetSignature(req.Context(), nil, chunk, signTime)
+		require.NoError(t, err)
+		reqBody.WriteString(fmt.Sprintf("%x;chunk-signature=%x\r\n", len(chunk), signature))
+		reqBody.Write(chunk)
+		reqBody.WriteString("\r\n")
+	}
+	signature, err := newStreamSigner.GetSignature(req.Context(), nil, nil, signTime)
+	require.NoError(t, err)
+	reqBody.WriteString(fmt.Sprintf("0;chunk-signature=%x\r\n", signature))
+
+	if shaType == api.StreamingContentSHA256Trailer {
+		crc32Res := hash.Sum(nil)
+		checksumStr := "x-amz-checksum-crc32:" + base64.StdEncoding.EncodeToString(crc32Res)
+		reqBody.WriteString(fmt.Sprintf("%s\r\n", checksumStr))
+		trailerSignature, err := newStreamSigner.GetTrailerSignature([]byte(checksumStr+"\n"), signTime)
+		require.NoError(t, err)
+		reqBody.WriteString(fmt.Sprintf("x-amz-trailer-signature:%x\r\n", trailerSignature))
+	}
+	reqBody.WriteString("\r\n")
+
+	req.Body = io.NopCloser(&reqBody)
+
+	return prepareReqMiddlewares(req, signTime, creds.SecretAccessKey)
+}
+
+func prepareReqMiddlewares(req *http.Request, signTime time.Time, secretAccessKey string) (*httptest.ResponseRecorder, *http.Request) {
+	authHeader := req.Header.Get(api.Authorization)
+	var parsed map[string]string
+	var region string
+	if strings.HasPrefix(authHeader, auth.SignaturePreambleSigV4) {
+		parsed = auth.NewRegexpMatcher(auth.AuthorizationFieldRegexp).GetSubmatches(authHeader)
+		region = parsed["region"]
+	} else {
+		parsed = auth.NewRegexpMatcher(auth.AuthorizationFieldV4aRegexp).GetSubmatches(authHeader)
+		region = req.Header.Get("X-Amz-Region-Set")
+	}
+
+	bktObj := strings.Split(req.URL.Path, "/")
+
+	box := &middleware.Box{
+		ClientTime: signTime,
+		AuthHeaders: &middleware.AuthHeader{
+			AccessKeyID: parsed["access_key_id"],
+			SignatureV4: parsed["v4_signature"],
+			Region:      region,
+		},
+		AccessBox: &accessbox.Box{Gate: &accessbox.GateData{SecretKey: secretAccessKey}},
+	}
+
+	w := httptest.NewRecorder()
+	reqInfo := middleware.NewReqInfo(w, req, middleware.ObjectRequest{Bucket: bktObj[1], Object: bktObj[2]}, "")
+	req = req.WithContext(middleware.SetReqInfo(req.Context(), reqInfo))
+	req = req.WithContext(middleware.SetBox(req.Context(), box))
+
+	return w, req
+}
+
+func getEmptyChunkedRequestUnsigned(t *testing.T, bktName, objName string) (*httptest.ResponseRecorder, *http.Request) {
+	AWSSecretAccessKey := "f1a0d650b650149f1a83140418e88a3c5572a0103e912e326492a91c19c4488a"
+
+	reqBody := bytes.NewBufferString("0\r\nx-amz-checksum-crc64nvme:AAAAAAAAAAA=\r\n\r\n")

 	req, err := http.NewRequest("PUT", "http://localhost:8084/"+bktName+"/"+objName, reqBody)
 	require.NoError(t, err)
-	req.Header.Set("Amz-Sdk-Invocation-Id", "8a8cd4be-aef8-8034-f08d-a6144ade41f9")
-	req.Header.Set("Amz-Sdk-Request", "attempt=1; max=2")
-	req.Header.Set(api.Authorization, "AWS4-HMAC-SHA256 Credential=48c1K4PLVb7SvmV3PjDKEuXaMh8yZMXZ8Wx9msrkKcYw06dZeaxeiPe8vyFm2WsoeVaNt7UWEjNsVkagDs8oX4XXh/20241003/us-east-1/s3/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-encoding;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length, Signature=4b530ab4af2381f214941af591266b209968264a2c94337fa1efc048c7dff352")
-	req.Header.Set(api.ContentEncoding, "aws-chunked")
-	req.Header.Set(api.ContentLength, "86")
-	req.Header.Set(api.ContentType, "text/plain; charset=UTF-8")
-	req.Header.Set(api.AmzDate, "20241003T100055Z")
-	req.Header.Set(api.AmzContentSha256, "STREAMING-AWS4-HMAC-SHA256-PAYLOAD")
+	req.Header.Set(api.Authorization, "AWS4-HMAC-SHA256 Credential=3jNrmDtHtuj1uLcixaSMA4KNUhNYhv1EpUNdFnbTXgUP071pGdSZfHSLtoC8gzjF5HoD6sC3Scq33t1WvvEvjmPnt/20250213/ru/s3/aws4_request, SignedHeaders=content-encoding;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length;x-amz-sdk-checksum-algorithm;x-amz-trailer, Signature=1231b012c0ac313770c5a95ccf77b95b6c9b1c3760d6aa24cb8309801d56eb4a")
+	req.Header.Set(api.ContentEncoding, api.AwsChunked)
+	req.Header.Set(api.AmzDate, "20250213T124858Z")
+	req.Header.Set(api.AmzContentSha256, api.StreamingUnsignedPayloadTrailer)
 	req.Header.Set(api.AmzDecodedContentLength, "0")
+	req.Header.Set("X-Amz-Trailer", "x-amz-checksum-crc64nvme")
+	req.Header.Set("X-Amz-Sdk-Checksum-Algorithm", "CRC64NVME")

-	signTime, err := time.Parse("20060102T150405Z", "20241003T100055Z")
+	signTime, err := time.Parse("20060102T150405Z", req.Header.Get(api.AmzDate))
 	require.NoError(t, err)

-	w := httptest.NewRecorder()
-	reqInfo := middleware.NewReqInfo(w, req, middleware.ObjectRequest{Bucket: bktName, Object: objName}, "")
-	req = req.WithContext(middleware.SetReqInfo(ctx, reqInfo))
-	req = req.WithContext(middleware.SetBox(req.Context(), &middleware.Box{
-		ClientTime: signTime,
-		AuthHeaders: &middleware.AuthHeader{
-			AccessKeyID: AWSAccessKeyID,
-			SignatureV4: "4b530ab4af2381f214941af591266b209968264a2c94337fa1efc048c7dff352",
-			Region:      "us-east-1",
-		},
-		AccessBox: &accessbox.Box{
-			Gate: &accessbox.GateData{
-				SecretKey: AWSSecretAccessKey,
-			},
-		},
-	}))
+	return prepareReqMiddlewares(req, signTime, AWSSecretAccessKey)
+}

-	return w, req
+func getEmptyChunkedRequestSigv4aWithTrailers(t *testing.T, bktName, objName string) (*httptest.ResponseRecorder, *http.Request) {
+	AWSSecretAccessKey := "f1a0d650b650149f1a83140418e88a3c5572a0103e912e326492a91c19c4488a"
+
+	body := "0;chunk-signature=3046022100ab9229a80d70f4d004768992881821a441a4ad4102e18de567e68216659bf497022100ec47a7a445351683557eedf893e6ed250c97af4b0415814671770b83766d69be\r\n" +
+		"x-amz-checksum-crc32:AAAAAA==\r\n" +
+		"x-amz-trailer-signature:3046022100a0a66c1adcee8d99460b4631b23c95fbad9eb4e6c56f1afb9e255715ba141169022100b2cfc8adc8036eb985f1ab0e770b575284c5fc8ca75c226558d3142cbaab83ce\r\n\r\n"
+
+	req, err := http.NewRequest("PUT", "http://localhost:8084/"+bktName+"/"+objName, bytes.NewBufferString(body))
+	require.NoError(t, err)
+	req.Header.Set(api.Authorization, "AWS4-ECDSA-P256-SHA256 Credential=3jNrmDtHtuj1uLcixaSMA4KNUhNYhv1EpUNdFnbTXgUP071pGdSZfHSLtoC8gzjF5HoD6sC3Scq33t1WvvEvjmPnt/20250213/s3/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length;x-amz-region-set;x-amz-sdk-checksum-algorithm;x-amz-trailer, Signature=304402202e1f1efcc56c588d9a94a3d8f20368686df8bfd5e8aad01fc4eff569ff38f1800220215198e3f1ba785492fe6703c4722872909ce8a09e8c9a13da90a9230c7a24b7")
+	req.Header.Set("Amz-Sdk-Invocation-Id", "d42dc16d-7899-55fb-5b72-a654bd482f4f")
+	req.Header.Set("Amz-Sdk-Request", "attempt=1; max=2")
+	req.Header.Set(api.ContentEncoding, api.AwsChunked)
+	req.Header.Set(api.AmzDate, "20250213T132401Z")
+	req.Header.Set(api.AmzContentSha256, api.StreamingContentV4aSHA256Trailer)
+	req.Header.Set(api.AmzDecodedContentLength, "0")
+	req.Header.Set(api.ContentLength, "367")
+	req.Header.Set(api.ContentType, "text/plain: charset=UTF-8")
+	req.Header.Set("X-Amz-Region-Set", "us-east-1")
+	req.Header.Set("X-Amz-Trailer", "x-amz-checksum-crc32")
+	req.Header.Set("X-Amz-Sdk-Checksum-Algorithm", "CRC32")
+
+	signTime, err := time.Parse("20060102T150405Z", req.Header.Get(api.AmzDate))
+	require.NoError(t, err)
+
+	return prepareReqMiddlewares(req, signTime, AWSSecretAccessKey)
+}
+
+func getEmptyChunkedRequestSigv4a(t *testing.T, bktName, objName string) (*httptest.ResponseRecorder, *http.Request) {
+	AWSSecretAccessKey := "f1a0d650b650149f1a83140418e88a3c5572a0103e912e326492a91c19c4488a"
+
+	body := "0;chunk-signature=304502203f7c598a2e9a6673bf1ca30f5f6bebd0d76a4e9d3c16531448e96c2cda22d16a0221009e7ed578da0a9781366f1461a1484e64f15707f26d4310e59514db6ff9f7e0f1**\r\n\r\n"
+
+	req, err := http.NewRequest("PUT", "http://localhost:8084/"+bktName+"/"+objName, bytes.NewBufferString(body))
+	require.NoError(t, err)
+	req.Header.Set(api.Authorization, "AWS4-ECDSA-P256-SHA256 Credential=3jNrmDtHtuj1uLcixaSMA4KNUhNYhv1EpUNdFnbTXgUP071pGdSZfHSLtoC8gzjF5HoD6sC3Scq33t1WvvEvjmPnt/20250213/s3/aws4_request, SignedHeaders=amz-sdk-invocation-id;amz-sdk-request;content-length;content-type;host;x-amz-content-sha256;x-amz-date;x-amz-decoded-content-length;x-amz-region-set, Signature=3046022100dc589ea513448b996809db4b314a0b8a4a775c1165c6203c7104b2f1aae1243c0221009bf3a256e7c33415eaad20c1dbfb4e14cb00b362758bc4d2aaf94ca96a5f13f9")
+	req.Header.Set("Amz-Sdk-Invocation-Id", "f0814a40-0d74-066f-d01f-ed14f28ebfa4")
+	req.Header.Set("Amz-Sdk-Request", "attempt=1; max=2")
+	req.Header.Set(api.ContentEncoding, api.AwsChunked)
+	req.Header.Set(api.AmzDate, "20250213T135717Z")
+	req.Header.Set(api.AmzContentSha256, api.StreamingContentV4aSHA256)
+	req.Header.Set(api.AmzDecodedContentLength, "0")
+	req.Header.Set(api.ContentLength, "166")
+	req.Header.Set(api.ContentType, "text/plain: charset=UTF-8")
+	req.Header.Set("X-Amz-Region-Set", "use-east-1")
+
+	signTime, err := time.Parse("20060102T150405Z", req.Header.Get(api.AmzDate))
+	require.NoError(t, err)
+
+	return prepareReqMiddlewares(req, signTime, AWSSecretAccessKey)
 }

 func TestCreateBucket(t *testing.T) {
@ -1064,6 +1206,104 @@ func TestFormEncryptionParamsBase(t *testing.T) {
 	}
 }

+func TestCheckContentLength(t *testing.T) {
+	contentLength := "content-length-range"
+	notFallError := "length of the content did not fall within the range specified in the condition"
+	parseError := "invalid condition"
+	for _, tc := range []struct {
+		name        string
+		matching    string
+		key         string
+		value       string
+		size        uint64
+		errMsg      string
+		emptyPolicy bool
+	}{
+		{
+			name:     "valid",
+			matching: contentLength,
+			key:      "0",
+			value:    "1000",
+			size:     50,
+		},
+		{
+			name:     "valid lower limit",
+			matching: contentLength,
+			key:      "5",
+			value:    "100",
+			size:     5,
+		},
+		{
+			name:     "valid upper limit",
+			matching: contentLength,
+			key:      "5",
+			value:    "100",
+			size:     100,
+		},
+		{
+			name:     "invalid size value (too small)",
+			matching: contentLength,
+			key:      "5",
+			value:    "100",
+			size:     2,
+			errMsg:   notFallError,
+		},
+		{
+			name:     "invalid size value (to high)",
+			matching: contentLength,
+			key:      "5",
+			value:    "100",
+			size:     200,
+			errMsg:   notFallError,
+		},
+		{
+			name: "no matching",
+		},
+		{
+			name:     "invalid key type",
+			matching: contentLength,
+			key:      "invalid",
+			value:    "100",
+			size:     10,
+			errMsg:   parseError,
+		},
+		{
+			name:     "invalid value type",
+			matching: contentLength,
+			key:      "5",
+			value:    "invalid",
+			size:     10,
+			errMsg:   parseError,
+		},
+		{
+			name:        "empty policy",
+			emptyPolicy: true,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			policy := &postPolicy{
+				Conditions: []*policyCondition{
+					{
+						Matching: tc.matching,
+						Key:      tc.key,
+						Value:    tc.value,
+					},
+				},
+				empty: tc.emptyPolicy,
+			}
+
+			err := policy.CheckContentLength(tc.size)
+			if tc.errMsg != "" {
+				require.Error(t, err)
+				require.Contains(t, err.Error(), tc.errMsg)
+				return
+			}
+
+			require.NoError(t, err)
+		})
+	}
+}
+
 func prepareRequestForEncryption(hc *handlerContext, algo, key, md5, tlsTermination string, reqWithoutTLS, reqWithoutSSE, isCopySource bool) *http.Request {
 	r := httptest.NewRequest(http.MethodPost, "/", nil)

--- a/api/handler/s3reader.go
+++ b/api/handler/s3reader.go
@ -59,6 +59,10 @@ func (c *s3ChunkReader) Read(buf []byte) (num int, err error) {
 		buf = buf[num:]
 	}

+	if c.err != nil {
+		return 0, c.err
+	}
+
 	var size int
 	for {
 		b, err := c.reader.ReadByte()
--- a/api/handler/s3unsignedreader.go
+++ b/api/handler/s3unsignedreader.go
@ -31,6 +31,10 @@ func (c *s3UnsignedChunkReader) Read(buf []byte) (num int, err error) {
 		buf = buf[num:]
 	}

+	if c.err != nil {
+		return 0, c.err
+	}
+
 	var size int
 	var b byte
 	for {
--- a/api/handler/s3v4aReader.go
+++ b/api/handler/s3v4aReader.go
@ -46,6 +46,10 @@ func (c *s3v4aChunkReader) Read(buf []byte) (num int, err error) {
 		buf = buf[num:]
 	}

+	if c.err != nil {
+		return 0, c.err
+	}
+
 	var size int
 	for {
 		b, err := c.reader.ReadByte()
--- a/api/handler/tagging.go
+++ b/api/handler/tagging.go
@ -6,6 +6,7 @@ import (
 	"strings"
 	"unicode"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
@ -21,7 +22,9 @@ const (
 )

 func (h *handler) PutObjectTaggingHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PutObjectTagging")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	tagSet, err := h.readTagSet(reqInfo.Tagging)
@ -54,7 +57,9 @@ func (h *handler) PutObjectTaggingHandler(w http.ResponseWriter, r *http.Request
 }

 func (h *handler) GetObjectTaggingHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetObjectTagging")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -92,7 +97,9 @@ func (h *handler) GetObjectTaggingHandler(w http.ResponseWriter, r *http.Request
 }

 func (h *handler) DeleteObjectTaggingHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.DeleteObjectTagging")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -116,7 +123,9 @@ func (h *handler) DeleteObjectTaggingHandler(w http.ResponseWriter, r *http.Requ
 }

 func (h *handler) PutBucketTaggingHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PutBucketTagging")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	tagSet, err := h.readTagSet(reqInfo.Tagging)
@ -138,7 +147,9 @@ func (h *handler) PutBucketTaggingHandler(w http.ResponseWriter, r *http.Request
 }

 func (h *handler) GetBucketTaggingHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetBucketTagging")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
@ -160,7 +171,9 @@ func (h *handler) GetBucketTaggingHandler(w http.ResponseWriter, r *http.Request
 }

 func (h *handler) DeleteBucketTaggingHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.DeleteBucketTagging")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
--- a/api/handler/versioning.go
+++ b/api/handler/versioning.go
@ -3,6 +3,7 @@ package handler
 import (
 	"net/http"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer"
@ -10,7 +11,9 @@ import (
 )

 func (h *handler) PutBucketVersioningHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.PutBucketVersioning")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	configuration := new(VersioningConfiguration)
@ -57,7 +60,9 @@ func (h *handler) PutBucketVersioningHandler(w http.ResponseWriter, r *http.Requ

 // GetBucketVersioningHandler implements bucket versioning getter handler.
 func (h *handler) GetBucketVersioningHandler(w http.ResponseWriter, r *http.Request) {
-	ctx := r.Context()
+	ctx, span := tracing.StartSpanFromContext(r.Context(), "handler.GetBucketVersioning")
+	defer span.End()
+
 	reqInfo := middleware.GetReqInfo(ctx)

 	bktInfo, err := h.getBucketAndCheckOwner(r, reqInfo.BucketName)
--- a/api/headers.go
+++ b/api/headers.go
@ -63,6 +63,7 @@ const (
 	AmzPartNumberMarker          = "X-Amz-Part-Number-Marker"
 	AmzStorageClass              = "X-Amz-Storage-Class"
 	AmzForceBucketDelete         = "X-Amz-Force-Delete-Bucket"
+	AmzTrailer                   = "X-Amz-Trailer"

 	AmzServerSideEncryptionCustomerAlgorithm = "x-amz-server-side-encryption-customer-algorithm"
 	AmzServerSideEncryptionCustomerKey       = "x-amz-server-side-encryption-customer-key"
--- a/api/layer/compound.go
+++ b/api/layer/compound.go
@ -5,12 +5,16 @@ import (
 	"errors"
 	"fmt"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer/tree"
 )

 func (n *Layer) GetObjectTaggingAndLock(ctx context.Context, objVersion *data.ObjectVersion, nodeVersion *data.NodeVersion) (map[string]string, data.LockInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.GetObjectTaggingAndLock")
+	defer span.End()
+
 	var err error
 	owner := n.BearerOwner(ctx)

--- a/api/layer/cors.go
+++ b/api/layer/cors.go
@ -8,6 +8,7 @@ import (
 	"fmt"
 	"io"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer/frostfs"
@ -23,6 +24,9 @@ const wildcard = "*"
 var supportedMethods = map[string]struct{}{"GET": {}, "HEAD": {}, "POST": {}, "PUT": {}, "DELETE": {}}

 func (n *Layer) PutBucketCORS(ctx context.Context, p *PutCORSParams) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.PutBucketCORS")
+	defer span.End()
+
 	var (
 		buf  bytes.Buffer
 		tee  = io.TeeReader(p.Reader, &buf)
@ -98,6 +102,9 @@ func (n *Layer) deleteCORSObject(ctx context.Context, bktInfo *data.BucketInfo,
 }

 func (n *Layer) GetBucketCORS(ctx context.Context, bktInfo *data.BucketInfo, decoder func(io.Reader, string) *xml.Decoder) (*data.CORSConfiguration, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.GetBucketCORS")
+	defer span.End()
+
 	cors, err := n.getCORS(ctx, bktInfo, decoder)
 	if err != nil {
 		return nil, err
@ -107,6 +114,9 @@ func (n *Layer) GetBucketCORS(ctx context.Context, bktInfo *data.BucketInfo, dec
 }

 func (n *Layer) DeleteBucketCORS(ctx context.Context, bktInfo *data.BucketInfo) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.DeleteBucketCORS")
+	defer span.End()
+
 	objs, err := n.treeService.DeleteBucketCORS(ctx, bktInfo)
 	objNotFound := errors.Is(err, tree.ErrNoNodeToRemove)
 	if err != nil && !objNotFound {
--- a/api/layer/layer.go
+++ b/api/layer/layer.go
@ -15,6 +15,7 @@ import (
 	"strings"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
@ -336,6 +337,9 @@ func (n *Layer) prepareAuthParameters(ctx context.Context, prm *frostfs.PrmAuth,

 // GetBucketInfo returns bucket info by name.
 func (n *Layer) GetBucketInfo(ctx context.Context, name string) (*data.BucketInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.GetBucketInfo")
+	defer span.End()
+
 	name, err := url.QueryUnescape(name)
 	if err != nil {
 		return nil, fmt.Errorf("unescape bucket name: %w", err)
@ -384,6 +388,9 @@ func (n *Layer) ResolveCID(ctx context.Context, name string) (cid.ID, error) {
 // ListBuckets returns all user containers. The name of the bucket is a container
 // id. Timestamp is omitted since it is not saved in frostfs container.
 func (n *Layer) ListBuckets(ctx context.Context, params ListBucketsParams) (ListBucketsResult, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.ListBuckets")
+	defer span.End()
+
 	var result ListBucketsResult
 	var err error

@ -405,6 +412,9 @@ func (n *Layer) ListBuckets(ctx context.Context, params ListBucketsParams) (List

 // GetObject from storage.
 func (n *Layer) GetObject(ctx context.Context, p *GetObjectParams) (*ObjectPayload, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.GetObject")
+	defer span.End()
+
 	var params getParams

 	params.objInfo = p.ObjectInfo
@ -519,6 +529,9 @@ func getDecrypter(p *GetObjectParams) (*encryption.Decrypter, error) {

 // GetObjectInfo returns meta information about the object.
 func (n *Layer) GetObjectInfo(ctx context.Context, p *HeadObjectParams) (*data.ObjectInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.GetObjectInfo")
+	defer span.End()
+
 	extendedObjectInfo, err := n.GetExtendedObjectInfo(ctx, p)
 	if err != nil {
 		return nil, err
@ -529,8 +542,13 @@ func (n *Layer) GetObjectInfo(ctx context.Context, p *HeadObjectParams) (*data.O

 // GetExtendedObjectInfo returns meta information and corresponding info from the tree service about the object.
 func (n *Layer) GetExtendedObjectInfo(ctx context.Context, p *HeadObjectParams) (*data.ExtendedObjectInfo, error) {
-	var objInfo *data.ExtendedObjectInfo
-	var err error
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.GetExtendedObjectInfo")
+	defer span.End()
+
+	var (
+		objInfo *data.ExtendedObjectInfo
+		err     error
+	)

 	if p.Versioned() {
 		objInfo, err = n.headVersion(ctx, p.BktInfo, p)
@ -552,6 +570,9 @@ func (n *Layer) GetExtendedObjectInfo(ctx context.Context, p *HeadObjectParams)

 // CopyObject from one bucket into another bucket.
 func (n *Layer) CopyObject(ctx context.Context, p *CopyObjectParams) (*data.ExtendedObjectInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.CopyObject")
+	defer span.End()
+
 	objPayload, err := n.GetObject(ctx, &GetObjectParams{
 		ObjectInfo: p.SrcObject,
 		Versioned:  p.SrcVersioned,
@ -820,6 +841,9 @@ func (n *Layer) removeCombinedObject(ctx context.Context, bkt *data.BucketInfo,

 // DeleteObjects from the storage.
 func (n *Layer) DeleteObjects(ctx context.Context, p *DeleteObjectParams) []*VersionedObject {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.DeleteObjects")
+	defer span.End()
+
 	for i, obj := range p.Objects {
 		p.Objects[i] = n.deleteObject(ctx, p.BktInfo, p.Settings, obj, p.NetworkInfo)
 		if p.IsMultiple && p.Objects[i].Error != nil {
@ -831,6 +855,9 @@ func (n *Layer) DeleteObjects(ctx context.Context, p *DeleteObjectParams) []*Ver
 }

 func (n *Layer) CreateBucket(ctx context.Context, p *CreateBucketParams) (*data.BucketInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.CreateBucket")
+	defer span.End()
+
 	bktInfo, err := n.GetBucketInfo(ctx, p.Name)
 	if err != nil {
 		if apierr.IsS3Error(err, apierr.ErrNoSuchBucket) {
@ -860,6 +887,9 @@ func (n *Layer) ResolveBucket(ctx context.Context, zone, name string) (cid.ID, e
 }

 func (n *Layer) DeleteBucket(ctx context.Context, p *DeleteBucketParams) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.DeleteBucket")
+	defer span.End()
+
 	if !p.SkipCheck {
 		res, _, err := n.getAllObjectsVersions(ctx, commonVersionsListingParams{
 			BktInfo: p.BktInfo,
@ -903,6 +933,9 @@ func (n *Layer) DeleteBucket(ctx context.Context, p *DeleteBucketParams) error {
 }

 func (n *Layer) DeleteContainer(ctx context.Context, p *DeleteBucketParams) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.DeleteContainer")
+	defer span.End()
+
 	n.cache.DeleteBucket(p.BktInfo)
 	if err := n.frostFS.DeleteContainer(ctx, p.BktInfo.CID, p.SessionToken); err != nil {
 		return fmt.Errorf("delete container: %w", err)
@ -911,6 +944,9 @@ func (n *Layer) DeleteContainer(ctx context.Context, p *DeleteBucketParams) erro
 }

 func (n *Layer) GetNetworkInfo(ctx context.Context) (netmap.NetworkInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.GetNetworkInfo")
+	defer span.End()
+
 	cachedInfo := n.cache.GetNetworkInfo()
 	if cachedInfo != nil {
 		return *cachedInfo, nil
--- a/api/layer/lifecycle.go
+++ b/api/layer/lifecycle.go
@ -7,6 +7,7 @@ import (
 	"errors"
 	"fmt"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer/frostfs"
@ -23,6 +24,9 @@ type PutBucketLifecycleParams struct {
 }

 func (n *Layer) PutBucketLifecycleConfiguration(ctx context.Context, p *PutBucketLifecycleParams) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.PutBucketLifecycleConfiguration")
+	defer span.End()
+
 	cfgBytes, err := xml.Marshal(p.LifecycleCfg)
 	if err != nil {
 		return fmt.Errorf("marshal lifecycle configuration: %w", err)
@ -86,6 +90,9 @@ func (n *Layer) deleteLifecycleObject(ctx context.Context, bktInfo *data.BucketI
 }

 func (n *Layer) GetBucketLifecycleConfiguration(ctx context.Context, bktInfo *data.BucketInfo) (*data.LifecycleConfiguration, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.GetBucketLifecycleConfiguration")
+	defer span.End()
+
 	owner := n.BearerOwner(ctx)
 	if cfg := n.cache.GetLifecycleConfiguration(owner, bktInfo); cfg != nil {
 		return cfg, nil
@ -131,6 +138,9 @@ func (n *Layer) GetBucketLifecycleConfiguration(ctx context.Context, bktInfo *da
 }

 func (n *Layer) DeleteBucketLifecycleConfiguration(ctx context.Context, bktInfo *data.BucketInfo) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.DeleteBucketLifecycleConfiguration")
+	defer span.End()
+
 	objs, err := n.treeService.DeleteBucketLifecycleConfiguration(ctx, bktInfo)
 	objsNotFound := errors.Is(err, tree.ErrNoNodeToRemove)
 	if err != nil && !objsNotFound {
--- a/api/layer/listing.go
+++ b/api/layer/listing.go
@ -9,6 +9,7 @@ import (
 	"strings"
 	"sync"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/cache"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
@ -97,6 +98,9 @@ const (

 // ListObjectsV1 returns objects in a bucket for requests of Version 1.
 func (n *Layer) ListObjectsV1(ctx context.Context, p *ListObjectsParamsV1) (*ListObjectsInfoV1, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.ListObjectsV1")
+	defer span.End()
+
 	var result ListObjectsInfoV1

 	prm := commonLatestVersionsListingParams{
@ -128,6 +132,9 @@ func (n *Layer) ListObjectsV1(ctx context.Context, p *ListObjectsParamsV1) (*Lis

 // ListObjectsV2 returns objects in a bucket for requests of Version 2.
 func (n *Layer) ListObjectsV2(ctx context.Context, p *ListObjectsParamsV2) (*ListObjectsInfoV2, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.ListObjectsV2")
+	defer span.End()
+
 	var result ListObjectsInfoV2

 	prm := commonLatestVersionsListingParams{
@ -158,6 +165,9 @@ func (n *Layer) ListObjectsV2(ctx context.Context, p *ListObjectsParamsV2) (*Lis
 }

 func (n *Layer) ListObjectVersions(ctx context.Context, p *ListObjectVersionsParams) (*ListObjectVersionsInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.ListObjectVersions")
+	defer span.End()
+
 	prm := commonVersionsListingParams{
 		BktInfo:   p.BktInfo,
 		Delimiter: p.Delimiter,
--- a/api/layer/multipart_upload.go
+++ b/api/layer/multipart_upload.go
@ -15,6 +15,7 @@ import (
 	"strings"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
@ -151,6 +152,9 @@ type (
 )

 func (n *Layer) CreateMultipartUpload(ctx context.Context, p *CreateMultipartParams) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.CreateMultipartUpload")
+	defer span.End()
+
 	metaSize := len(p.Header)
 	if p.Data != nil {
 		metaSize += len(p.Data.TagSet)
@ -190,6 +194,9 @@ func (n *Layer) CreateMultipartUpload(ctx context.Context, p *CreateMultipartPar
 }

 func (n *Layer) UploadPart(ctx context.Context, p *UploadPartParams) (string, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.UploadPart")
+	defer span.End()
+
 	multipartInfo, err := n.treeService.GetMultipartUpload(ctx, p.Info.Bkt, p.Info.Key, p.Info.UploadID)
 	if err != nil {
 		if errors.Is(err, tree.ErrNodeNotFound) {
@ -342,6 +349,9 @@ func (n *Layer) uploadPart(ctx context.Context, multipartInfo *data.MultipartInf
 }

 func (n *Layer) UploadPartCopy(ctx context.Context, p *UploadCopyParams) (*data.ObjectInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.UploadPartCopy")
+	defer span.End()
+
 	multipartInfo, err := n.treeService.GetMultipartUpload(ctx, p.Info.Bkt, p.Info.Key, p.Info.UploadID)
 	if err != nil {
 		if errors.Is(err, tree.ErrNodeNotFound) {
@ -391,6 +401,9 @@ func (n *Layer) UploadPartCopy(ctx context.Context, p *UploadCopyParams) (*data.
 }

 func (n *Layer) CompleteMultipartUpload(ctx context.Context, p *CompleteMultipartParams) (*UploadData, *data.ExtendedObjectInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.CompleteMultipartUpload")
+	defer span.End()
+
 	for i := 1; i < len(p.Parts); i++ {
 		if p.Parts[i].PartNumber <= p.Parts[i-1].PartNumber {
 			return nil, nil, apierr.GetAPIError(apierr.ErrInvalidPartOrder)
@ -513,6 +526,9 @@ func (n *Layer) CompleteMultipartUpload(ctx context.Context, p *CompleteMultipar
 }

 func (n *Layer) ListMultipartUploads(ctx context.Context, p *ListMultipartUploadsParams) (*ListMultipartUploadsInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.ListMultipartUploads")
+	defer span.End()
+
 	var result ListMultipartUploadsInfo
 	if p.MaxUploads == 0 {
 		return &result, nil
@ -573,6 +589,9 @@ func (n *Layer) ListMultipartUploads(ctx context.Context, p *ListMultipartUpload
 }

 func (n *Layer) AbortMultipartUpload(ctx context.Context, p *UploadInfoParams) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.AbortMultipartUpload")
+	defer span.End()
+
 	multipartInfo, parts, err := n.getUploadParts(ctx, p)
 	if err != nil {
 		return err
@ -610,6 +629,9 @@ func (n *Layer) deleteUploadedParts(ctx context.Context, bkt *data.BucketInfo, p
 }

 func (n *Layer) ListParts(ctx context.Context, p *ListPartsParams) (*ListPartsInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.ListParts")
+	defer span.End()
+
 	var res ListPartsInfo
 	multipartInfo, partsInfo, err := n.getUploadParts(ctx, p.Info)
 	if err != nil {
--- a/api/layer/object.go
+++ b/api/layer/object.go
@ -17,6 +17,7 @@ import (
 	"strconv"
 	"strings"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/auth"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
@ -227,6 +228,9 @@ func ParseCompletedPartHeader(hdr string) (*Part, error) {

 // PutObject stores object into FrostFS, took payload from io.Reader.
 func (n *Layer) PutObject(ctx context.Context, p *PutObjectParams) (*data.ExtendedObjectInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.PutObject")
+	defer span.End()
+
 	bktSettings, err := n.GetBucketSettings(ctx, p.BktInfo)
 	if err != nil {
 		return nil, fmt.Errorf("couldn't get versioning settings object: %w", err)
--- a/api/layer/patch.go
+++ b/api/layer/patch.go
@ -10,6 +10,7 @@ import (
 	"strconv"
 	"strings"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer/frostfs"
@ -25,6 +26,9 @@ type PatchObjectParams struct {
 }

 func (n *Layer) PatchObject(ctx context.Context, p *PatchObjectParams) (*data.ExtendedObjectInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.PatchObject")
+	defer span.End()
+
 	if p.Object.ObjectInfo.Headers[AttributeDecryptedSize] != "" {
 		return nil, fmt.Errorf("patch encrypted object")
 	}
--- a/api/layer/system_object.go
+++ b/api/layer/system_object.go
@ -10,6 +10,7 @@ import (
 	"strconv"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer/frostfs"
@ -32,6 +33,9 @@ type PutLockInfoParams struct {
 }

 func (n *Layer) PutLockInfo(ctx context.Context, p *PutLockInfoParams) (err error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.PutLockInfo")
+	defer span.End()
+
 	newLock := p.NewLock
 	versionNode := p.NodeVersion
 	// sometimes node version can be provided from executing context
@ -139,6 +143,9 @@ func (n *Layer) putLockObject(ctx context.Context, bktInfo *data.BucketInfo, obj
 }

 func (n *Layer) GetLockInfo(ctx context.Context, objVersion *data.ObjectVersion) (*data.LockInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.GetLockInfo")
+	defer span.End()
+
 	owner := n.BearerOwner(ctx)
 	if lockInfo := n.cache.GetLockInfo(owner, lockObjectKey(objVersion)); lockInfo != nil {
 		return lockInfo, nil
@ -206,6 +213,9 @@ func lockObjectKey(objVersion *data.ObjectVersion) string {
 }

 func (n *Layer) GetBucketSettings(ctx context.Context, bktInfo *data.BucketInfo) (*data.BucketSettings, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.GetBucketSettings")
+	defer span.End()
+
 	owner := n.BearerOwner(ctx)
 	if settings := n.cache.GetSettings(owner, bktInfo); settings != nil {
 		return settings, nil
@ -226,6 +236,9 @@ func (n *Layer) GetBucketSettings(ctx context.Context, bktInfo *data.BucketInfo)
 }

 func (n *Layer) PutBucketSettings(ctx context.Context, p *PutSettingsParams) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.PutBucketSettings")
+	defer span.End()
+
 	if err := n.treeService.PutSettingsNode(ctx, p.BktInfo, p.Settings); err != nil {
 		return fmt.Errorf("failed to get settings node: %w", err)
 	}
--- a/api/layer/tagging.go
+++ b/api/layer/tagging.go
@ -5,6 +5,7 @@ import (
 	"errors"
 	"fmt"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer/tree"
@ -16,6 +17,9 @@ import (
 )

 func (n *Layer) GetObjectTagging(ctx context.Context, p *data.GetObjectTaggingParams) (string, map[string]string, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.GetObjectTagging")
+	defer span.End()
+
 	var err error
 	owner := n.BearerOwner(ctx)

@ -52,6 +56,9 @@ func (n *Layer) GetObjectTagging(ctx context.Context, p *data.GetObjectTaggingPa
 }

 func (n *Layer) PutObjectTagging(ctx context.Context, p *data.PutObjectTaggingParams) (err error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.PutObjectTagging")
+	defer span.End()
+
 	nodeVersion := p.NodeVersion
 	if nodeVersion == nil {
 		nodeVersion, err = n.getNodeVersionFromCacheOrFrostfs(ctx, p.ObjectVersion)
@ -75,6 +82,9 @@ func (n *Layer) PutObjectTagging(ctx context.Context, p *data.PutObjectTaggingPa
 }

 func (n *Layer) DeleteObjectTagging(ctx context.Context, p *data.ObjectVersion) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.DeleteObjectTagging")
+	defer span.End()
+
 	version, err := n.getNodeVersion(ctx, p)
 	if err != nil {
 		return err
@ -96,6 +106,9 @@ func (n *Layer) DeleteObjectTagging(ctx context.Context, p *data.ObjectVersion)
 }

 func (n *Layer) GetBucketTagging(ctx context.Context, bktInfo *data.BucketInfo) (map[string]string, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.GetBucketTagging")
+	defer span.End()
+
 	owner := n.BearerOwner(ctx)

 	if tags := n.cache.GetTagging(owner, bucketTaggingCacheKey(bktInfo.CID)); tags != nil {
@ -113,6 +126,9 @@ func (n *Layer) GetBucketTagging(ctx context.Context, bktInfo *data.BucketInfo)
 }

 func (n *Layer) PutBucketTagging(ctx context.Context, bktInfo *data.BucketInfo, tagSet map[string]string) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.PutBucketTagging")
+	defer span.End()
+
 	if err := n.treeService.PutBucketTagging(ctx, bktInfo, tagSet); err != nil {
 		return err
 	}
@ -123,6 +139,9 @@ func (n *Layer) PutBucketTagging(ctx context.Context, bktInfo *data.BucketInfo,
 }

 func (n *Layer) DeleteBucketTagging(ctx context.Context, bktInfo *data.BucketInfo) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "layer.DeleteBucketTagging")
+	defer span.End()
+
 	n.cache.DeleteTagging(bucketTaggingCacheKey(bktInfo.CID))

 	return n.treeService.DeleteBucketTagging(ctx, bktInfo)
--- a/api/middleware/auth.go
+++ b/api/middleware/auth.go
@ -1,12 +1,14 @@
 package middleware

 import (
+	"context"
 	"crypto/elliptic"
 	"errors"
 	"fmt"
 	"net/http"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/creds/accessbox"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs"
@ -30,7 +32,9 @@ type (
 	Center interface {
 		// Authenticate validate and authenticate request.
 		// Must return ErrNoAuthorizationHeader if auth header is missed.
-		Authenticate(request *http.Request) (*Box, error)
+		// Authenticate uses a separate context so that the authorization
+		// span middleware does not contain all subsequent spans.
+		Authenticate(ctx context.Context, request *http.Request) (*Box, error)
 	}

 	//nolint:revive
@ -47,34 +51,38 @@ var ErrNoAuthorizationHeader = errors.New("no authorization header")
 func Auth(center Center, log *zap.Logger) Func {
 	return func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			ctx := r.Context()
-			reqInfo := GetReqInfo(ctx)
+			reqCtx := r.Context()
+			ctx, span := tracing.StartSpanFromContext(reqCtx, "middleware.Auth")
+
+			reqInfo := GetReqInfo(reqCtx)
 			reqInfo.User = "anon"
-			box, err := center.Authenticate(r)
+			box, err := center.Authenticate(ctx, r)
 			if err != nil {
 				if errors.Is(err, ErrNoAuthorizationHeader) {
-					reqLogOrDefault(ctx, log).Debug(logs.CouldntReceiveAccessBoxForGateKeyRandomKeyWillBeUsed, zap.Error(err), logs.TagField(logs.TagDatapath))
+					reqLogOrDefault(reqCtx, log).Debug(logs.CouldntReceiveAccessBoxForGateKeyRandomKeyWillBeUsed, zap.Error(err), logs.TagField(logs.TagDatapath))
 				} else {
-					reqLogOrDefault(ctx, log).Error(logs.FailedToPassAuthentication, zap.Error(err), logs.TagField(logs.TagDatapath))
+					reqLogOrDefault(reqCtx, log).Error(logs.FailedToPassAuthentication, zap.Error(err), logs.TagField(logs.TagDatapath))
 					err = apierr.TransformToS3Error(err)
 					if err.(apierr.Error).ErrCode == apierr.ErrInternalError {
 						err = apierr.GetAPIError(apierr.ErrAccessDenied)
 					}
 					if _, wrErr := WriteErrorResponse(w, GetReqInfo(r.Context()), err); wrErr != nil {
-						reqLogOrDefault(ctx, log).Error(logs.FailedToWriteResponse, zap.Error(wrErr), logs.TagField(logs.TagDatapath))
+						reqLogOrDefault(reqCtx, log).Error(logs.FailedToWriteResponse, zap.Error(wrErr), logs.TagField(logs.TagDatapath))
 					}
+					span.End()
 					return
 				}
 			} else {
-				ctx = SetBox(ctx, box)
+				reqCtx = SetBox(reqCtx, box)

 				if box.AccessBox.Gate.BearerToken != nil {
 					reqInfo.User = bearer.ResolveIssuer(*box.AccessBox.Gate.BearerToken).String()
 				}
-				reqLogOrDefault(ctx, log).Debug(logs.SuccessfulAuth, zap.String("accessKeyID", box.AuthHeaders.AccessKeyID), logs.TagField(logs.TagDatapath))
+				reqLogOrDefault(reqCtx, log).Debug(logs.SuccessfulAuth, zap.String("accessKeyID", box.AuthHeaders.AccessKeyID), logs.TagField(logs.TagDatapath))
 			}

-			h.ServeHTTP(w, r.WithContext(ctx))
+			span.End()
+			h.ServeHTTP(w, r.WithContext(reqCtx))
 		})
 	}
 }
@ -86,22 +94,26 @@ type FrostFSIDValidator interface {
 func FrostfsIDValidation(frostfsID FrostFSIDValidator, log *zap.Logger) Func {
 	return func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			ctx := r.Context()
+			ctx, span := tracing.StartSpanFromContext(r.Context(), "middleware.FrostfsIDValidation")
+
 			bd, err := GetBoxData(ctx)
 			if err != nil || bd.Gate.BearerToken == nil {
 				reqLogOrDefault(ctx, log).Debug(logs.AnonRequestSkipFrostfsIDValidation, logs.TagField(logs.TagDatapath))
+				span.End()
 				h.ServeHTTP(w, r)
 				return
 			}

 			if err = validateBearerToken(frostfsID, bd.Gate.BearerToken); err != nil {
 				reqLogOrDefault(ctx, log).Error(logs.FrostfsIDValidationFailed, zap.Error(err), logs.TagField(logs.TagDatapath))
-				if _, wrErr := WriteErrorResponse(w, GetReqInfo(r.Context()), err); wrErr != nil {
+				if _, wrErr := WriteErrorResponse(w, GetReqInfo(ctx), err); wrErr != nil {
 					reqLogOrDefault(ctx, log).Error(logs.FailedToWriteResponse, zap.Error(wrErr), logs.TagField(logs.TagDatapath))
 				}
+				span.End()
 				return
 			}

+			span.End()
 			h.ServeHTTP(w, r)
 		})
 	}
--- a/api/middleware/policy.go
+++ b/api/middleware/policy.go
@ -10,6 +10,7 @@ import (
 	"net/url"
 	"strings"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	apierr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/logs"
@ -88,32 +89,35 @@ type PolicyConfig struct {
 func PolicyCheck(cfg PolicyConfig) Func {
 	return func(h http.Handler) http.Handler {
 		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-			ctx := r.Context()
-			if err := policyCheck(r, cfg); err != nil {
+			ctx, span := tracing.StartSpanFromContext(r.Context(), "middleware.PolicyCheck")
+
+			if err := policyCheck(ctx, r, cfg); err != nil {
 				reqLogOrDefault(ctx, cfg.Log).Error(logs.PolicyValidationFailed, zap.Error(err), logs.TagField(logs.TagDatapath))
 				err = apierr.TransformToS3Error(err)
 				if _, wrErr := WriteErrorResponse(w, GetReqInfo(ctx), err); wrErr != nil {
 					reqLogOrDefault(ctx, cfg.Log).Error(logs.FailedToWriteResponse, zap.Error(wrErr), logs.TagField(logs.TagDatapath))
 				}
+				span.End()
 				return
 			}

+			span.End()
 			h.ServeHTTP(w, r)
 		})
 	}
 }

-func policyCheck(r *http.Request, cfg PolicyConfig) error {
-	reqInfo := GetReqInfo(r.Context())
+func policyCheck(ctx context.Context, r *http.Request, cfg PolicyConfig) error {
+	reqInfo := GetReqInfo(ctx)

-	req, userKey, userGroups, err := getPolicyRequest(r, cfg, reqInfo.RequestType, reqInfo.BucketName, reqInfo.ObjectName)
+	req, userKey, userGroups, err := getPolicyRequest(ctx, r, cfg, reqInfo.RequestType, reqInfo.BucketName, reqInfo.ObjectName)
 	if err != nil {
 		return err
 	}

 	var bktInfo *data.BucketInfo
 	if reqInfo.RequestType != noneType && !strings.HasSuffix(req.Operation(), CreateBucketOperation) {
-		bktInfo, err = cfg.BucketResolver(r.Context(), reqInfo.BucketName)
+		bktInfo, err = cfg.BucketResolver(ctx, reqInfo.BucketName)
 		if err != nil {
 			return err
 		}
@ -161,7 +165,7 @@ func policyCheck(r *http.Request, cfg PolicyConfig) error {
 	return nil
 }

-func getPolicyRequest(r *http.Request, cfg PolicyConfig, reqType ReqType, bktName string, objName string) (*testutil.Request, *keys.PublicKey, []string, error) {
+func getPolicyRequest(ctx context.Context, r *http.Request, cfg PolicyConfig, reqType ReqType, bktName string, objName string) (*testutil.Request, *keys.PublicKey, []string, error) {
 	var (
 		owner  string
 		groups []string
@ -169,7 +173,6 @@ func getPolicyRequest(r *http.Request, cfg PolicyConfig, reqType ReqType, bktNam
 		pk     *keys.PublicKey
 	)

-	ctx := r.Context()
 	bd, err := GetBoxData(ctx)
 	if err == nil && bd.Gate.BearerToken != nil {
 		pk, err = keys.NewPublicKeyFromBytes(bd.Gate.BearerToken.SigningKeyBytes(), elliptic.P256())
@ -193,7 +196,7 @@ func getPolicyRequest(r *http.Request, cfg PolicyConfig, reqType ReqType, bktNam
 		res = fmt.Sprintf(s3.ResourceFormatS3Bucket, bktName)
 	}

-	requestProps, resourceProps, err := determineProperties(r, cfg.Decoder, cfg.BucketResolver, cfg.Tagging, reqType, op, bktName, objName, owner, groups, tags)
+	requestProps, resourceProps, err := determineProperties(ctx, r, cfg.Decoder, cfg.BucketResolver, cfg.Tagging, reqType, op, bktName, objName, owner, groups, tags)
 	if err != nil {
 		return nil, nil, nil, fmt.Errorf("determine properties: %w", err)
 	}
@ -420,7 +423,7 @@ func determineGeneralOperation(r *http.Request) string {
 	return "UnmatchedOperation"
 }

-func determineProperties(r *http.Request, decoder XMLDecoder, resolver BucketResolveFunc, tagging ResourceTagging, reqType ReqType,
+func determineProperties(ctx context.Context, r *http.Request, decoder XMLDecoder, resolver BucketResolveFunc, tagging ResourceTagging, reqType ReqType,
 	op, bktName, objName, owner string, groups []string, userClaims map[string]string) (requestProperties map[string]string, resourceProperties map[string]string, err error) {
 	requestProperties = map[string]string{
 		s3.PropertyKeyOwner:                owner,
@ -468,7 +471,7 @@ func determineProperties(r *http.Request, decoder XMLDecoder, resolver BucketRes
 		requestProperties[k] = v
 	}

-	resourceProperties, err = determineResourceTags(r.Context(), reqType, op, bktName, objName, queries.Get(QueryVersionID), resolver, tagging)
+	resourceProperties, err = determineResourceTags(ctx, reqType, op, bktName, objName, queries.Get(QueryVersionID), resolver, tagging)
 	if err != nil {
 		return nil, nil, fmt.Errorf("determine resource tags: %w", err)
 	}
--- a/api/router_mock_test.go
+++ b/api/router_mock_test.go
@ -45,7 +45,7 @@ type centerMock struct {
 	key          *keys.PrivateKey
 }

-func (c *centerMock) Authenticate(*http.Request) (*middleware.Box, error) {
+func (c *centerMock) Authenticate(context.Context, *http.Request) (*middleware.Box, error) {
 	if c.noAuthHeader {
 		return nil, middleware.ErrNoAuthorizationHeader
 	}
--- a/go.mod
+++ b/go.mod
@ -4,7 +4,7 @@ go 1.22

 require (
 	git.frostfs.info/TrueCloudLab/frostfs-contract v0.20.1-0.20241022094040-5f956751d48b
-	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20241112082307-f17779933e88
+	git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20241125133852-37bd75821121
 	git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20250130095343-593dd77d841a
 	git.frostfs.info/TrueCloudLab/multinet v0.0.0-20241015075604-6cb0d80e0972
 	git.frostfs.info/TrueCloudLab/policy-engine v0.0.0-20240822104152-a3bc3099bd5b
--- a/go.sum
+++ b/go.sum
@ -40,10 +40,10 @@ git.frostfs.info/TrueCloudLab/frostfs-contract v0.20.1-0.20241022094040-5f956751
 git.frostfs.info/TrueCloudLab/frostfs-contract v0.20.1-0.20241022094040-5f956751d48b/go.mod h1:5fSm/l5xSjGWqsPUffSdboiGFUHa7y/1S0fvxzQowN8=
 git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0 h1:FxqFDhQYYgpe41qsIHVOcdzSVCB8JNSfPG7Uk4r2oSk=
 git.frostfs.info/TrueCloudLab/frostfs-crypto v0.6.0/go.mod h1:RUIKZATQLJ+TaYQa60X2fTDwfuhMfm8Ar60bQ5fr+vU=
-git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20241112082307-f17779933e88 h1:9bvBDLApbbO5sXBKdODpE9tzy3HV99nXxkDWNn22rdI=
-git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20241112082307-f17779933e88/go.mod h1:kbwB4v2o6RyOfCo9kEFeUDZIX3LKhmS0yXPrtvzkQ1g=
 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20250130095343-593dd77d841a h1:Ud+3zz4WP9HPxEQxDPJZPpiPdm30nDNSKucsWP9L54M=
 git.frostfs.info/TrueCloudLab/frostfs-sdk-go v0.0.0-20250130095343-593dd77d841a/go.mod h1:aQpPWfG8oyfJ2X+FenPTJpSRWZjwcP5/RAtkW+/VEX8=
+git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20241125133852-37bd75821121 h1:/Z8DfbLZXp7exUQWUKoG/9tbFdI9d5lV1qSReaYoG8I=
+git.frostfs.info/TrueCloudLab/frostfs-observability v0.0.0-20241125133852-37bd75821121/go.mod h1:kbwB4v2o6RyOfCo9kEFeUDZIX3LKhmS0yXPrtvzkQ1g=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1 h1:ccBRK21rFvY5R1WotI6LNoPlizk7qSvdfD8lNIRudVc=
 git.frostfs.info/TrueCloudLab/hrw v1.2.1/go.mod h1:C1Ygde2n843yTZEQ0FP69jYiuaYV0kriLvP4zm8JuvM=
 git.frostfs.info/TrueCloudLab/multinet v0.0.0-20241015075604-6cb0d80e0972 h1:/960fWeyn2AFHwQUwDsWB3sbP6lTEnFnMzLMM6tx6N8=
--- a/internal/frostfs/frostfs.go
+++ b/internal/frostfs/frostfs.go
@ -9,6 +9,7 @@ import (
 	"strings"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer/frostfs"
 	frosterr "git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/errors"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/internal/frostfs/util"
@ -57,6 +58,9 @@ func NewFrostFS(p *pool.Pool, key *keys.PrivateKey) *FrostFS {

 // TimeToEpoch implements layer.FrostFS interface method.
 func (x *FrostFS) TimeToEpoch(ctx context.Context, now, futureTime time.Time) (uint64, uint64, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.TimeToEpoch")
+	defer span.End()
+
 	if futureTime.Before(now) {
 		return 0, 0, fmt.Errorf("time '%s' must be in the future (after %s)",
 			futureTime.Format(time.RFC3339), now.Format(time.RFC3339))
@ -77,6 +81,9 @@ func (x *FrostFS) TimeToEpoch(ctx context.Context, now, futureTime time.Time) (u

 // Container implements layer.FrostFS interface method.
 func (x *FrostFS) Container(ctx context.Context, layerPrm frostfs.PrmContainer) (*container.Container, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.Container")
+	defer span.End()
+
 	prm := pool.PrmContainerGet{
 		ContainerID: layerPrm.ContainerID,
 		Session:     layerPrm.SessionToken,
@ -92,6 +99,9 @@ func (x *FrostFS) Container(ctx context.Context, layerPrm frostfs.PrmContainer)

 // CreateContainer implements layer.FrostFS interface method.
 func (x *FrostFS) CreateContainer(ctx context.Context, prm frostfs.PrmContainerCreate) (*frostfs.ContainerCreateResult, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.CreateContainer")
+	defer span.End()
+
 	var cnr container.Container
 	cnr.Init()
 	cnr.SetPlacementPolicy(prm.Policy)
@ -139,6 +149,9 @@ func (x *FrostFS) CreateContainer(ctx context.Context, prm frostfs.PrmContainerC

 // AddContainerPolicyChain implements frostfs.FrostFS interface method.
 func (x *FrostFS) AddContainerPolicyChain(ctx context.Context, prm frostfs.PrmAddContainerPolicyChain) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.AddContainerPolicyChain")
+	defer span.End()
+
 	data, err := prm.Chain.MarshalBinary()
 	if err != nil {
 		return err
@ -158,6 +171,9 @@ func (x *FrostFS) AddContainerPolicyChain(ctx context.Context, prm frostfs.PrmAd

 // UserContainers implements layer.FrostFS interface method.
 func (x *FrostFS) UserContainers(ctx context.Context, layerPrm frostfs.PrmUserContainers) ([]cid.ID, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.UserContainers")
+	defer span.End()
+
 	prm := pool.PrmContainerList{
 		OwnerID: layerPrm.UserID,
 		Session: layerPrm.SessionToken,
@ -169,6 +185,9 @@ func (x *FrostFS) UserContainers(ctx context.Context, layerPrm frostfs.PrmUserCo

 // DeleteContainer implements layer.FrostFS interface method.
 func (x *FrostFS) DeleteContainer(ctx context.Context, id cid.ID, token *session.Container) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.DeleteContainer")
+	defer span.End()
+
 	prm := pool.PrmContainerDelete{ContainerID: id, Session: token, WaitParams: &x.await}

 	err := x.pool.DeleteContainer(ctx, prm)
@ -177,6 +196,9 @@ func (x *FrostFS) DeleteContainer(ctx context.Context, id cid.ID, token *session

 // CreateObject implements layer.FrostFS interface method.
 func (x *FrostFS) CreateObject(ctx context.Context, prm frostfs.PrmObjectCreate) (*frostfs.CreateObjectResult, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.CreateObject")
+	defer span.End()
+
 	attrNum := len(prm.Attributes) + 1 // + creation time

 	if prm.Filepath != "" {
@ -271,6 +293,9 @@ func (x payloadReader) Read(p []byte) (int, error) {

 // HeadObject implements layer.FrostFS interface method.
 func (x *FrostFS) HeadObject(ctx context.Context, prm frostfs.PrmObjectHead) (*object.Object, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.HeadObject")
+	defer span.End()
+
 	var addr oid.Address
 	addr.SetContainer(prm.Container)
 	addr.SetObject(prm.Object)
@ -294,6 +319,9 @@ func (x *FrostFS) HeadObject(ctx context.Context, prm frostfs.PrmObjectHead) (*o

 // GetObject implements layer.FrostFS interface method.
 func (x *FrostFS) GetObject(ctx context.Context, prm frostfs.PrmObjectGet) (*frostfs.Object, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.GetObject")
+	defer span.End()
+
 	var addr oid.Address
 	addr.SetContainer(prm.Container)
 	addr.SetObject(prm.Object)
@ -320,6 +348,9 @@ func (x *FrostFS) GetObject(ctx context.Context, prm frostfs.PrmObjectGet) (*fro

 // RangeObject implements layer.FrostFS interface method.
 func (x *FrostFS) RangeObject(ctx context.Context, prm frostfs.PrmObjectRange) (io.ReadCloser, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.RangeObject")
+	defer span.End()
+
 	var addr oid.Address
 	addr.SetContainer(prm.Container)
 	addr.SetObject(prm.Object)
@ -345,6 +376,9 @@ func (x *FrostFS) RangeObject(ctx context.Context, prm frostfs.PrmObjectRange) (

 // DeleteObject implements layer.FrostFS interface method.
 func (x *FrostFS) DeleteObject(ctx context.Context, prm frostfs.PrmObjectDelete) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.DeleteObject")
+	defer span.End()
+
 	var addr oid.Address
 	addr.SetContainer(prm.Container)
 	addr.SetObject(prm.Object)
@ -364,6 +398,9 @@ func (x *FrostFS) DeleteObject(ctx context.Context, prm frostfs.PrmObjectDelete)

 // SearchObjects implements layer.FrostFS interface method.
 func (x *FrostFS) SearchObjects(ctx context.Context, prm frostfs.PrmObjectSearch) ([]oid.ID, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.SearchObjects")
+	defer span.End()
+
 	filters := object.NewSearchFilters()
 	filters.AddRootFilter()

@ -401,6 +438,9 @@ func (x *FrostFS) SearchObjects(ctx context.Context, prm frostfs.PrmObjectSearch

 // NetworkInfo implements layer.FrostFS interface method.
 func (x *FrostFS) NetworkInfo(ctx context.Context) (netmap.NetworkInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.NetworkInfo")
+	defer span.End()
+
 	ni, err := x.pool.NetworkInfo(ctx)
 	if err != nil {
 		return ni, handleObjectError("get network info via connection pool", err)
@ -410,6 +450,9 @@ func (x *FrostFS) NetworkInfo(ctx context.Context) (netmap.NetworkInfo, error) {
 }

 func (x *FrostFS) NetmapSnapshot(ctx context.Context) (netmap.NetMap, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.NetmapSnapshot")
+	defer span.End()
+
 	netmapSnapshot, err := x.pool.NetMapSnapshot(ctx)
 	if err != nil {
 		return netmapSnapshot, handleObjectError("get netmap via connection pool", err)
@ -419,6 +462,9 @@ func (x *FrostFS) NetmapSnapshot(ctx context.Context) (netmap.NetMap, error) {
 }

 func (x *FrostFS) PatchObject(ctx context.Context, prm frostfs.PrmObjectPatch) (oid.ID, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.PatchObject")
+	defer span.End()
+
 	var addr oid.Address
 	addr.SetContainer(prm.Container)
 	addr.SetObject(prm.Object)
@ -467,6 +513,9 @@ func NewResolverFrostFS(p *pool.Pool) *ResolverFrostFS {

 // SystemDNS implements resolver.FrostFS interface method.
 func (x *ResolverFrostFS) SystemDNS(ctx context.Context) (string, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "frostfs.SystemDNS")
+	defer span.End()
+
 	networkInfo, err := x.pool.NetworkInfo(ctx)
 	if err != nil {
 		return "", handleObjectError("read network info via client", err)
--- a/pkg/service/tree/tree.go
+++ b/pkg/service/tree/tree.go
@ -11,6 +11,7 @@ import (
 	"strings"
 	"time"

+	"git.frostfs.info/TrueCloudLab/frostfs-observability/tracing"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/data"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer/frostfs"
 	"git.frostfs.info/TrueCloudLab/frostfs-s3-gw/api/layer/tree"
@ -493,6 +494,9 @@ func newPartInfo(node NodeResponse) (*data.PartInfoExtended, error) {
 }

 func (c *Tree) GetSettingsNode(ctx context.Context, bktInfo *data.BucketInfo) (*data.BucketSettings, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetSettingsNode")
+	defer span.End()
+
 	multiNode, err := c.getSystemNode(ctx, bktInfo, settingsFileName)
 	if err != nil {
 		return nil, fmt.Errorf("couldn't get node: %w", err)
@ -523,6 +527,9 @@ func (c *Tree) GetSettingsNode(ctx context.Context, bktInfo *data.BucketInfo) (*
 }

 func (c *Tree) PutSettingsNode(ctx context.Context, bktInfo *data.BucketInfo, settings *data.BucketSettings) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.PutSettingsNode")
+	defer span.End()
+
 	multiNode, err := c.getSystemNode(ctx, bktInfo, settingsFileName)
 	isErrNotFound := errors.Is(err, tree.ErrNodeNotFound)
 	if err != nil && !isErrNotFound {
@ -552,6 +559,9 @@ func (c *Tree) PutSettingsNode(ctx context.Context, bktInfo *data.BucketInfo, se
 }

 func (c *Tree) GetBucketCORS(ctx context.Context, bktInfo *data.BucketInfo) (oid.Address, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetBucketCORS")
+	defer span.End()
+
 	node, err := c.getSystemNode(ctx, bktInfo, corsFilename)
 	if err != nil {
 		return oid.Address{}, err
@ -561,6 +571,9 @@ func (c *Tree) GetBucketCORS(ctx context.Context, bktInfo *data.BucketInfo) (oid
 }

 func (c *Tree) PutBucketCORS(ctx context.Context, bktInfo *data.BucketInfo, addr oid.Address) ([]oid.Address, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.PutBucketCORS")
+	defer span.End()
+
 	multiNode, err := c.getSystemNode(ctx, bktInfo, corsFilename)
 	isErrNotFound := errors.Is(err, tree.ErrNodeNotFound)
 	if err != nil && !isErrNotFound {
@ -601,6 +614,9 @@ func (c *Tree) PutBucketCORS(ctx context.Context, bktInfo *data.BucketInfo, addr
 }

 func (c *Tree) DeleteBucketCORS(ctx context.Context, bktInfo *data.BucketInfo) ([]oid.Address, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.DeleteBucketCORS")
+	defer span.End()
+
 	multiNode, err := c.getSystemNode(ctx, bktInfo, corsFilename)
 	isErrNotFound := errors.Is(err, tree.ErrNodeNotFound)
 	if err != nil && !isErrNotFound {
@ -658,6 +674,9 @@ func (c *Tree) cleanOldNodes(ctx context.Context, nodes []*treeNode, bktInfo *da
 }

 func (c *Tree) GetObjectTagging(ctx context.Context, bktInfo *data.BucketInfo, objVersion *data.NodeVersion) (map[string]string, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetObjectTagging")
+	defer span.End()
+
 	tagNode, err := c.getTreeNode(ctx, bktInfo, objVersion.ID, isTagKV)
 	if err != nil {
 		return nil, err
@ -683,6 +702,9 @@ func getObjectTagging(tagNode *treeNode) map[string]string {
 }

 func (c *Tree) PutObjectTagging(ctx context.Context, bktInfo *data.BucketInfo, objVersion *data.NodeVersion, tagSet map[string]string) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.PutObjectTagging")
+	defer span.End()
+
 	tagNode, err := c.getTreeNode(ctx, bktInfo, objVersion.ID, isTagKV)
 	if err != nil {
 		return err
@ -709,10 +731,16 @@ func (c *Tree) PutObjectTagging(ctx context.Context, bktInfo *data.BucketInfo, o
 }

 func (c *Tree) DeleteObjectTagging(ctx context.Context, bktInfo *data.BucketInfo, objVersion *data.NodeVersion) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.DeleteObjectTagging")
+	defer span.End()
+
 	return c.PutObjectTagging(ctx, bktInfo, objVersion, nil)
 }

 func (c *Tree) GetBucketTagging(ctx context.Context, bktInfo *data.BucketInfo) (map[string]string, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetBucketTagging")
+	defer span.End()
+
 	multiNode, err := c.getSystemNode(ctx, bktInfo, bucketTaggingFilename)
 	if err != nil {
 		return nil, err
@ -730,6 +758,9 @@ func (c *Tree) GetBucketTagging(ctx context.Context, bktInfo *data.BucketInfo) (
 }

 func (c *Tree) PutBucketTagging(ctx context.Context, bktInfo *data.BucketInfo, tagSet map[string]string) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.PutBucketTagging")
+	defer span.End()
+
 	multiNode, err := c.getSystemNode(ctx, bktInfo, bucketTaggingFilename)
 	isErrNotFound := errors.Is(err, tree.ErrNodeNotFound)
 	if err != nil && !isErrNotFound {
@ -764,6 +795,9 @@ func (c *Tree) PutBucketTagging(ctx context.Context, bktInfo *data.BucketInfo, t
 }

 func (c *Tree) DeleteBucketTagging(ctx context.Context, bktInfo *data.BucketInfo) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.DeleteBucketTagging")
+	defer span.End()
+
 	return c.PutBucketTagging(ctx, bktInfo, nil)
 }

@ -807,10 +841,16 @@ func (c *Tree) getTreeNodes(ctx context.Context, bktInfo *data.BucketInfo, nodeI
 }

 func (c *Tree) GetVersions(ctx context.Context, bktInfo *data.BucketInfo, filepath string) ([]*data.NodeVersion, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetVersions")
+	defer span.End()
+
 	return c.getVersions(ctx, bktInfo, versionTree, filepath, false)
 }

 func (c *Tree) GetLatestVersion(ctx context.Context, bktInfo *data.BucketInfo, objectName string) (*data.NodeVersion, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetLatestVersion")
+	defer span.End()
+
 	meta := []string{oidKV, isCombinedKV, isUnversionedKV, isDeleteMarkerKV, etagKV, sizeKV, md5KV, creationEpochKV}
 	path := pathFromName(objectName)

@ -1080,6 +1120,9 @@ func (s *VersionsByPrefixStreamImpl) parseNodeResponse(node NodeResponse) (res *
 }

 func (c *Tree) InitVersionsByPrefixStream(ctx context.Context, bktInfo *data.BucketInfo, prefix string, latestOnly bool) (data.VersionsStream, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.InitVersionsByPrefixStream")
+	defer span.End()
+
 	mainStream, tailPrefix, rootID, err := c.getSubTreeByPrefixMainStream(ctx, bktInfo, versionTree, prefix)
 	if err != nil {
 		if errors.Is(err, io.EOF) {
@ -1272,6 +1315,9 @@ func formLatestNodeKey(parentID uint64, fileName string) string {
 }

 func (c *Tree) GetUnversioned(ctx context.Context, bktInfo *data.BucketInfo, filepath string) (*data.NodeVersion, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetUnversioned")
+	defer span.End()
+
 	return c.getUnversioned(ctx, bktInfo, versionTree, filepath)
 }

@ -1300,14 +1346,23 @@ func (c *Tree) getUnversioned(ctx context.Context, bktInfo *data.BucketInfo, tre
 }

 func (c *Tree) AddVersion(ctx context.Context, bktInfo *data.BucketInfo, version *data.NodeVersion) (uint64, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.AddVersion")
+	defer span.End()
+
 	return c.addVersion(ctx, bktInfo, versionTree, version)
 }

 func (c *Tree) RemoveVersion(ctx context.Context, bktInfo *data.BucketInfo, id uint64) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.RemoveVersion")
+	defer span.End()
+
 	return c.service.RemoveNode(ctx, bktInfo, versionTree, id)
 }

 func (c *Tree) CreateMultipartUpload(ctx context.Context, bktInfo *data.BucketInfo, info *data.MultipartInfo) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.CreateMultipartUpload")
+	defer span.End()
+
 	path := pathFromName(info.Key)
 	meta := metaFromMultipart(info, path[len(path)-1])
 	_, err := c.service.AddNodeByPath(ctx, bktInfo, systemTree, path[:len(path)-1], meta)
@ -1316,6 +1371,9 @@ func (c *Tree) CreateMultipartUpload(ctx context.Context, bktInfo *data.BucketIn
 }

 func (c *Tree) GetMultipartUploadsByPrefix(ctx context.Context, bktInfo *data.BucketInfo, prefix string) ([]*data.MultipartInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetMultipartUploadsByPrefix")
+	defer span.End()
+
 	subTreeNodes, headPrefix, err := c.getSubTreeByPrefix(ctx, bktInfo, systemTree, prefix, false)
 	if err != nil {
 		return nil, err
@ -1396,6 +1454,9 @@ func (c *Tree) getSubTreeMultipartUploads(ctx context.Context, bktInfo *data.Buc
 }

 func (c *Tree) GetMultipartUpload(ctx context.Context, bktInfo *data.BucketInfo, objectName, uploadID string) (*data.MultipartInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetMultipartUpload")
+	defer span.End()
+
 	path := pathFromName(objectName)
 	p := &GetNodesParams{
 		BktInfo:  bktInfo,
@ -1427,6 +1488,9 @@ func (c *Tree) GetMultipartUpload(ctx context.Context, bktInfo *data.BucketInfo,
 }

 func (c *Tree) AddPart(ctx context.Context, bktInfo *data.BucketInfo, multipartNodeID uint64, info *data.PartInfo) (oldObjIDsToDelete []oid.ID, err error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.AddPart")
+	defer span.End()
+
 	parts, err := c.service.GetSubTree(ctx, bktInfo, systemTree, []uint64{multipartNodeID}, 2, false)
 	if err != nil {
 		return nil, err
@ -1507,6 +1571,9 @@ func (c *Tree) AddPart(ctx context.Context, bktInfo *data.BucketInfo, multipartN
 }

 func (c *Tree) GetParts(ctx context.Context, bktInfo *data.BucketInfo, multipartNodeID uint64) ([]*data.PartInfoExtended, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetParts")
+	defer span.End()
+
 	parts, err := c.service.GetSubTree(ctx, bktInfo, systemTree, []uint64{multipartNodeID}, 2, false)
 	if err != nil {
 		return nil, err
@ -1541,6 +1608,9 @@ func (c *Tree) GetParts(ctx context.Context, bktInfo *data.BucketInfo, multipart
 }

 func (c *Tree) PutBucketLifecycleConfiguration(ctx context.Context, bktInfo *data.BucketInfo, addr oid.Address) ([]oid.Address, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.PutBucketLifecycleConfiguration")
+	defer span.End()
+
 	multiNode, err := c.getSystemNode(ctx, bktInfo, bucketLifecycleFilename)
 	isErrNotFound := errors.Is(err, tree.ErrNodeNotFound)
 	if err != nil && !isErrNotFound {
@ -1581,6 +1651,9 @@ func (c *Tree) PutBucketLifecycleConfiguration(ctx context.Context, bktInfo *dat
 }

 func (c *Tree) GetBucketLifecycleConfiguration(ctx context.Context, bktInfo *data.BucketInfo) (oid.Address, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetBucketLifecycleConfiguration")
+	defer span.End()
+
 	node, err := c.getSystemNode(ctx, bktInfo, bucketLifecycleFilename)
 	if err != nil {
 		return oid.Address{}, fmt.Errorf("get lifecycle node: %w", err)
@ -1590,6 +1663,9 @@ func (c *Tree) GetBucketLifecycleConfiguration(ctx context.Context, bktInfo *dat
 }

 func (c *Tree) DeleteBucketLifecycleConfiguration(ctx context.Context, bktInfo *data.BucketInfo) ([]oid.Address, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.DeleteBucketLifecycleConfiguration")
+	defer span.End()
+
 	multiNode, err := c.getSystemNode(ctx, bktInfo, bucketLifecycleFilename)
 	isErrNotFound := errors.Is(err, tree.ErrNodeNotFound)
 	if err != nil && !isErrNotFound {
@ -1609,6 +1685,9 @@ func (c *Tree) DeleteBucketLifecycleConfiguration(ctx context.Context, bktInfo *
 }

 func (c *Tree) DeleteMultipartUpload(ctx context.Context, bktInfo *data.BucketInfo, multipartInfo *data.MultipartInfo) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.DeleteMultipartUpload")
+	defer span.End()
+
 	err := c.service.RemoveNode(ctx, bktInfo, systemTree, multipartInfo.ID)
 	if err != nil {
 		return err
@ -1620,6 +1699,9 @@ func (c *Tree) DeleteMultipartUpload(ctx context.Context, bktInfo *data.BucketIn
 }

 func (c *Tree) PutLock(ctx context.Context, bktInfo *data.BucketInfo, nodeID uint64, lock *data.LockInfo) error {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.PutLock")
+	defer span.End()
+
 	meta := map[string]string{isLockKV: "true"}

 	if lock.IsLegalHoldSet() {
@ -1642,6 +1724,9 @@ func (c *Tree) PutLock(ctx context.Context, bktInfo *data.BucketInfo, nodeID uin
 }

 func (c *Tree) GetLock(ctx context.Context, bktInfo *data.BucketInfo, nodeID uint64) (*data.LockInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetLock")
+	defer span.End()
+
 	lockNode, err := c.getTreeNode(ctx, bktInfo, nodeID, isLockKV)
 	if err != nil {
 		return nil, err
@ -1681,6 +1766,9 @@ func getLock(lockNode *treeNode) (*data.LockInfo, error) {
 }

 func (c *Tree) GetObjectTaggingAndLock(ctx context.Context, bktInfo *data.BucketInfo, objVersion *data.NodeVersion) (map[string]string, *data.LockInfo, error) {
+	ctx, span := tracing.StartSpanFromContext(ctx, "tree.GetObjectTaggingAndLock")
+	defer span.End()
+
 	nodes, err := c.getTreeNodes(ctx, bktInfo, objVersion.ID, isTagKV, isLockKV)
 	if err != nil {
 		return nil, nil, err
Author	SHA1	Message	Date
Roman Loginov	f8852c7626	[#498 ] Update frostfs-observability version The new version of frostfs-observability has improved the detail of tracing low-level rpc calls by adding send and receive events. Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-02-21 11:25:11 +03:00
Roman Loginov	ac0140506c	[#498 ] middleware: Add spans to detail the trace Spans are added only to the following middleware: * PolicyCheck * Auth * FrostfsIDValidation This is done this way because these middleware are basic and they interact with frostfs-storage. Also, an explicit context has been added to many functions so that the middleware spans do not include all subsequent spans. Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-02-21 11:25:08 +03:00
Roman Loginov	c2c062b778	[#498 ] frostfs: Add spans to detail the trace Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-02-18 18:28:23 +03:00
Roman Loginov	94af2770e5	[#498 ] tree: Add spans to detail the trace Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-02-18 18:14:22 +03:00
Roman Loginov	b5f0d0871c	[#498 ] layer: Add spans to detail the trace Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-02-18 18:14:22 +03:00
Roman Loginov	4f0af5a0fd	[#498 ] handler: Add spans to detail the trace Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-02-18 18:14:11 +03:00
Roman Loginov	bfec3e0a5e	[#619 ] Fix content-length invalid check Signed-off-by: Roman Loginov <r.loginov@yadro.com>	2025-02-18 14:15:23 +00:00
Denis Kirillov	711d6b2c71	[#642 ] Simplify tests Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2025-02-17 09:44:41 +03:00
Denis Kirillov	092567a5a0	Release v0.32.10 Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2025-02-14 16:11:27 +03:00
Denis Kirillov	e0a54fcbd3	[#642 ] Fix streaming empty body Signed-off-by: Denis Kirillov <d.kirillov@yadro.com>	2025-02-13 16:55:27 +03:00
Marina Biryukova	e184b333e4	[#612 ] Port changelog from support branch Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>	2025-02-12 14:50:09 +03:00
Marina Biryukova	853036e44e	[#612 ] Make Content-Md5 header check optional Signed-off-by: Marina Biryukova <m.biryukova@yadro.com>	2025-02-12 14:29:19 +03:00