-
Notifications
You must be signed in to change notification settings - Fork 2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
query: Passing THANOS-TENANT: <tenant>
header has no effect unless --query.enforce-tenancy
is set
#7339
Comments
This was not a scenario we considered when designing the tenant feature, so yes this won't work at the moment at least. As it is now you can either have enforcement fully enabled on all queries, or not at all. When no tenant header is sent along with the request to the querier, it will use the default tenant for enforcement which can be configured using For now you'd need to setup two different query paths, one for global view where the tenant enforcement is disabled in the querier, and another where enforcement is enabled. The reason for having tenant information at all when enforcement is disabled, is in order to get self-monitoring metrics for each tenant (for example to determine the query load on a per-tenant basis). |
Thanks @jacobbaungard for the input. Not sure if it just me or documentation could be more clear on that - I read the "Tenant Metrics" paragraph and I was under the impression that all I need to do is pass the tenant id along with the header to get the tenant specific metrics. Then the next paragraph "Tenant Enforcement" tells how you can actually enforce this behavior, if you want. But from your explanation they should be combined into one (e.g. there is no tenant-specific metrics without enforcement and vice versa).
|
There is probably some room for improvement on the wording there, happy to take suggestions/PRs on how to word this more clearly. The "Tenant Metrics" section is about annotating Thanos' "self-monitoring metrics" with tenant information - i.e this is about metrics Thanos exports about Thanos itself. For example the Thanos Query component exports metrics such as |
Thanos, Prometheus and Golang version used: v0.35.0
What happened:
Our setup: Grafana -> Query Frontend -> Query -> ...
Goal: 1 global data source to query all data/all tenants + multiple per-tenant datasources.
I was following https://thanos.io/tip/components/query.md/#tenancy in order to setup multi-tenancy on read path.
Enforcing tenancy is not an option, because we need a way to query across all tenants as well and this paragraph gives an impression that this is totally possible by passing tenant-id in the appropriate HTTP request header.
I've setup Grafana datasource to pass
THANOS-TENANT: <tenant>
, but Thanos returned metrics for all tenants. Once I added--query.enforce-tenancy
flag to Thanos Query the aforementioned datasource start working as expected. But it broke global datasource, that allows to query across all the tenants (no metrics were returned).What you expected to happen:
--query.enforce-tenancy
is not set:THANOS-TENANT: <tenant>
header is not provided (current behavior)THANOS-TENANT: <tenant>
header was provided (not working)--query.enforce-tenancy
is set:THANOS-TENANT: <tenant>
header is not provided (current behavior)THANOS-TENANT: <tenant>
header was provided (current behavior)How to reproduce it (as minimally and precisely as possible):
Query Frontend flags related to tenant awareness functionality:
Query flags:
I've tested it through Grafana, but I guess the curl analog would be:
Full logs to relevant components:
Anything else we need to know:
The text was updated successfully, but these errors were encountered: