
Comments (6)

weeco commented on September 27, 2024 1

Thanks for explaining your use case. Given that this gateway is fairly simple and only a few lines of code, I'd recommend that you fork it for your own needs. As of now we don't want to add more features so that we can keep it as straightforward as possible.

Keep in mind that the Cortex team is also going to develop an official gateway; maybe your use case can be considered there?

from cortex-gateway.

guptaachin commented on September 27, 2024 1

Okay. I understand that. Thank you for taking the time to understand my use case.
About the Cortex team working on an official gateway: is there a work-in-progress repo or a formal announcement page where I can learn more?
Appreciate all the help.

from cortex-gateway.

weeco commented on September 27, 2024

Hi,
I am struggling to understand the use case for your request.

This gateway can be run in untrusted environments and therefore it is not supposed to accept other X-Scope-OrgID headers.

from cortex-gateway.

guptaachin commented on September 27, 2024

@weeco Thank you for the quick turnaround.
My use case is as follows: I am passing the orgId with a valid JWT token. I am assuming that the trust is established once the JWT is verified. After verification, the orgId coming from upstream is okay to be allowed. Am I understanding this correctly?

from cortex-gateway.

guptaachin commented on September 27, 2024

Hi @weeco,

Please let me explain the complete scenario.

I have Prometheus servers sending metrics to a back-end Cortex setup via cortex-gw. Since Prometheus does not allow adding a custom payload, I am creating a token for all my Prometheus servers with a dummy tenantid:0 and expecting it to be reset on the receiver side. The private key for this is not shared with any of the senders and is only available to cortex-gw for decrypting the incoming bearer token.

Further, on the cortex-gw side, I have an ingress receiving the traffic and adding the right header like so:
nginx.ingress.kubernetes.io/configuration-snippet: "proxy_set_header X-Scope-OrgID {{ .Values.tenant.id }};".
The data is then forwarded from ingress to cortex-gw.

The problem is that cortex-gw replaces this X-Scope-OrgID with the tenant id that I am sending encoded in the bearer token.
I understand that you have designed cortex-gw to provide the tenantid from the sender's side. But I had to do this workaround as the sender is Prometheus, which does not allow adding the tenantid in the header. Also, this design makes sure that the private key is not shared anywhere.

To summarize: prometheusServer (bearer token with dummy tenantid = 0) --> Ingress (adding the desired X-Scope-OrgID) --> Cortex-gw (replacing the X-Scope-OrgID with value 0)

Is there anything we can do to address this use case? Any help is appreciated.

Best

from cortex-gateway.
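
The behaviour discussed in this thread, as an added Go example (not cortex-gateway's own code): the gateway verifies the bearer token and always sets X-Scope-OrgID from the verified claim, so a value added by the ingress (42 here) is replaced by the token's 0. The HS256 signature, the `tenant_id` claim name, the secret and the URL are assumptions of this example, and expiry checks are left out.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"net/http"
	"strings"
)

var b64 = base64.RawURLEncoding

// mac pins HMAC-SHA256 (assumed); the token's own alg header is never consulted.
func mac(secret []byte, msg string) []byte {
	h := hmac.New(sha256.New, secret)
	h.Write([]byte(msg))
	return h.Sum(nil)
}

// sign builds a constructed sample token carrying the hypothetical tenant_id claim.
func sign(secret []byte, tenant string) string {
	body, _ := json.Marshal(map[string]string{"tenant_id": tenant})
	msg := b64.EncodeToString([]byte(`{"alg":"HS256"}`)) + "." + b64.EncodeToString(body)
	return msg + "." + b64.EncodeToString(mac(secret, msg))
}

// enforceTenant drops any inbound X-Scope-OrgID and sets it from the verified claim.
func enforceTenant(secret []byte, r *http.Request) error {
	r.Header.Del("X-Scope-OrgID") // ingress- or client-supplied value is never trusted
	tok := strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")
	head, rest, _ := strings.Cut(tok, ".")
	body, sigPart, _ := strings.Cut(rest, ".")
	sig, err := b64.DecodeString(sigPart)
	raw, _ := b64.DecodeString(body) // only parsed after the signature check passes
	var c struct{ TenantID string `json:"tenant_id"` }
	if err != nil || !hmac.Equal(sig, mac(secret, head+"."+body)) || json.Unmarshal(raw, &c) != nil || c.TenantID == "" {
		return fmt.Errorf("invalid bearer token")
	}
	r.Header.Set("X-Scope-OrgID", c.TenantID)
	return nil
}

func main() {
	r, _ := http.NewRequest("POST", "http://cortex-gw.example/api/prom/push", nil)
	r.Header.Set("Authorization", "Bearer "+sign([]byte("constructed-demo-secret"), "0"))
	r.Header.Set("X-Scope-OrgID", "42") // constructed: value an ingress snippet might add
	fmt.Println(enforceTenant([]byte("constructed-demo-secret"), r), r.Header.Get("X-Scope-OrgID"))
}
```

On a failed verification the header is left unset, so an unverified tenant id never reaches the backend.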

weeco commented on September 27, 2024

@gauscian I think there are no dedicated issues in the Cortex repo, just some notes here and there (in their Slack and in the Grafana blog), see: https://grafana.com/blog/2020/01/21/the-future-of-cortex-into-the-next-decade/

If you can't find an issue for the gateway, I think you can submit an issue for it in the Cortex repo or just ask in their Slack for it. Closing this issue for now.

from cortex-gateway.
