github.com/muhammadn/cortex@v1.9.1-0.20220510110439-46bb7000d03d/docs/guides/authentication-and-authorisation.md (about)

---
title: "Authentication and Authorisation"
linkTitle: "Authentication and Authorisation"
weight: 10
slug: auth
---

All Cortex components take the tenant ID from the `X-Scope-OrgID` header
on each request. A tenant (also called "user" or "org") is the owner of
a set of series written to and queried from Cortex. All Cortex components
trust this value completely: if you need to protect your Cortex installation
from accidental or malicious calls, you must add an additional layer
of protection.

Typically this means you run Cortex behind a reverse proxy, and you must
ensure that all callers, both machines sending data over the `remote_write`
interface and humans sending queries from GUIs, supply credentials
which identify them and confirm they are authorised. When configuring the
`remote_write` API in Prometheus, the user and password fields of HTTP Basic
auth, or a Bearer token, can be used to convey the tenant ID and/or credentials.
See the [Cortex-Tenant](#cortex-tenant) section below for one way to solve this.

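One way to build the protective layer described above, as an added example (not Cortex or cortex-tenant code): a Go reverse proxy that checks HTTP Basic credentials and sets `X-Scope-OrgID` itself, overwriting whatever the caller sent. The credential table, user and tenant names, and listen/upstream addresses are assumptions.

```go
package main

import (
	"crypto/sha256"
	"crypto/subtle"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// Added example, not Cortex code. credential binds a Basic-auth user to one tenant.
type credential struct {
	passHash [32]byte // SHA-256 of the password: fixed length for constant-time compare
	tenant   string
}

// tenantFor returns the tenant bound to valid credentials, or "" otherwise.
func tenantFor(creds map[string]credential, user, pass string) string {
	c, ok := creds[user]
	sum := sha256.Sum256([]byte(pass))
	if subtle.ConstantTimeCompare(sum[:], c.passHash[:]) != 1 || !ok {
		return ""
	}
	return c.tenant
}

// NewAuthProxy authenticates each request, then sets the tenant header from the credential.
func NewAuthProxy(upstream *url.URL, creds map[string]credential) http.Handler {
	proxy := httputil.NewSingleHostReverseProxy(upstream)
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		user, pass, _ := r.BasicAuth()
		tenant := tenantFor(creds, user, pass)
		if tenant == "" {
			http.Error(w, "unauthorized", http.StatusUnauthorized)
			return
		}
		r.Header.Set("X-Scope-OrgID", tenant) // replace any client-supplied value
		r.Header.Del("Authorization")         // proxy credentials stay at the proxy
		proxy.ServeHTTP(w, r)
	})
}

func main() {
	upstream, _ := url.Parse("http://127.0.0.1:9009") // assumed Cortex address
	creds := map[string]credential{ // constructed sample credential
		"prom-team-a": {sha256.Sum256([]byte("example-password")), "team-a"},
	}
	log.Fatal(http.ListenAndServe("127.0.0.1:8080", NewAuthProxy(upstream, creds)))
}
```

Because Cortex trusts the header completely, this only helps if Cortex is reachable solely through the proxy.
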
In trusted environments, Prometheus can send the `X-Scope-OrgID` header itself
by configuring the `headers` field in its [`remote_write` configuration](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write):

```
remote_write:
  - url: http://<cortex>/prometheus/api/v1/push
    headers:
      X-Scope-OrgID: <org>
```

To disable the multi-tenant functionality, you can pass the argument
`-auth.enabled=false` to every Cortex component, which will set the OrgID
to the string `fake` for every request.

Note that the tenant ID that is used to write the series to the datastore
should be the same as the one you use to query the data. If they don't match,
you won't see any data. As of now, you can't see series from other tenants.

For more information regarding the tenant ID limits, refer to: [Tenant ID limitations](./limitations.md#tenant-id-naming)

### Cortex-Tenant

One way to add `X-Scope-OrgID` to Prometheus requests is to use a [cortex-tenant](https://github.com/blind-oracle/cortex-tenant)
proxy, which is able to extract the tenant ID from Prometheus labels.

It can be placed between Prometheus and Cortex and will search for a predefined
label and use its value as the `X-Scope-OrgID` header when proxying the timeseries to Cortex.

This can help to run Cortex in a trusted environment where you want to separate your metrics
into distinct namespaces by some criteria (e.g. teams, applications, etc).

Be advised that **cortex-tenant** is a third-party community project and is not maintained by the Cortex team.