Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Documentation of OrgID #525

Closed
base698 opened this issue Apr 28, 2019 · 13 comments
Closed

Documentation of OrgID #525

base698 opened this issue Apr 28, 2019 · 13 comments
Labels
stale A stale issue or PR that will automatically be closed.

Comments

@base698
Copy link
Contributor

base698 commented Apr 28, 2019

Describe the bug
Documentation in https://github.com/grafana/loki/blob/master/docs/operations.md mentions an OrgID but the config examples have no mention of org id only s3 credentials. Where do you put the orgid?

Loki is using S3 as object storage. It stores log within directories based on OrgID. For example, Logs from org faker will stored in s3://BUCKET_NAME/faker/.

Expected behavior
Documentation which is consistent.
@base698
Copy link
Contributor Author

base698 commented Apr 28, 2019

What is multitenancy mode?

$ ./loki --help 2>&1 | grep tenan

Nothing returns, don't appear to be an flags documentated.

@daixiang0
Copy link
Contributor

ping @yubozhao

@base698
Copy link
Contributor Author

base698 commented Apr 30, 2019

It works if I do auth_enabled: false. Not sure where the org Id is supposed to come from if it's used.

@yubozhao
Copy link
Contributor

It is not a bug

Loki is designed with multi tenant in mind. If you are using Loki for internal use, you can turn off multi tenant support with auth_enabled to false.

If you want to use the multi tenant support. There are 2 ways to do that.

  1. Fork your own promtail and pass orgID in your header
  2. Have a nginx server in front of Loki and mutate the header by adding orgID

@yubozhao
Copy link
Contributor

It is documented at operation.md

Authentication
Loki does not have an authentication layer. You are expected to run an authenticating reverse proxy in front of your services, such as an Nginx with basic auth or an OAuth2 proxy.

Multi-tenancy
Loki is a multitenant system; requests and data for tenant A are isolated from tenant B. Requests to the Loki API should include an HTTP header (X-Scope-OrgID) identifying the tenant for the request. Tenant IDs can be any alphanumeric string; limiting them to 20 bytes is reasonable. To run in multitenant mode, loki should be started with auth_enabled: true.

Loki can be run in "single-tenant" mode where the X-Scope-OrgID header is not required. In this situation, the tenant ID is defaulted to be fake.

@base698
Copy link
Contributor Author

base698 commented Apr 30, 2019 via email

@base698
Copy link
Contributor Author

base698 commented Apr 30, 2019 via email

@cyriltovena
Copy link
Contributor

Usually authentification system are specific to companies, so if you want to run in multi tenant you should write/use a proxy that will authenticate request and forward the correct X-Scope-OrgID to Loki.

auth_enabled deactivates the need to send the X-Scope-OrgID, in fact it use a single dummy one.

@slim-bean
Copy link
Collaborator

I don't see why support couldn't be added to promtail to specify an OrgID via config which then adds the X-Scope-OrgID header? I don't see any harm in doing this?

@yubozhao
Copy link
Contributor

yubozhao commented May 1, 2019
edited
Loading

I was going to do that @slim-bean. Then other things took priority

@DeepLJH0001
Copy link

DeepLJH0001 commented Aug 16, 2019
edited
Loading

I had resolve this problem,using the nginx-ingress annotation,so it can work well in muti-cluster scene.
the request path may like : muti-cluster->muti-promtail->specific ingress in the cluster which was set to manager-plane and has deploy loki ->loki received

an example ingress for you

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cluster-name-loki
  namespace: loki
  labels:
    app: loki
    chart: loki-0.13.0
    release: release-name
    heritage: Tiller
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Scope-OrgID: cluster-name";
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "false" 
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: loki-servicename
          servicePort: 3100
        path: /cluster-name/loki/*

if your loki was runing in https, please ignore this nginx.ingress.kubernetes.io/ssl-redirect: "false" . may be this demo can add to the documentation if anyone want to set muti-cluster with single loki :)

@stale
Copy link

stale bot commented Sep 15, 2019

This issue has been automatically marked as stale because it has not had any activity in the past 30 days. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale A stale issue or PR that will automatically be closed. label Sep 15, 2019
@stale stale bot closed this as completed Sep 22, 2019
@chiqui3d
Copy link

chiqui3d commented Apr 15, 2021
edited
Loading

I don't understand if Loki doesn't have any kind of OrgID option, then the validation has to be done by us?

Also, I have also added Loki to Nginx as a proxy to do a basic password validation, the problem now that the Docker Driver plugin for Loggging does not have any option to send the user and password, or does it?

So right now, I can't find any way to secure the Loki API

Edit: I finally found the solution with internal network here #1368 (comment)

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
stale A stale issue or PR that will automatically be closed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@base698 @yubozhao @cyriltovena @chiqui3d @slim-bean @DeepLJH0001 @daixiang0