Multi tenant rule evaluation

[brancz]

Is your proposal related to a problem?

Scope individual rule evaluations to tenants.

Describe the solution you'd like

Have a native solution (opt-in via a flag like --multi-tenant) that automatically evaluates rules scoped to a tenant. Ideally paired with #3822, as then the only thing needed for this is to set the multi tenancy header based on the tenant configured for a particular rule. A simple mean for determining the tenant could be by structuring the rule files on-disk as one directory per tenant.

Describe alternatives you've considered

The only alternative I can think of could be to re-write rules to enforce the tenant as a label, the issue I see with this is that isolation security is an opt-in mechanism essentially, whereas users expect tenant isolation to be the default.

[bwplotka]

Discussions on Contributor Hours:

• Wonder, how is this related to Stateless Ruler epic.

Have a native solution (opt-in via a flag like --multi-tenant) that automatically evaluates rules scoped to a tenant. Ideally paired with #3822, as then the only thing needed for this is to set the multi tenancy header based on the tenant configured for a particular rule. A simple mean for determining the tenant could be by structuring the rule files on-disk as one directory per tenant.

How this is different to tenant label injected to rule by user? I guess it's just automation for that?

[bwplotka]

Also with #3822 fixed isolation would be enforced by querier on request, so the only thing might needed is just making sure the header/param is filled on ruler calling side

[brancz]

Also with #3822 fixed isolation would be enforced by querier on request, so the only thing might needed is just making sure the header/param is filled on ruler calling side

Yes that's what I said in the issue description.

Wonder, how is this related to Stateless Ruler epic.

Yes it's kind of a prerequisite.

[bwplotka]

Right, makes sense to me then, thanks for proposing. LGTM, let's discuss on #3822 on details (header/param and external labels/tenant abstraction)

As agreed: By default non-tenant model, opt-in for build isolation and security.

[kakkoyun]

cc @Abhishek357

[stale]

Hello 👋 Looks like there was no activity on this issue for the last two months.
Do you mind updating us on the status? Is this still reproducible or needed? If yes, just comment on this PR or push a commit. Thanks! 🤗
If there will be no activity in the next two weeks, this issue will be closed (we can always reopen an issue if we need!). Alternatively, use remind command if you wish to be reminded at some point in future.

[yeya24]

We are still interested in this feature.

[stale]

Hello 👋 Looks like there was no activity on this issue for the last two months.
Do you mind updating us on the status? Is this still reproducible or needed? If yes, just comment on this PR or push a commit. Thanks! 🤗
If there will be no activity in the next two weeks, this issue will be closed (we can always reopen an issue if we need!). Alternatively, use remind command if you wish to be reminded at some point in future.

[stale]

Closing for now as promised, let us know if you need this to be reopened! 🤗

[yeya24]

Is this still valid?

[phillebaba]

This is one of the bigger challenges I am facing right now. Running multiple setups of receivers per tenant which write to their own buckets. Then I have a single query deployment that allows running queries across multiple tenants metrics. The thing missing right now is how the ruler should be deployed. Right now it seems a lot simpler to also deploy a ruler per tenant but that just seems to waste resources.