Documentation of OrgID
base698 opened this issue · 13 comments
Describe the bug
Documentation in https://github.com/grafana/loki/blob/master/docs/operations.md mentions an OrgID, but the config examples have no mention of an org ID, only S3 credentials. Where do you put the OrgID?
Loki is using S3 as object storage. It stores logs within directories based on OrgID. For example, logs from org faker will be stored in s3://BUCKET_NAME/faker/.
Expected behavior
Documentation which is consistent.
What is multitenancy mode?
```shell
$ ./loki --help 2>&1 | grep tenan
```
Nothing is returned; there don't appear to be any flags documented.
It works if I do auth_enabled: false. Not sure where the org ID is supposed to come from if it's used.
It is not a bug.
Loki is designed with multi-tenancy in mind. If you are using Loki for internal use, you can turn off multi-tenant support by setting auth_enabled to false.
If you want to use the multi-tenant support, there are 2 ways to do that.
- Fork your own promtail and pass the OrgID in your header
- Have an nginx server in front of Loki and mutate the header by adding the OrgID
It is documented at operations.md
Authentication
Loki does not have an authentication layer. You are expected to run an authenticating reverse proxy in front of your services, such as an Nginx with basic auth or an OAuth2 proxy.
Multi-tenancy
Loki is a multitenant system; requests and data for tenant A are isolated from tenant B. Requests to the Loki API should include an HTTP header (X-Scope-OrgID) identifying the tenant for the request. Tenant IDs can be any alphanumeric string; limiting them to 20 bytes is reasonable. To run in multitenant mode, loki should be started with auth_enabled: true.
Loki can be run in "single-tenant" mode where the X-Scope-OrgID header is not required. In this situation, the tenant ID is defaulted to be fake.
Usually authentication systems are specific to companies, so if you want to run in multi-tenant mode you should write/use a proxy that will authenticate requests and forward the correct X-Scope-OrgID to Loki.
auth_enabled deactivates the need to send the X-Scope-OrgID; in fact it uses a single dummy one.
I don't see why support couldn't be added to promtail to specify an OrgID via config, which then adds the X-Scope-OrgID header? I don't see any harm in doing this?
I was going to do that @slim-bean. Then other things took priority.
I have resolved this problem using the nginx-ingress annotation, so it can work well in a multi-cluster scenario.
The request path may look like: multi-cluster -> multi-promtail -> specific ingress in the cluster which was set as the management plane and has Loki deployed -> Loki receives it.
An example ingress for you:
```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cluster-name-loki
  namespace: loki
  labels:
    app: loki
    chart: loki-0.13.0
    release: release-name
    heritage: Tiller
  annotations:
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Scope-OrgID: cluster-name";
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: loki-servicename
          servicePort: 3100
        path: /cluster-name/loki/*
```
If your Loki is running on HTTPS, please ignore the nginx.ingress.kubernetes.io/ssl-redirect: "false" annotation. Maybe this demo can be added to the documentation if anyone wants to set up multi-cluster with a single Loki :)
This issue has been automatically marked as stale because it has not had any activity in the past 30 days. It will be closed in 7 days if no further activity occurs. Thank you for your contributions.
I don't understand: if Loki doesn't have any kind of OrgID option, then does the validation have to be done by us?
Also, I have added Loki behind Nginx as a proxy to do basic password validation; the problem now is that the Docker driver plugin for logging does not have any option to send the user and password, or does it?
So right now, I can't find any way to secure the Loki API.
Edit: I finally found the solution with internal network here #1368 (comment)