Per org/user/action/log entitlement #4224

Closed
sokoide opened this issue Aug 27, 2021 · 2 comments
Comments

@sokoide
Contributor

sokoide commented Aug 27, 2021

Is your feature request related to a problem? Please describe.
Loki enabled native mTLS for both HTTP and gRPC with #4176. However, the following 2 scenarios are still not supported.

  1. There is no allow/deny per CNAME per action (read/write). All the valid client certs are accepted.
  2. There is no per log line entitlement (allow/deny per logline for query and push)
  3. Besides CNAMEs in client certs, we sometimes want to put Loki behind a reverse proxy and use a specific header set by it (e.g. OIDC-USERNAME) as the client user name.

1 can be implemented with an external mTLS reverse proxy.
2 is not possible with the reverse proxy alone.

Describe the solution you'd like

  • We want to allow/deny users for Push and Query APIs if the authorization feature is enabled
  • The entitlement check should be per orgid ('fake' if single-tenancy), userid, action (read or write) and log line (specified by label)
  • Sometimes we want to put Loki behind a reverse proxy and enable proxy auth (e.g. use OIDC-USERNAME as the end username). To do that, we want to configure trusted CNAMEs in Loki to define whether the OIDC-USERNAME header should be used or not.

Describe alternatives you've considered
If we add an mTLS reverse proxy, we can allow/deny users per API (entry). However, it doesn't have granular controls. For example, it can't allow/deny per log file.

Additional context
Per log file access control is a common requirement for some organizations.

@owen-d
Member

owen-d commented Sep 1, 2021

Hey @sokoide! Great to see another contribution :). I'll add this to my todo list and check it out soon.

@sokoide
Contributor Author

sokoide commented Sep 14, 2021

We'll consider adding the feature into a custom proxy.

@sokoide sokoide closed this as completed Sep 14, 2021