-
Notifications
You must be signed in to change notification settings - Fork 2.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multi tenant rule evaluation #3834
Comments
Discussions on Contributor Hours:
How this is different to tenant label injected to rule by user? I guess it's just automation for that? |
Also with #3822 fixed isolation would be enforced by querier on request, so the only thing might needed is just making sure the header/param is filled on ruler calling side |
Yes that's what I said in the issue description.
Yes it's kind of a prerequisite. |
Right, makes sense to me then, thanks for proposing. LGTM, let's discuss on #3822 on details (header/param and external labels/tenant abstraction) As agreed: By default non-tenant model, opt-in for build isolation and security. |
cc @Abhishek357 |
Hello 👋 Looks like there was no activity on this issue for the last two months. |
We are still interested in this feature. |
Hello 👋 Looks like there was no activity on this issue for the last two months. |
Closing for now as promised, let us know if you need this to be reopened! 🤗 |
Is this still valid? |
This is one of the bigger challenges I am facing right now. Running multiple setups of receivers per tenant which write to their own buckets. Then I have a single query deployment that allows running queries across multiple tenants metrics. The thing missing right now is how the ruler should be deployed. Right now it seems a lot simpler to also deploy a ruler per tenant but that just seems to waste resources. |
Is your proposal related to a problem?
Scope individual rule evaluations to tenants.
Describe the solution you'd like
Have a native solution (opt-in via a flag like
--multi-tenant
) that automatically evaluates rules scoped to a tenant. Ideally paired with #3822, as then the only thing needed for this is to set the multi tenancy header based on the tenant configured for a particular rule. A simple mean for determining the tenant could be by structuring the rule files on-disk as one directory per tenant.Describe alternatives you've considered
The only alternative I can think of could be to re-write rules to enforce the tenant as a label, the issue I see with this is that isolation security is an opt-in mechanism essentially, whereas users expect tenant isolation to be the default.
The text was updated successfully, but these errors were encountered: