Introduce a regex tenant resolver #6713
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
SungJin1212
force-pushed
the
Support-regex-to-tenant-federation
branch
8 times, most recently
from
1b8963e to
e6a4222
Compare
|
@CharlieTLe |
SungJin1212
force-pushed
the
Support-regex-to-tenant-federation
branch
from
e6a4222 to
63f97d2
Compare
yeya24
reviewed
Apr 24, 2025
SungJin1212
force-pushed
the
Support-regex-to-tenant-federation
branch
from
63f97d2 to
605f91a
Compare
SungJin1212
force-pushed
the
Support-regex-to-tenant-federation
branch
from
605f91a to
d1b80e0
Compare
|
@CharlieTLe |
SungJin1212
force-pushed
the
Support-regex-to-tenant-federation
branch
2 times, most recently
from
b7ef458 to
7321e4b
Compare
SungJin1212
force-pushed
the
Support-regex-to-tenant-federation
branch
6 times, most recently
from
eaeb19e to
1135b06
Compare
yeya24
reviewed
Jun 13, 2025
CHANGELOG.md
Outdated
| @@ -11,6 +11,9 @@ | |||
| * [FEATURE] Ingester: Support out-of-order native histogram ingestion. It automatically enabled when `-ingester.out-of-order-time-window > 0` and `-blocks-storage.tsdb.enable-native-histograms=true`. #6626 #6663 | |||
| * [FEATURE] Ruler: Add support for percentage based sharding for rulers. #6680 | |||
| * [FEATURE] Ruler: Add support for group labels. #6665 | |||
| * [FEATURE] Query federation: Introduce a regex tenant resolver to allow regex in `X-Scope-OrgID` value. #6713 | |||
| - Add a `tenant-federation.regex-matcher-enabled` flag. If it enabled, user can input regex to `X-Scope-OrgId`, the matched tenantIDs are automatically involved. | |||
| - Add a `tenant-federation.user-sync-interval` flag, it specifies how frequently to scan users. The scanned users are used to calculate matched tenantIDs. | |||
There was a problem hiding this comment.
We should document it as experimental feature in the doc
There was a problem hiding this comment.
Maybe we should document that the user discovery is based on scanning block storage so new users are only available every 2h (assuming blocks are only uploaded every 2h).
SungJin1212
force-pushed
the
Support-regex-to-tenant-federation
branch
from
1135b06 to
1a3d2f1
Compare
Signed-off-by: SungJin1212 <[email protected]>
SungJin1212
force-pushed
the
Support-regex-to-tenant-federation
branch
from
1a3d2f1 to
8737cf6
Compare
|
@yeya24 |
yeya24
approved these changes
Jun 21, 2025
|
|
||
| _, err = labels.NewFastRegexMatcher(id) | ||
| if err != nil { | ||
| return "", errInvalidRegex |
There was a problem hiding this comment.
Just want to make sure, this error will be a 400?
There was a problem hiding this comment.
All tenant validation errors are 500 now, maybe we should change the response code to 400.
The current responses are:
{
"status": "error",
"errorType": "server_error",
"error": "expanding series: rpc error: code = Unknown desc = tenant ID is '.' or '..'"
}
{
"status": "error",
"errorType": "server_error",
"error": "expanding series: invalid regex present"
}
There was a problem hiding this comment.
Umm I think this needs to be fixed. We can do it in next PR
| @@ -497,6 +518,11 @@ func (t *Cortex) initQueryFrontendTripperware() (serv services.Service, err erro | |||
| shardedPrometheusCodec := queryrange.NewPrometheusCodec(true, t.Cfg.Querier.ResponseCompression, t.Cfg.API.QuerierDefaultCodec) | |||
| instantQueryCodec := instantquery.NewInstantQueryCodec(t.Cfg.Querier.ResponseCompression, t.Cfg.API.QuerierDefaultCodec) | |||
|
|
|||
| if t.Cfg.TenantFederation.Enabled && t.Cfg.TenantFederation.RegexMatcherEnabled { | |||
| // If regex matcher enabled, we use regex validator to pass regex to the querier | |||
| tenant.WithDefaultResolver(tenantfederation.NewRegexValidator()) | |||
There was a problem hiding this comment.
So the difference of regex validator and regex resolver are:
- regex validator allows regex in tenant ID and it passes it as is
- regex resolver is used in Querier and it is able to resolve the regex to tenant IDs?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR introduces a regex tenant resolver to allow regex in the
X-Scope-OrgIDvalue when the user usestenant-federationfeature.It introduces two flags,
tenant-federation.regex-matcher-enabledandtenant-federation.user-sync-interval.tenant-federation.regex-matcher-enabledenables the regex resolver, which allows regex to theX-Scope-OrgIDvalue.tenant-federation.user-sync-intervalspecifies how frequently to scan users. The scanned users are used to calculate matched tenantIDs.The regex matching rule follows the Prometheus regex matcher (
=~), See here.For example, if there are 3 tenants, whose IDs are
user-1,user-2, anduser-3. We can setX-Scope-OrgIDtouser-.+to query whole tenants.Also, we can use an existing way like setting
user-1|user-2|user-3toX-Scope-OrgID.It reuses
userScannerto find considered tenant IDs. So, only tenants who uploaded blocks are subject to regex resolution.Which issue(s) this PR fixes:
Fixes #6588
Checklist
CHANGELOG.mdupdated - the order of entries should be[CHANGE],[FEATURE],[ENHANCEMENT],[BUGFIX]