thanos icon indicating copy to clipboard operation
thanos copied to clipboard

Published 20 hours ago verified publisher icon thanos-io

Query UI: Add tenant box

Open jacobbaungard opened this issue 1 year ago • 4 comments

  • [x] I added CHANGELOG entry for this change.
  • [ ] Change is not relevant to the end user.

Changes

  • Tenant input box added to the Query UI, in order to be able to specify which tenant the query should use. This is especially useful for setups were tenancy enforcement is enabled (https://github.com/thanos-io/thanos/pull/6756).

tenant-ui

Verification

  • Manually verified that:
    • No tenant header is sent, if textbox is left empty
    • tenant HTTP header is sent if text is not empty
    • The tenant header name changes with the query.tenant-header option
    • The tenant input is added to the URL query params so one can link to the identical query

Todo

  • ~~Add tenant header to label calls used during autocompletion~~ Can be done in followup once https://github.com/prometheus/prometheus/pull/13118 has been released.

jacobbaungard avatar Nov 01 '23 14:11 jacobbaungard

Overall I think the UI is neat. But I do have one question. I assume this feature is mainly used for testing purpose. Is it correct? For production, having users entering arbitrary tenant value seems not safe.

yeya24 avatar Nov 02 '23 01:11 yeya24

Overall I think the UI is neat. But I do have one question. I assume this feature is mainly used for testing purpose. Is it correct? For production, having users entering arbitrary tenant value seems not safe.

In general for the tenancy features, Thanos doesn't do any authentication. If someone has access to the query API, there is nothing stopping anyone from setting an arbitrary tenant with the HTTP headers. It's assumed that you will put something in front of the query API to authenticate users and set the correct tenant.

For the UI specifically, at least as implemented here, I think it should not be exposed directly to end-users if tenancy enforcement is in place. If needed in the future, I think it could be possible to implement this in a way which would allow someone to setup a proxy in front of the UI that first authenticate users, and then set the tenant before reaching the UI, but I am not sure if anyone has that usecase.

jacobbaungard avatar Nov 02 '23 08:11 jacobbaungard

Rebased on latest main, and also added changelog. Currently the auto-completetion will always use the default tenant, but we need an improvement in the Prometheus library to implement that. I would suggest we can merge this meanwhile (or at latest shortly after https://github.com/thanos-io/thanos/pull/6756 is merged)

jacobbaungard avatar Nov 10 '23 10:11 jacobbaungard

Rebased on main and re-generated the react ui as needed following: https://github.com/thanos-io/thanos/pull/6900

jacobbaungard avatar Nov 20 '23 14:11 jacobbaungard