cluster: obtain tenant information from headers

2024-11-21 14:44:00 +00:00 · 2024-10-01 10:47:55 +03:00 · 2024-10-01 10:47:55 +03:00 · 72a93df699
commit 72a93df699
parent 93bc205e05
6 changed files with 27 additions and 18 deletions
--- a/app/vmagent/main.go
+++ b/app/vmagent/main.go
@ -197,16 +197,16 @@ func getOpenTSDBHTTPInsertHandler() func(req *http.Request) error {
 		}
 	}
 	return func(req *http.Request) error {
-		path := strings.Replace(req.URL.Path, "//", "/", -1)
-		at, err := getAuthTokenFromPath(path)
+		at, err := getAuthTokenFromReq(req)
 		if err != nil {
-			return fmt.Errorf("cannot obtain auth token from path %q: %w", path, err)
+			return fmt.Errorf("cannot obtain auth token: %w", err)
 		}
 		return opentsdbhttp.InsertHandler(at, req)
 	}
 }

-func getAuthTokenFromPath(path string) (*auth.Token, error) {
+func getAuthTokenFromReq(req *http.Request) (*auth.Token, error) {
+	path := strings.Replace(req.URL.Path, "//", "/", -1)
 	p, err := httpserver.ParsePath(path)
 	if err != nil {
 		return nil, fmt.Errorf("cannot parse multitenant path: %w", err)
@ -217,7 +217,7 @@ func getAuthTokenFromPath(path string) (*auth.Token, error) {
 	if p.Suffix != "opentsdb/api/put" {
 		return nil, fmt.Errorf("unsupported path requested: %q; expecting 'opentsdb/api/put'", p.Suffix)
 	}
-	return auth.NewTokenPossibleMultitenant(p.AuthToken)
+	return auth.NewTokenPossibleMultitenant(p.AuthToken, req.Header)
 }

 func requestHandler(w http.ResponseWriter, r *http.Request) bool {
@ -498,7 +498,7 @@ func processMultitenantRequest(w http.ResponseWriter, r *http.Request, path stri
 		httpserver.Errorf(w, r, `unsupported multitenant prefix: %q; expected "insert"`, p.Prefix)
 		return true
 	}
-	at, err := auth.NewToken(p.AuthToken)
+	at, err := auth.NewTokenPossibleMultitenant(p.AuthToken, r.Header)
 	if err != nil {
 		httpserver.Errorf(w, r, "cannot obtain auth token: %s", err)
 		return true
--- a/app/vminsert/main.go
+++ b/app/vminsert/main.go
@ -217,7 +217,7 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 		// This is not our link.
 		return false
 	}
-	at, err := auth.NewTokenPossibleMultitenant(p.AuthToken)
+	at, err := auth.NewTokenPossibleMultitenant(p.AuthToken, r.Header)
 	if err != nil {
 		httpserver.Errorf(w, r, "auth error: %s", err)
 		return true
--- a/app/vminsert/opentsdbhttp/request_handler.go
+++ b/app/vminsert/opentsdbhttp/request_handler.go
@ -34,7 +34,7 @@ func InsertHandler(req *http.Request) error {
 		// This is not our link.
 		return fmt.Errorf("unexpected path requested on HTTP OpenTSDB server: %q", path)
 	}
-	at, err := auth.NewTokenPossibleMultitenant(p.AuthToken)
+	at, err := auth.NewTokenPossibleMultitenant(p.AuthToken, req.Header)
 	if err != nil {
 		return fmt.Errorf("auth error: %w", err)
 	}
--- a/app/vmselect/main.go
+++ b/app/vmselect/main.go
@ -269,7 +269,7 @@ func requestHandler(w http.ResponseWriter, r *http.Request) bool {
 		httpserver.Errorf(w, r, "cannot parse path %q: %s", path, err)
 		return true
 	}
-	at, err := auth.NewTokenPossibleMultitenant(p.AuthToken)
+	at, err := auth.NewTokenPossibleMultitenant(p.AuthToken, nil)
 	if err != nil {
 		httpserver.Errorf(w, r, "auth error: %s", err)
 		return true
@ -656,7 +656,7 @@ func handleStaticAndSimpleRequests(w http.ResponseWriter, r *http.Request, path
 	}
 	switch p.Suffix {
 	case "prometheus/api/v1/status/active_queries":
-		at, err := auth.NewTokenPossibleMultitenant(p.AuthToken)
+		at, err := auth.NewTokenPossibleMultitenant(p.AuthToken, nil)
 		if err != nil {
 			return false
 		}
@ -665,7 +665,7 @@ func handleStaticAndSimpleRequests(w http.ResponseWriter, r *http.Request, path
 		promql.ActiveQueriesHandler(at, w, r)
 		return true
 	case "prometheus/api/v1/status/top_queries":
-		at, err := auth.NewTokenPossibleMultitenant(p.AuthToken)
+		at, err := auth.NewTokenPossibleMultitenant(p.AuthToken, nil)
 		if err != nil {
 			return false
 		}
--- a/lib/auth/auth.go
+++ b/lib/auth/auth.go
@ -2,6 +2,7 @@ package auth

 import (
 	"fmt"
+	"net/http"
 	"strconv"
 	"strings"
 )
@ -34,9 +35,12 @@ func NewToken(authToken string) (*Token, error) {

 // NewTokenPossibleMultitenant returns new Token for the given authToken.
 //
-// If authToken == "multitenant", then nil Token is returned.
-func NewTokenPossibleMultitenant(authToken string) (*Token, error) {
+// If authToken == "multitenant" and TenantID header is not set, then nil Token is returned.
+func NewTokenPossibleMultitenant(authToken string, headers http.Header) (*Token, error) {
 	if authToken == "multitenant" {
+		if tenantID := headers.Get("TenantID"); tenantID != "" {
+			return NewToken(tenantID)
+		}
 		return nil, nil
 	}
 	return NewToken(authToken)
--- a/lib/auth/auth_test.go
+++ b/lib/auth/auth_test.go
@ -1,6 +1,7 @@
 package auth

 import (
+	"net/http"
 	"testing"
 )

@ -29,9 +30,11 @@ func TestNewTokenSuccess(t *testing.T) {
 }

 func TestNewTokenPossibleMultitenantSuccess(t *testing.T) {
-	f := func(token string, want string) {
+	f := func(token string, tenantIDValue string, want string) {
 		t.Helper()
-		newToken, err := NewTokenPossibleMultitenant(token)
+		headers := http.Header{}
+		headers.Set("TenantID", tenantIDValue)
+		newToken, err := NewTokenPossibleMultitenant(token, headers)
 		if err != nil {
 			t.Fatalf("unexpected error: %s", err)
 		}
@ -41,11 +44,13 @@ func TestNewTokenPossibleMultitenantSuccess(t *testing.T) {
 		}
 	}
 	// token with accountID only
-	f("1", "1")
+	f("1", "", "1")
 	// token with accountID and projecTID
-	f("1:2", "1:2")
+	f("1:2", "", "1:2")
 	// multitenant
-	f("multitenant", "multitenant")
+	f("multitenant", "", "multitenant")
+	// multitenant with tenantID in headers
+	f("multitenant", "1:2", "1:2")
 }

 func TestNewTokenFailure(t *testing.T) {