You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/guides/authentication-and-authorisation.md
+13-6Lines changed: 13 additions & 6 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -15,12 +15,19 @@ of protection.
15
15
Typically this means you run Cortex behind a reverse proxy, and you must
16
16
ensure that all callers, both machines sending data over the `remote_write`
17
17
interface and humans sending queries from GUIs, supply credentials
18
-
which identify them and confirm they are authorised.
19
-
20
-
When configuring the `remote_write` API in Prometheus there is no way to
21
-
add extra headers. The user and password fields of http Basic auth, or
22
-
Bearer token, can be used to convey the tenant ID and/or credentials.
23
-
See the **Cortex-Tenant** section below for one way to solve this.
18
+
which identify them and confirm they are authorised. When configuring the
19
+
`remote_write` API in Prometheus, the user and password fields of http Basic
20
+
auth, or Bearer token, can be used to convey the tenant ID and/or credentials.
21
+
See the [Cortex-Tenant](#cortex-tenant) section below for one way to solve this.
22
+
23
+
In trusted environments, Prometheus can send the `X-Scope-OrgID` header itself
24
+
by configuring the `headers` field in its [`remote_write` configuration](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#remote_write):
25
+
```
26
+
remote_write:
27
+
- url: http://<cortex>/prometheus/api/v1/push
28
+
headers:
29
+
X-Scope-OrgID: <org>
30
+
```
24
31
25
32
To disable the multi-tenant functionality, you can pass the argument
26
33
`-auth.enabled=false` to every Cortex component, which will set the OrgID
0 commit comments