Tenant impersonation push stream#7475
Open
SungJin1212 wants to merge 6 commits intocortexproject:masterfrom
Open
Tenant impersonation push stream#7475SungJin1212 wants to merge 6 commits intocortexproject:masterfrom
SungJin1212 wants to merge 6 commits intocortexproject:masterfrom
Conversation
Signed-off-by: SungJin1212 <tjdwls1201@gmail.com>
SungJin1212
force-pushed
the
Tenant-impersonation-pushStream
branch
3 times, most recently
from
a4d294a to
2dc1ac9
Compare
SungJin1212
force-pushed
the
Tenant-impersonation-pushStream
branch
from
91cbdac to
64e9633
Compare
Signed-off-by: SungJin1212 <tjdwls1201@gmail.com>
SungJin1212
force-pushed
the
Tenant-impersonation-pushStream
branch
from
64e9633 to
bc012ac
Compare
Signed-off-by: SungJin1212 <tjdwls1201@gmail.com>
Signed-off-by: SungJin1212 <tjdwls1201@gmail.com>
SungJin1212
force-pushed
the
Tenant-impersonation-pushStream
branch
from
10504c6 to
c5053f2
Compare
friedrichg
reviewed
May 4, 2026
friedrichg
reviewed
May 4, 2026
Signed-off-by: SungJin1212 <tjdwls1201@gmail.com>
Signed-off-by: SungJin1212 <tjdwls1201@gmail.com>
SungJin1212
force-pushed
the
Tenant-impersonation-pushStream
branch
from
be91dbb to
1566253
Compare
friedrichg
approved these changes
May 5, 2026
Member
friedrichg
left a comment
friedrichg
left a comment
There was a problem hiding this comment.
Thanks for addressing this!
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Problem statement
PushStreamin the Ingester trustedreq.TenantIDfrom the stream payload without verifying it against the authenticated stream context. An attacker with direct access to the Ingester gRPC port could write metrics to any tenant.Changes
PushStreamnow rejects any request where the stream's authenticated orgID is a real tenant ID that doesn't matchreq.TenantID. It cannot prevent worker ID (ingester-<addr>-stream-push-worker-<N>) spoofing, seeTestAttack_DirectGRPC_BypassWithWorkerID.Add a
-distributor.sign-write-requests-keysflag. The Distributor signs eachPushStreamconnection with the first key; the Ingester verifies the signature before accepting the stream. This blocks worker-ID spoofing even from callers who know the orgID pattern.Which issue(s) this PR fixes:
Fixes #
Checklist
CHANGELOG.mdupdated - the order of entries should be[CHANGE],[FEATURE],[ENHANCEMENT],[BUGFIX]docs/configuration/v1-guarantees.mdupdated if this PR introduces experimental flags