The latest articles on DEV Community by OpenLBAC (@openlbac). https://dev.to/openlbac https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F3873437%2Fb3a9b3d7-7d12-4480-8499-c897680b57df.png https://dev.to/openlbac en OpenLBAC Wed, 15 Apr 2026 20:52:49 +0000 https://dev.to/openlbac/skip-the-cortex-tenant-headers-deploy-multi-tenant-prometheus-in-5-minutes-1emn https://dev.to/openlbac/skip-the-cortex-tenant-headers-deploy-multi-tenant-prometheus-in-5-minutes-1emn <p>If you've tried Cortex or Mimir for multi-tenant Prometheus, you've hit the same wall: <strong>every client needs tenant headers</strong>. Your existing Grafana dashboards break. CLI tools need updates. API integrations require modification. Your proof-of-concept becomes a migration project.</p> <p>There's a better approach: <strong>query-level access control with zero client changes</strong>.</p> <h2> The tenant header problem </h2> <p>Current multi-tenant solutions require the <code>X-Scope-OrgID</code> header on every request:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Every client needs modification</span> curl <span class="nt">-H</span> <span class="s2">"X-Scope-OrgID: team-alpha"</span> http://prometheus:9090/api/v1/query?query<span class="o">=</span>up <span class="c"># Grafana datasources need tenant configuration</span> <span class="c"># CLI tools need wrapper scripts</span> <span class="c"># API clients need header injection</span> </code></pre> </div> <p>This breaks existing infrastructure and creates security vulnerabilities - headers can be spoofed, misconfigured, or simply forgotten.</p> <h2> Prerequisites </h2> <p>Before deploying OpenLBAC, ensure you have:</p> <ul> <li>Docker and Docker Compose installed</li> <li>An existing Prometheus instance (or willingness to deploy one)</li> <li>An OIDC provider with group claims (Keycloak, Okta, Auth0)</li> <li>Basic understanding of PromQL and observability concepts</li> </ul> <h2> Setup: Complete multi-tenant stack </h2> <p>Clone and deploy the full OpenLBAC stack with example Prometheus and Keycloak:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/openlbac/openlbac <span class="nb">cd </span>openlbac <span class="c"># Deploy complete stack: OpenLBAC + Prometheus + Keycloak</span> docker-compose up <span class="nt">-d</span> </code></pre> </div> <p>This starts four OpenLBAC components:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># docker-compose.yml (relevant sections)</span> <span class="na">services</span><span class="pi">:</span> <span class="na">lbac-server</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">openlbac/lbac-server:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8090:8090"</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">DATABASE_URL=postgresql://postgres:password@postgres:5432/openlbac</span> <span class="na">lbac-proxy</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">openlbac/lbac-proxy:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8080:8080"</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">LBAC_CORE_URL=http://lbac-core:9090</span> <span class="pi">-</span> <span class="s">UPSTREAM_PROMETHEUS_URL=http://prometheus:9090</span> <span class="na">lbac-core</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">openlbac/lbac-core:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9090:9090"</span> <span class="na">environment</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">LBAC_SERVER_URL=http://lbac-server:8090</span> <span class="na">prometheus</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">prom/prometheus:latest</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">9091:9090"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./prometheus.yml:/etc/prometheus/prometheus.yml</span> </code></pre> </div> <h2> Configuration: OIDC integration </h2> <h3> Step 1: Configure OIDC provider </h3> <p>For Keycloak (included in docker-compose):<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Access Keycloak admin console</span> open http://localhost:8081 <span class="c"># Default credentials: admin/admin</span> <span class="c"># Create realm: "observability"</span> <span class="c"># Create groups: "platform-team", "backend-team", "frontend-team"</span> <span class="c"># Create users and assign group memberships</span> </code></pre> </div> <h3> Step 2: Configure OpenLBAC OIDC </h3> <p>Update the OIDC configuration in <code>config/oidc.yml</code>:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="na">oidc</span><span class="pi">:</span> <span class="na">provider_url</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://localhost:8081/realms/observability"</span> <span class="na">client_id</span><span class="pi">:</span> <span class="s2">"</span><span class="s">openlbac-client"</span> <span class="na">client_secret</span><span class="pi">:</span> <span class="s2">"</span><span class="s">your-client-secret"</span> <span class="na">scopes</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">openid"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">profile"</span><span class="pi">,</span> <span class="s2">"</span><span class="s">groups"</span><span class="pi">]</span> <span class="na">groups_claim</span><span class="pi">:</span> <span class="s2">"</span><span class="s">groups"</span> <span class="na">policies</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">platform-team"</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">platform-team"</span><span class="pi">]</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">label</span><span class="pi">:</span> <span class="s2">"</span><span class="s">namespace"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s2">"</span><span class="s">=~"</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">production|staging|development"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">backend-team"</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">backend-team"</span><span class="pi">]</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">label</span><span class="pi">:</span> <span class="s2">"</span><span class="s">namespace"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s2">"</span><span class="s">="</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">production"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">label</span><span class="pi">:</span> <span class="s2">"</span><span class="s">service"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s2">"</span><span class="s">=~"</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">api|database|cache"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">name</span><span class="pi">:</span> <span class="s2">"</span><span class="s">frontend-team"</span> <span class="na">groups</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">frontend-team"</span><span class="pi">]</span> <span class="na">rules</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">label</span><span class="pi">:</span> <span class="s2">"</span><span class="s">namespace"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s2">"</span><span class="s">="</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">production"</span><span class="pi">]</span> <span class="pi">-</span> <span class="na">label</span><span class="pi">:</span> <span class="s2">"</span><span class="s">service"</span> <span class="na">operator</span><span class="pi">:</span> <span class="s2">"</span><span class="s">="</span> <span class="na">values</span><span class="pi">:</span> <span class="pi">[</span><span class="s2">"</span><span class="s">web"</span><span class="pi">]</span> </code></pre> </div> <h2> Testing: Query rewriting in action </h2> <h3> Step 1: Verify policy enforcement </h3> <p>Test different user contexts to see query rewriting:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Platform team member (full access)</span> curl <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$PLATFORM_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="s2">"http://localhost:8080/api/v1/query?query=up"</span> <span class="c"># Backend team member (service-filtered)</span> curl <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$BACKEND_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="s2">"http://localhost:8080/api/v1/query?query=up"</span> <span class="c"># Frontend team member (web service only)</span> curl <span class="nt">-H</span> <span class="s2">"Authorization: Bearer </span><span class="nv">$FRONTEND_TOKEN</span><span class="s2">"</span> <span class="se">\</span> <span class="s2">"http://localhost:8080/api/v1/query?query=up"</span> </code></pre> </div> <h3> Step 2: Observe automatic query rewriting </h3> <p>Original query:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>rate(http_requests_total{status="200"}[5m]) </code></pre> </div> <p>Rewritten for backend-team:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>rate(http_requests_total{status="200", namespace="production", service=~"api|database|cache"}[5m]) </code></pre> </div> <p>Rewritten for frontend-team:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>rate(http_requests_total{status="200", namespace="production", service="web"}[5m]) </code></pre> </div> <h3> Step 3: Test with existing tools </h3> <p>Point your existing tools to OpenLBAC instead of Prometheus directly:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># Grafana datasource configuration</span> <span class="na">apiVersion</span><span class="pi">:</span> <span class="s">v1</span> <span class="na">kind</span><span class="pi">:</span> <span class="s">ConfigMap</span> <span class="na">metadata</span><span class="pi">:</span> <span class="na">name</span><span class="pi">:</span> <span class="s">grafana-datasources</span> <span class="na">data</span><span class="pi">:</span> <span class="na">prometheus.yml</span><span class="pi">:</span> <span class="pi">|</span> <span class="s">apiVersion: 1</span> <span class="s">datasources:</span> <span class="s">- name: Prometheus</span> <span class="s">type: prometheus</span> <span class="s">url: http://lbac-proxy:8080 # Changed from prometheus:9090</span> <span class="s">access: proxy</span> <span class="s">jsonData:</span> <span class="s">httpHeaderName1: "Authorization"</span> <span class="s">secureJsonData:</span> <span class="s">httpHeaderValue1: "Bearer $GRAFANA_OIDC_TOKEN"</span> </code></pre> </div> <p>Your existing dashboards work unchanged. CLI tools work unchanged. The only change is the endpoint URL.</p> <h2> Optimization: Production deployment </h2> <h3> Horizontal scaling </h3> <p>Scale proxy instances for high throughput:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># docker-compose.override.yml</span> <span class="na">services</span><span class="pi">:</span> <span class="na">lbac-proxy</span><span class="pi">:</span> <span class="na">deploy</span><span class="pi">:</span> <span class="na">replicas</span><span class="pi">:</span> <span class="m">3</span> <span class="na">nginx</span><span class="pi">:</span> <span class="na">image</span><span class="pi">:</span> <span class="s">nginx:alpine</span> <span class="na">ports</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">8080:80"</span> <span class="na">volumes</span><span class="pi">:</span> <span class="pi">-</span> <span class="s">./nginx.conf:/etc/nginx/nginx.conf</span> </code></pre> </div> <p>Nginx configuration for load balancing:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight nginx"><code><span class="k">upstream</span> <span class="s">lbac_proxies</span> <span class="p">{</span> <span class="kn">server</span> <span class="nf">lbac-proxy-1</span><span class="p">:</span><span class="mi">8080</span><span class="p">;</span> <span class="kn">server</span> <span class="nf">lbac-proxy-2</span><span class="p">:</span><span class="mi">8080</span><span class="p">;</span> <span class="kn">server</span> <span class="nf">lbac-proxy-3</span><span class="p">:</span><span class="mi">8080</span><span class="p">;</span> <span class="p">}</span> <span class="k">server</span> <span class="p">{</span> <span class="kn">listen</span> <span class="mi">80</span><span class="p">;</span> <span class="kn">location</span> <span class="n">/</span> <span class="p">{</span> <span class="kn">proxy_pass</span> <span class="s">http://lbac_proxies</span><span class="p">;</span> <span class="kn">proxy_set_header</span> <span class="s">Authorization</span> <span class="nv">$http_authorization</span><span class="p">;</span> <span class="p">}</span> <span class="p">}</span> </code></pre> </div> <h3> Monitoring and alerting </h3> <p>Monitor OpenLBAC components:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># prometheus.yml</span> <span class="na">global</span><span class="pi">:</span> <span class="na">scrape_interval</span><span class="pi">:</span> <span class="s">15s</span> <span class="na">scrape_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">job_name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">lbac-proxy'</span> <span class="na">static_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">targets</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">lbac-proxy:8080'</span><span class="pi">]</span> <span class="na">metrics_path</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/metrics'</span> <span class="pi">-</span> <span class="na">job_name</span><span class="pi">:</span> <span class="s1">'</span><span class="s">lbac-core'</span> <span class="na">static_configs</span><span class="pi">:</span> <span class="pi">-</span> <span class="na">targets</span><span class="pi">:</span> <span class="pi">[</span><span class="s1">'</span><span class="s">lbac-core:9090'</span><span class="pi">]</span> <span class="na">metrics_path</span><span class="pi">:</span> <span class="s1">'</span><span class="s">/metrics'</span> </code></pre> </div> <p>Key metrics to monitor:</p> <ul> <li> <code>lbac_proxy_query_duration_seconds</code> - Query rewriting latency</li> <li> <code>lbac_proxy_queries_total</code> - Request rate and error rate</li> <li> <code>lbac_core_policy_updates_total</code> - Policy propagation health</li> <li> <code>lbac_core_connected_proxies</code> - Proxy connectivity status</li> </ul> <h3> Audit and compliance </h3> <p>Enable audit logging for compliance frameworks:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># config/audit.yml</span> <span class="na">audit</span><span class="pi">:</span> <span class="na">enabled</span><span class="pi">:</span> <span class="kc">true</span> <span class="na">sink_type</span><span class="pi">:</span> <span class="s2">"</span><span class="s">elasticsearch"</span> <span class="na">elasticsearch</span><span class="pi">:</span> <span class="na">endpoint</span><span class="pi">:</span> <span class="s2">"</span><span class="s">http://elasticsearch:9200"</span> <span class="na">index</span><span class="pi">:</span> <span class="s2">"</span><span class="s">openlbac-audit"</span> <span class="na">events</span><span class="pi">:</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">query_execution"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">policy_violation"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">authentication_failure"</span> <span class="pi">-</span> <span class="s2">"</span><span class="s">authorization_decision"</span> </code></pre> </div> <p>Each query execution logs:</p> <ul> <li>User identity and group membership</li> <li>Original query and rewritten query</li> <li>Data sources accessed</li> <li>Timestamp and request metadata</li> </ul> <h2> Troubleshooting common issues </h2> <h3> Issue: JWT token validation fails </h3> <p><strong>Symptoms:</strong> <code>401 Unauthorized</code> responses from lbac-proxy</p> <p><strong>Solution:</strong> Verify OIDC configuration and token format:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Check token structure</span> <span class="nb">echo</span> <span class="nv">$TOKEN</span> | <span class="nb">base64</span> <span class="nt">-d</span> | jq <span class="nb">.</span> <span class="c"># Verify groups claim exists</span> <span class="c"># Ensure issuer matches provider_url</span> <span class="c"># Check client_id in token audience</span> </code></pre> </div> <h3> Issue: Queries return empty results </h3> <p><strong>Symptoms:</strong> Valid queries return no data after policy application</p> <p><strong>Solution:</strong> Check policy rule logic and label presence:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="c"># Verify labels exist in your metrics</span> curl http://prometheus:9090/api/v1/labels <span class="c"># Test policy rules manually</span> curl <span class="s2">"http://localhost:8090/api/v1/policies/test"</span> <span class="se">\</span> <span class="nt">-d</span> <span class="s1">'{"query": "up", "user_groups": ["backend-team"]}'</span> </code></pre> </div> <h3> Issue: High query latency </h3> <p><strong>Symptoms:</strong> Increased response times after OpenLBAC deployment</p> <p><strong>Solution:</strong> Optimize policy complexity and caching:<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight yaml"><code><span class="c1"># config/performance.yml</span> <span class="na">cache</span><span class="pi">:</span> <span class="na">policy_cache_ttl</span><span class="pi">:</span> <span class="s">300s</span> <span class="na">query_cache_ttl</span><span class="pi">:</span> <span class="s">60s</span> <span class="na">optimization</span><span class="pi">:</span> <span class="na">max_rule_complexity</span><span class="pi">:</span> <span class="m">10</span> <span class="na">parallel_policy_evaluation</span><span class="pi">:</span> <span class="kc">true</span> </code></pre> </div> <p>OpenLBAC adds &lt;5ms latency in most configurations. Higher latencies indicate policy complexity issues or network bottlenecks.</p> <h2> Why this approach works better </h2> <p><strong>Zero client modification:</strong> Existing tools continue working unchanged. No headers to manage or spoof.</p> <p><strong>Real-time enforcement:</strong> Policies apply at query execution, not just dashboard level. API access and CLI tools automatically controlled.</p> <p><strong>Enterprise IdP integration:</strong> Leverage existing Keycloak, Okta, or Auth0 groups. No custom authentication development required.</p> <p><strong>Comprehensive audit:</strong> Every query decision logged for PCI DSS, GDPR, and SOC 2 compliance requirements.</p> <p><strong>Five-minute deployment:</strong> Docker Compose to production-ready in minutes, not weeks of client migration.</p> <p>The tenant header approach assumes you can modify every client. The query rewriting approach assumes you can't - and works anyway.</p> <p>What's your experience with multi-tenant observability? Have you hit the tenant header wall, or found other approaches that preserve existing integrations?</p> architecture devops monitoring tutorial