sugestions from dsabsay

Author: bogdan-st

integration/overrides_test.go

@@ -99,13 +99,7 @@ func TestOverridesAPIWithRunningCortex(t *testing.T) {
 		require.NoError(t, err)
 		defer resp.Body.Close()
 
-		assert.Equal(t, http.StatusOK, resp.StatusCode)
-
-		var overrides map[string]interface{}
-		err = json.NewDecoder(resp.Body).Decode(&overrides)
-		require.NoError(t, err)
-
-		assert.Empty(t, overrides)
+		assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
 	})
 
 	t.Run("POST overrides for new user", func(t *testing.T) {
@@ -196,13 +190,119 @@ func TestOverridesAPIWithRunningCortex(t *testing.T) {
 		require.NoError(t, err)
 		defer resp.Body.Close()
 
+		assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+	})
+
+	require.NoError(t, s.Stop(cortexSvc))
+}
+
+func TestOverridesAPIHardLimits(t *testing.T) {
+	s, err := e2e.NewScenario(networkName)
+	require.NoError(t, err)
+	defer s.Close()
+
+	minio := e2edb.NewMinio(9001, "cortex")
+	require.NoError(t, s.StartAndWaitReady(minio))
+
+	// Runtime config with hard limits
+	runtimeConfig := map[string]interface{}{
+		"overrides": map[string]interface{}{},
+		"hard_overrides": map[string]interface{}{
+			"user1": map[string]interface{}{
+				"ingestion_rate":             10000,
+				"max_global_series_per_user": 50000,
+			},
+		},
+		"api_allowed_limits": []string{
+			"ingestion_rate",
+			"max_global_series_per_user",
+		},
+	}
+	runtimeConfigData, err := yaml.Marshal(runtimeConfig)
+	require.NoError(t, err)
+
+	s3Client, err := s3.NewBucketWithConfig(nil, s3.Config{
+		Endpoint:  minio.HTTPEndpoint(),
+		Insecure:  true,
+		Bucket:    "cortex",
+		AccessKey: e2edb.MinioAccessKey,
+		SecretKey: e2edb.MinioSecretKey,
+	}, "overrides-test-hard-limits", nil)
+	require.NoError(t, err)
+
+	require.NoError(t, s3Client.Upload(context.Background(), "runtime.yaml", bytes.NewReader(runtimeConfigData)))
+
+	flags := map[string]string{
+		"-target": "overrides",
+
+		"-runtime-config.file":                 "runtime.yaml",
+		"-runtime-config.backend":              "s3",
+		"-runtime-config.s3.access-key-id":     e2edb.MinioAccessKey,
+		"-runtime-config.s3.secret-access-key": e2edb.MinioSecretKey,
+		"-runtime-config.s3.bucket-name":       "cortex",
+		"-runtime-config.s3.endpoint":          minio.NetworkHTTPEndpoint(),
+		"-runtime-config.s3.insecure":          "true",
+	}
+
+	cortexSvc := e2ecortex.NewSingleBinary("cortex-overrides-hard-limits", flags, "")
+	require.NoError(t, s.StartAndWaitReady(cortexSvc))
+
+	t.Run("POST overrides within hard limits", func(t *testing.T) {
+		overrides := map[string]interface{}{
+			"ingestion_rate":             5000,  // Within hard limit of 10000
+			"max_global_series_per_user": 25000, // Within hard limit of 50000
+		}
+		requestBody, err := json.Marshal(overrides)
+		require.NoError(t, err)
+
+		req, err := http.NewRequest("POST", "http://"+cortexSvc.HTTPEndpoint()+"/api/v1/user-overrides", bytes.NewReader(requestBody))
+		require.NoError(t, err)
+		req.Header.Set("X-Scope-OrgID", "user1")
+		req.Header.Set("Content-Type", "application/json")
+
+		resp, err := http.DefaultClient.Do(req)
+		require.NoError(t, err)
+		defer resp.Body.Close()
+
 		assert.Equal(t, http.StatusOK, resp.StatusCode)
+	})
 
-		var overrides map[string]interface{}
-		err = json.NewDecoder(resp.Body).Decode(&overrides)
+	t.Run("POST overrides exceeding hard limits", func(t *testing.T) {
+		overrides := map[string]interface{}{
+			"ingestion_rate": 15000, // Exceeds hard limit of 10000
+		}
+		requestBody, err := json.Marshal(overrides)
+		require.NoError(t, err)
+
+		req, err := http.NewRequest("POST", "http://"+cortexSvc.HTTPEndpoint()+"/api/v1/user-overrides", bytes.NewReader(requestBody))
+		require.NoError(t, err)
+		req.Header.Set("X-Scope-OrgID", "user1")
+		req.Header.Set("Content-Type", "application/json")
+
+		resp, err := http.DefaultClient.Do(req)
+		require.NoError(t, err)
+		defer resp.Body.Close()
+
+		assert.Equal(t, http.StatusBadRequest, resp.StatusCode)
+	})
+
+	t.Run("POST overrides for user without hard limits", func(t *testing.T) {
+		overrides := map[string]interface{}{
+			"ingestion_rate": 20000, // No hard limits for user2
+		}
+		requestBody, err := json.Marshal(overrides)
+		require.NoError(t, err)
+
+		req, err := http.NewRequest("POST", "http://"+cortexSvc.HTTPEndpoint()+"/api/v1/user-overrides", bytes.NewReader(requestBody))
+		require.NoError(t, err)
+		req.Header.Set("X-Scope-OrgID", "user2")
+		req.Header.Set("Content-Type", "application/json")
+
+		resp, err := http.DefaultClient.Do(req)
 		require.NoError(t, err)
+		defer resp.Body.Close()
 
-		assert.Empty(t, overrides)
+		assert.Equal(t, http.StatusOK, resp.StatusCode)
 	})
 
 	require.NoError(t, s.Stop(cortexSvc))

pkg/overrides/api.go

@@ -16,14 +16,9 @@ import (
 )
 
 const (
-	// HTTP status codes
-	StatusOK                  = 200
-	StatusBadRequest          = 400
-	StatusUnauthorized        = 401
-	StatusInternalServerError = 500
-
 	// Error messages
-	ErrInvalidJSON = "Invalid JSON"
+	ErrInvalidJSON  = "Invalid JSON"
+	ErrUserNotFound = "User not found"
 
 	// Runtime config errors
 	ErrRuntimeConfig = "runtime config read error"
@@ -39,7 +34,8 @@ func (a *API) getAllowedLimitsFromBucket(ctx context.Context) ([]string, error)
 
 	var config runtimeconfig.RuntimeConfigValues
 	if err := yaml.NewDecoder(reader).Decode(&config); err != nil {
-		return []string{}, nil // No allowed limits if config can't be decoded
+		level.Error(a.logger).Log("msg", "failed to decode runtime config", "err", err)
+		return []string{}, fmt.Errorf("failed to decode runtime config")
 	}
 
 	return config.APIAllowedLimits, nil
@@ -49,14 +45,19 @@ func (a *API) getAllowedLimitsFromBucket(ctx context.Context) ([]string, error)
 func (a *API) GetOverrides(w http.ResponseWriter, r *http.Request) {
 	userID, _, err := tenant.ExtractTenantIDFromHTTPRequest(r)
 	if err != nil {
-		http.Error(w, err.Error(), StatusUnauthorized)
+		http.Error(w, err.Error(), http.StatusUnauthorized)
 		return
 	}
 
 	// Read overrides from bucket storage
 	overrides, err := a.getOverridesFromBucket(r.Context(), userID)
 	if err != nil {
-		http.Error(w, err.Error(), StatusInternalServerError)
+		if err.Error() == ErrUserNotFound {
+			http.Error(w, "User not found", http.StatusBadRequest)
+		} else {
+			level.Error(a.logger).Log("msg", "failed to get overrides from bucket", "userID", userID, "err", err)
+			http.Error(w, "Internal server error", http.StatusInternalServerError)
+		}
 		return
 	}
 
@@ -72,65 +73,70 @@ func (a *API) GetOverrides(w http.ResponseWriter, r *http.Request) {
 func (a *API) SetOverrides(w http.ResponseWriter, r *http.Request) {
 	userID, _, err := tenant.ExtractTenantIDFromHTTPRequest(r)
 	if err != nil {
-		http.Error(w, err.Error(), StatusUnauthorized)
+		http.Error(w, err.Error(), http.StatusUnauthorized)
 		return
 	}
 
 	var overrides map[string]interface{}
 	if err := json.NewDecoder(r.Body).Decode(&overrides); err != nil {
-		http.Error(w, ErrInvalidJSON, StatusBadRequest)
+		http.Error(w, ErrInvalidJSON, http.StatusBadRequest)
 		return
 	}
 
 	// Get allowed limits from runtime config
 	allowedLimits, err := a.getAllowedLimitsFromBucket(r.Context())
 	if err != nil {
-		http.Error(w, "Failed to read allowed limits", StatusInternalServerError)
+		level.Error(a.logger).Log("msg", "failed to get allowed limits from bucket", "userID", userID, "err", err)
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
 		return
 	}
 
 	// Validate that only allowed limits are being changed
 	if err := ValidateOverrides(overrides, allowedLimits); err != nil {
-		http.Error(w, err.Error(), StatusBadRequest)
+		level.Error(a.logger).Log("msg", "invalid overrides validation", "userID", userID, "err", err)
+		http.Error(w, "Invalid overrides", http.StatusBadRequest)
 		return
 	}
 
 	// Validate that values don't exceed hard limits from runtime config
 	if err := a.validateHardLimits(overrides, userID); err != nil {
-		http.Error(w, err.Error(), StatusBadRequest)
+		level.Error(a.logger).Log("msg", "hard limits validation failed", "userID", userID, "err", err)
+		http.Error(w, "Invalid overrides", http.StatusBadRequest)
 		return
 	}
 
 	// Write overrides to bucket storage
 	if err := a.setOverridesToBucket(r.Context(), userID, overrides); err != nil {
-		http.Error(w, err.Error(), StatusInternalServerError)
+		level.Error(a.logger).Log("msg", "failed to set overrides to bucket", "userID", userID, "err", err)
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
 		return
 	}
 
-	w.WriteHeader(StatusOK)
+	w.WriteHeader(http.StatusOK)
 }
 
 // DeleteOverrides removes tenant-specific overrides
 func (a *API) DeleteOverrides(w http.ResponseWriter, r *http.Request) {
 	userID, _, err := tenant.ExtractTenantIDFromHTTPRequest(r)
 	if err != nil {
-		http.Error(w, err.Error(), StatusUnauthorized)
+		http.Error(w, err.Error(), http.StatusUnauthorized)
 		return
 	}
 
 	if err := a.deleteOverridesFromBucket(r.Context(), userID); err != nil {
-		http.Error(w, err.Error(), StatusInternalServerError)
+		level.Error(a.logger).Log("msg", "failed to delete overrides from bucket", "userID", userID, "err", err)
+		http.Error(w, "Internal server error", http.StatusInternalServerError)
 		return
 	}
 
-	w.WriteHeader(StatusOK)
+	w.WriteHeader(http.StatusOK)
 }
 
 // getOverridesFromBucket reads overrides for a specific tenant from the runtime config file
 func (a *API) getOverridesFromBucket(ctx context.Context, userID string) (map[string]interface{}, error) {
 	reader, err := a.bucketClient.Get(ctx, a.runtimeConfigPath)
 	if err != nil {
-		return map[string]interface{}{}, nil
+		return nil, fmt.Errorf("failed to get runtime config: %w", err)
 	}
 	defer reader.Close()
 
@@ -155,8 +161,11 @@ func (a *API) getOverridesFromBucket(ctx context.Context, userID string) (map[st
 
 			return result, nil
 		}
+		// User does not exist in config - return error
+		return nil, fmt.Errorf(ErrUserNotFound)
 	}
 
+	// No tenant limits configured - return empty map (no overrides)
 	return map[string]interface{}{}, nil
 }
 

pkg/overrides/limits.go

@@ -3,9 +3,11 @@ package overrides
 import (
 	"context"
 	"fmt"
+	"slices"
 	"strconv"
 	"strings"
 
+	"github.com/go-kit/log/level"
 	"gopkg.in/yaml.v3"
 
 	"github.com/cortexproject/cortex/pkg/util/runtimeconfig"
@@ -23,7 +25,7 @@ func ValidateOverrides(overrides map[string]interface{}, allowedLimits []string)
 	var invalidLimits []string
 
 	for limitName := range overrides {
-		if !IsLimitAllowed(limitName, allowedLimits) {
+		if !slices.Contains(allowedLimits, limitName) {
 			invalidLimits = append(invalidLimits, limitName)
 		}
 	}
@@ -35,39 +37,23 @@ func ValidateOverrides(overrides map[string]interface{}, allowedLimits []string)
 	return nil
 }
 
-// GetAllowedLimits returns the allowed limits from runtime config
-// If no allowed limits are configured, returns empty slice (no limits allowed)
-func GetAllowedLimits(allowedLimits []string) []string {
-	return allowedLimits
-}
-
-// IsLimitAllowed checks if a specific limit can be modified
-func IsLimitAllowed(limitName string, allowedLimits []string) bool {
-	for _, allowed := range allowedLimits {
-		if allowed == limitName {
-			return true
-		}
-	}
-	return false
-}
-
 // validateHardLimits checks if the provided overrides exceed any hard limits from the runtime config
 func (a *API) validateHardLimits(overrides map[string]interface{}, userID string) error {
 	// Read the runtime config to get hard limits
 	reader, err := a.bucketClient.Get(context.Background(), a.runtimeConfigPath)
 	if err != nil {
-		// If we can't read the config, skip hard limit validation
-		return nil
+		level.Error(a.logger).Log("msg", "failed to read hard limits configuration", "userID", userID, "err", err)
+		return fmt.Errorf("failed to validate hard limits")
 	}
 	defer reader.Close()
 
 	var config runtimeconfig.RuntimeConfigValues
 	if err := yaml.NewDecoder(reader).Decode(&config); err != nil {
-		// If we can't decode the config, skip hard limit validation
-		return nil
+		level.Error(a.logger).Log("msg", "failed to decode hard limits configuration", "userID", userID, "err", err)
+		return fmt.Errorf("failed to validate hard limits")
 	}
 
-	// If no hard overrides are defined, skip validation
+	// If no hard overrides are defined, allow the request
 	if config.HardTenantLimits == nil {
 		return nil
 	}
@@ -80,12 +66,14 @@ func (a *API) validateHardLimits(overrides map[string]interface{}, userID string
 
 	yamlData, err := yaml.Marshal(userHardLimits)
 	if err != nil {
-		return nil // Skip validation if we can't marshal
+		level.Error(a.logger).Log("msg", "failed to marshal hard limits", "userID", userID, "err", err)
+		return fmt.Errorf("failed to validate hard limits")
 	}
 
 	var hardLimitsMap map[string]interface{}
 	if err := yaml.Unmarshal(yamlData, &hardLimitsMap); err != nil {
-		return nil // Skip validation if we can't unmarshal
+		level.Error(a.logger).Log("msg", "failed to unmarshal hard limits", "userID", userID, "err", err)
+		return fmt.Errorf("failed to validate hard limits")
 	}
 
 	// Validate each override against the user's hard limits