return 401 when tenant ID is missing in PRW2

CHANGELOG.md

@@ -10,6 +10,7 @@
 * [BUGFIX] Fix nil when ingester_query_max_attempts > 1. #7369
 * [BUGFIX] Querier: Fix queryWithRetry and labelsWithRetry returning (nil, nil) on cancelled context by propagating ctx.Err(). #7370
 * [BUGFIX] Metrics Helper: Fix non-deterministic bucket order in merged histograms by sorting buckets after map iteration, matching Prometheus client library behavior. #7380
+* [BUGFIX] Distributor: Return HTTP 401 Unauthorized when tenant ID resolution fails in the Prometheus Remote Write 2.0 path. #7389
 
 ## 1.21.0 in progress
 

pkg/util/push/push.go

@@ -90,6 +90,7 @@ func Handler(remoteWrite2Enabled bool, acceptUnknownRemoteWriteContentType bool,
 		handlePRW2 := func() {
 			userID, err := users.TenantID(ctx)
 			if err != nil {
+				http.Error(w, err.Error(), http.StatusUnauthorized)
 				return
 			}
 

pkg/util/push/push_test.go

@@ -1339,3 +1339,26 @@ func Test_convertV2RequestToV1_ExplicitStartTimestampTakesPrecedence(t *testing.
 		assert.Equal(t, int64(0), v1Req.Timeseries[0].Histograms[0].StartTimestampMs)
 	})
 }
+
+func TestHandler_remoteWriteV2_UnauthorizedWithoutTenantID(t *testing.T) {
+	var limits validation.Limits
+	flagext.DefaultValues(&limits)
+	overrides := validation.NewOverrides(limits, nil)
+
+	pushCalled := false
+	pushFunc := func(ctx context.Context, req *cortexpb.WriteRequest) (*cortexpb.WriteResponse, error) {
+		pushCalled = true
+		return &cortexpb.WriteResponse{}, nil
+	}
+
+	handler := Handler(true, false, 100000, overrides, nil, pushFunc, nil)
+
+	req := createRequest(t, createPrometheusRemoteWriteV2Protobuf(t), true)
+
+	resp := httptest.NewRecorder()
+	handler.ServeHTTP(resp, req)
+
+	assert.Equal(t, http.StatusUnauthorized, resp.Code)
+	assert.Contains(t, resp.Body.String(), user.ErrNoOrgID.Error())
+	assert.False(t, pushCalled, "push function must not be called when tenant ID is missing")
+}