From 30d010f782588840d06a4e301a20ed1d9ff89a69 Mon Sep 17 00:00:00 2001
From: SungJin1212
Date: Tue, 31 Mar 2026 20:31:04 +0900
Subject: [PATCH] return 401 when tenant ID is missing in PRW2
Signed-off-by: SungJin1212
---
 CHANGELOG.md | 1 +
 pkg/util/push/push.go | 1 +
 pkg/util/push/push_test.go | 23 +++++++++++++++++++++++
 3 files changed, 25 insertions(+)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index ca162be539e..584a3bff5d3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -10,6 +10,7 @@
 * [BUGFIX] Fix nil when ingester_query_max_attempts > 1. #7369
 * [BUGFIX] Querier: Fix queryWithRetry and labelsWithRetry returning (nil, nil) on cancelled context by propagating ctx.Err(). #7370
 * [BUGFIX] Metrics Helper: Fix non-deterministic bucket order in merged histograms by sorting buckets after map iteration, matching Prometheus client library behavior. #7380
+* [BUGFIX] Distributor: Return HTTP 401 Unauthorized when tenant ID resolution fails in the Prometheus Remote Write 2.0 path. #7389
 ## 1.21.0 in progress
diff --git a/pkg/util/push/push.go b/pkg/util/push/push.go
index 64e169e58d3..da80c5d518f 100644
--- a/pkg/util/push/push.go
+++ b/pkg/util/push/push.go
@@ -90,6 +90,7 @@ func Handler(remoteWrite2Enabled bool, acceptUnknownRemoteWriteContentType bool,
 handlePRW2 := func() {
 userID, err := users.TenantID(ctx)
 if err != nil {
+ http.Error(w, err.Error(), http.StatusUnauthorized)
 return
 }
diff --git a/pkg/util/push/push_test.go b/pkg/util/push/push_test.go
index fe13dda0f82..9dc50e7d0a7 100644
--- a/pkg/util/push/push_test.go
+++ b/pkg/util/push/push_test.go
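Review bot: In `handlePRW2` (pkg/util/push/push.go), the added `http.Error(w, err.Error(), http.StatusUnauthorized)` writes the resolver's error text verbatim into the response and maps every `users.TenantID` failure to 401. The test in this commit pins only `user.ErrNoOrgID`. If the resolver can also fail on a malformed or multi-valued tenant header, its message may carry caller-supplied content back to the client, and 400 may be the more accurate status, so this is worth confirming against `users.TenantID`. As far as the hunk shows, the rejection is not recorded on the server side, so I would add a comment such as `// No tenant ID resolved: reject the request here so nothing is pushed.` and a debug-level log or counter at this return so operators can spot misconfigured senders. `Handler` starts and continues outside the hunk, so existing logging there could not be checked.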
@@ -1339,3 +1339,26 @@ func Test_convertV2RequestToV1_ExplicitStartTimestampTakesPrecedence(t *testing.
 assert.Equal(t, int64(0), v1Req.Timeseries[0].Histograms[0].StartTimestampMs)
 })
 }
+
+func TestHandler_remoteWriteV2_UnauthorizedWithoutTenantID(t *testing.T) {
+ var limits validation.Limits
+ flagext.DefaultValues(&limits)
+ overrides := validation.NewOverrides(limits, nil)
+
+ pushCalled := false
+ pushFunc := func(ctx context.Context, req *cortexpb.WriteRequest) (*cortexpb.WriteResponse, error) {
+ pushCalled = true
+ return &cortexpb.WriteResponse{}, nil
+ }
+
+ handler := Handler(true, false, 100000, overrides, nil, pushFunc, nil)
+
+ req := createRequest(t, createPrometheusRemoteWriteV2Protobuf(t), true)
+
+ resp := httptest.NewRecorder()
+ handler.ServeHTTP(resp, req)
+
+ assert.Equal(t, http.StatusUnauthorized, resp.Code)
+ assert.Contains(t, resp.Body.String(), user.ErrNoOrgID.Error())
+ assert.False(t, pushCalled, "push function must not be called when tenant ID is missing")
+}
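Review bot: `TestHandler_remoteWriteV2_UnauthorizedWithoutTenantID` relies on `createRequest` leaving the request context without an org ID, but nothing in the test states that precondition. A one-line comment above the `createRequest` call, e.g. `// No org ID is injected into the request context, so tenant resolution must fail.`, would make the setup readable without opening the helper. The test also covers only the `user.ErrNoOrgID` case; if `users.TenantID` has other failure modes, a second case would pin which status and body they produce.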