OpenShift Logging / LOG-6577

Extend LokiStack authorization to support OTel Semantics

    • Story
    • Resolution: Unresolved
    • Normal
    • Logging 6.2.0
    • Logging 6.2.0
    • Log Storage
    • None
    • Log Storage - Sprint 265, Log Storage - Sprint 266

      The authorization components included in LokiStack are currently not prepared to deal with queries that use only OTel semantics stream labels. This affects only the "fine-grained logs access", so it currently limits only the queries of non-admin users in the application tenant.

      Currently the authorization code uses only the "kubernetes_namespace_name" stream label to enforce the fine-grained authorization scheme. The OTel data model uses a different label, "k8s_namespace_name", to store the same information. The authorization code needs to be extended to support queries targeting either of the two stream labels.

      Acceptance Criteria

      • It's possible to query logs using the ViaQ namespace label "kubernetes_namespace_name" as a non-admin user
      • It's possible to query logs using the OTel namespace label "k8s_namespace_name" as a non-admin user
      • Authorization is correctly evaluated for RecordingRules / AlertingRules using "kubernetes_namespace_name"
      • Authorization is correctly evaluated for RecordingRules / AlertingRules using "k8s_namespace_name"

      Optional Criteria

      • Queries using a mixture of ViaQ and OTel label matchers are handled correctly
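
A sketch of the check these criteria describe, written for this page as an added example; it is not LokiStack's authorization code. The function name `authorize`, the `allowed` namespace set and the restriction to a bare stream selector with double-quoted values and equality matchers on the namespace labels are assumptions, chosen so that anything the sketch cannot parse is denied.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
)

// The two namespace stream labels named in this issue (ViaQ and OTel).
var namespaceLabels = map[string]bool{"kubernetes_namespace_name": true, "k8s_namespace_name": true}

// One label matcher: name, operator, double-quoted value (simplified grammar).
const matcher = `([A-Za-z_][A-Za-z0-9_]*)\s*(=~|!~|!=|=)\s*"((?:[^"\\]|\\.)*)"`

var matcherRe = regexp.MustCompile(matcher)
var selectorRe = regexp.MustCompile(`^\{\s*` + matcher + `(?:\s*,\s*` + matcher + `)*\s*\}$`)

// authorize fails closed: the whole selector must fit the grammar above, at least
// one namespace matcher must be present, and every one must name an allowed namespace.
func authorize(selector string, allowed map[string]bool) error {
	if !selectorRe.MatchString(selector) {
		return errors.New("unsupported selector syntax")
	}
	found := false
	for _, m := range matcherRe.FindAllStringSubmatch(selector, -1) {
		label, op, value := m[1], m[2], m[3]
		if !namespaceLabels[label] {
			continue // not a namespace label, irrelevant to this check
		}
		if op != "=" {
			return fmt.Errorf("%s: only equality matchers are accepted", label)
		}
		if !allowed[value] {
			return fmt.Errorf("namespace %q is not permitted", value)
		}
		found = true
	}
	if !found {
		return errors.New("no namespace matcher in selector")
	}
	return nil
}

func main() {
	allowed := map[string]bool{"team-a": true} // constructed sample data
	for _, q := range []string{`{k8s_namespace_name="team-a"}`, `{app="web"}`} {
		fmt.Println(q, "->", authorize(q, allowed))
	}
}
```

Validating the full selector before extracting matchers matters here: without it, a namespace matcher embedded inside another label's value could satisfy the check.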

              jmarcal@redhat.com Joao Marcal
              rojacob@redhat.com Robert Jacob