| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * observability/distr_tracing/distr_tracing_tempo/distr-tracing-tempo-configuring.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: REFERENCE |
| 6 | +[id="distr-tracing-tempo-config-query-rbac_{context}"] |
| 7 | += Query role based access control (RBAC) |
| 8 | + |
| 9 | +Query RBAC is a feature that allows users to see attributes only for spans that originate from namespaces that they have access to. |
| 10 | +Which means users will be able to see traces from all namespaces, however the attributes will be filtered based on the namespaces they have access to, |
| 11 | +except for the attributes `service.name` and `k8s.namespace.name` which are always kept. |
| 12 | + |
| 13 | +.Sample Tempo CR with enabled multitenancy and enabled query RBAC |
| 14 | +[source,yaml] |
| 15 | +---- |
| 16 | +apiVersion: tempo.grafana.com/v1alpha1 |
| 17 | +kind: TempoStack |
| 18 | +metadata: |
| 19 | + name: simplest |
| 20 | + namespace: chainsaw-multitenancy |
| 21 | +spec: |
| 22 | + storage: |
| 23 | + secret: |
| 24 | + name: minio |
| 25 | + type: s3 |
| 26 | + storageSize: 1Gi |
| 27 | + resources: |
| 28 | + total: |
| 29 | + limits: |
| 30 | + memory: 2Gi |
| 31 | + cpu: 2000m |
| 32 | + tenants: |
| 33 | + mode: openshift |
| 34 | + authentication: |
| 35 | + - tenantName: dev |
| 36 | + tenantId: "1610b0c3-c509-4592-a256-a1871353dbfb" |
| 37 | + template: |
| 38 | + gateway: |
| 39 | + enabled: true # <1> |
| 40 | + rbac: |
| 41 | + enabled: true # <2> |
| 42 | + queryFrontend: |
| 43 | + jaegerQuery: |
| 44 | + enabled: false # <3> |
| 45 | +---- |
| 46 | + |
| 47 | +<1> Must be set to `true`. |
| 48 | +<2> Must be set to `true`. |
| 49 | +<3> Must be set to `false`. |
| 50 | + |
| 51 | +:_mod-docs-content-type: REFERENCE |
| 52 | +[id="distr-tracing-tempo-config-query-rbac-configure_{context}"] |
| 53 | +== Configuration |
| 54 | + |
| 55 | +The following example gives OpenShift authenticated users access to the Tempo `dev` tenant and read attributes from the project `project1`. |
| 56 | + |
| 57 | +.ClusterRole and ClusterRoleBinding to give authenticated users access to the `dev` tenant. |
| 58 | +[source,yaml] |
| 59 | +---- |
| 60 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 61 | +kind: ClusterRole |
| 62 | +metadata: |
| 63 | + name: tempo-dev-read |
| 64 | +rules: |
| 65 | +- apiGroups: [tempo.grafana.com] |
| 66 | + resources: [dev] # <1> |
| 67 | + resourceNames: [traces] |
| 68 | + verbs: [get] |
| 69 | +--- |
| 70 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 71 | +kind: ClusterRoleBinding |
| 72 | +metadata: |
| 73 | + name: tempo-dev-read |
| 74 | +roleRef: |
| 75 | + apiGroup: rbac.authorization.k8s.io |
| 76 | + kind: ClusterRole |
| 77 | + name: tempo-dev-read |
| 78 | +subjects: |
| 79 | +subjects: |
| 80 | + - kind: Group |
| 81 | + apiGroup: rbac.authorization.k8s.io |
| 82 | + name: system:authenticated # <2> |
| 83 | +---- |
| 84 | + |
| 85 | +<1> Refers to the tenant name defined in the `TempoStack` custom resource. |
| 86 | +<2> Refers to all authenticated OpenShift users. |
| 87 | + |
| 88 | +The second step is to give authenticated users access to the project `project1`. |
| 89 | + |
| 90 | +.Command to give authenticated users access to the project `project1`. |
| 91 | +[source,bash] |
| 92 | +---- |
| 93 | +oc adm policy add-role-to-group view system:authenticated -n tutorial-application-backend2 # <1> |
| 94 | +---- |
| 95 | + |
| 96 | +<1> Alternatively the access can be granted by creating a `Role` in the `project1` with `get` verb on `namespace` resource and assigning it to the `system:authenticated` group. |
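Review bot: the `subjects:` key appears twice in a row in the `ClusterRoleBinding` (`subjects:` / `subjects:` / `- kind: Group`), which is a duplicate mapping key; strict YAML parsers reject it and `oc apply` of the example as pasted will fail, so one of the two lines should be dropped. Two further points on the same file: the `oc adm policy add-role-to-group view system:authenticated -n tutorial-application-backend2` command targets a namespace that does not match the `project1` named in the caption, the callout and the surrounding prose, so the example does not do what the text says it does; and binding the built-in `view` role to `system:authenticated` grants read access to pods, services, configmaps and other resources in that namespace, far more than the `get` on `namespace` that query RBAC needs, whereas the narrower `Role` described in callout `<1>` is the least-privilege option and reads better as the primary example with the `view` shortcut as the alternative. Minor wording: "Which means users will be able to see traces from all namespaces, however the attributes will be filtered ..." is a sentence fragment; join it to the preceding sentence (", which means users can see traces from all namespaces, but attributes are filtered to the namespaces they have access to"), and "access to the Tempo `dev` tenant and read attributes from the project `project1`" should read "access to the Tempo `dev` tenant and permission to read attributes from the project `project1`".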