| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * observability/distr_tracing/distr-tracing-tempo-configuring.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: REFERENCE |
| 6 | +[id="distr-tracing-tempo-config-query-rbac_{context}"] |
| 7 | += Query RBAC |
| 8 | + |
| 9 | +Query Role-Based Access Control (RBAC) allows users to see attributes only for spans that originate from the namespaces that the users have access to. |
| 10 | +Although a user can see traces from all namespaces, the attributes are filtered by the namespaces accessible to the user. The `service.name` and `k8s.namespace.name` attributes are filtered for all users. |
| 11 | + |
| 12 | +.Example `TempoStack` custom resource with enabled multitenancy and query RBAC |
| 13 | +[source,yaml] |
| 14 | +---- |
| 15 | +apiVersion: tempo.grafana.com/v1alpha1 |
| 16 | +kind: TempoStack |
| 17 | +metadata: |
| 18 | + name: simplest |
| 19 | + namespace: chainsaw-multitenancy |
| 20 | +spec: |
| 21 | + storage: |
| 22 | + secret: |
| 23 | + name: minio |
| 24 | + type: s3 |
| 25 | + storageSize: 1Gi |
| 26 | + resources: |
| 27 | + total: |
| 28 | + limits: |
| 29 | + memory: 2Gi |
| 30 | + cpu: 2000m |
| 31 | + tenants: |
| 32 | + mode: openshift |
| 33 | + authentication: |
| 34 | + - tenantName: dev |
| 35 | + tenantId: "1610b0c3-c509-4592-a256-a1871353dbfb" |
| 36 | + template: |
| 37 | + gateway: |
| 38 | + enabled: true # <1> |
| 39 | + rbac: |
| 40 | + enabled: true # <2> |
| 41 | + queryFrontend: |
| 42 | + jaegerQuery: |
| 43 | + enabled: false # <3> |
| 44 | +---- |
| 45 | +<1> Always set to `true`. |
| 46 | +<2> Always set to `true`. |
| 47 | +<3> Always set to `false`. |
| 48 | + |
| 49 | +:_mod-docs-content-type: REFERENCE |
| 50 | +[id="distr-tracing-tempo-config-query-rbac-configure_{context}"] |
| 51 | +== Configuration |
| 52 | + |
| 53 | +The following example gives OpenShift authenticated users access to the Tempo `dev` tenant and read attributes from the project `project1`. |
| 54 | + |
| 55 | +.ClusterRole and ClusterRoleBinding to give authenticated users access to the `dev` tenant. |
| 56 | +[source,yaml] |
| 57 | +---- |
| 58 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 59 | +kind: ClusterRole |
| 60 | +metadata: |
| 61 | + name: tempo-dev-read |
| 62 | +rules: |
| 63 | +- apiGroups: [tempo.grafana.com] |
| 64 | + resources: [dev] # <1> |
| 65 | + resourceNames: [traces] |
| 66 | + verbs: [get] |
| 67 | +--- |
| 68 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 69 | +kind: ClusterRoleBinding |
| 70 | +metadata: |
| 71 | + name: tempo-dev-read |
| 72 | +roleRef: |
| 73 | + apiGroup: rbac.authorization.k8s.io |
| 74 | + kind: ClusterRole |
| 75 | + name: tempo-dev-read |
| 76 | +subjects: |
| 77 | +subjects: |
| 78 | + - kind: Group |
| 79 | + apiGroup: rbac.authorization.k8s.io |
| 80 | + name: system:authenticated # <2> |
| 81 | +---- |
| 82 | + |
| 83 | +<1> Refers to the tenant name defined in the `TempoStack` custom resource. |
| 84 | +<2> Refers to all authenticated OpenShift users. |
| 85 | + |
| 86 | +The second step is to give authenticated users access to the project `project1`. |
| 87 | + |
| 88 | +.Command to give authenticated users access to the project `project1`. |
| 89 | +[source,bash] |
| 90 | +---- |
| 91 | +oc adm policy add-role-to-group view system:authenticated -n tutorial-application-backend2 # <1> |
| 92 | +---- |
| 93 | + |
| 94 | +<1> Alternatively the access can be granted by creating a `Role` in the `project1` with `get` verb on `namespace` resource and assigning it to the `system:authenticated` group. |
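Review bot: the `ClusterRoleBinding` at the end of the first YAML example carries the `subjects:` key twice in a row (`+subjects:` / `+subjects:`), which is a duplicate mapping key; strict YAML parsers reject it and a lenient one silently keeps only one copy, so drop the extra line. Second, the prose and the block title promise access to the project `project1`, but the command grants it on a different namespace: `oc adm policy add-role-to-group view system:authenticated -n tutorial-application-backend2`; change either the `-n` argument or the surrounding text so they agree, because a reader copying the command as written would bind the wrong project. Third, the `view` role in that command gives every authenticated user read access to most resources in the project, far more than query RBAC needs; callout <1> already states that a `Role` with only the `get` verb on the `namespace` resource is sufficient, so consider making that narrower `Role` the primary example and the `view` role the alternative. Minor: the `:_mod-docs-content-type: REFERENCE` attribute is repeated before the `== Configuration` heading although this is a single module; the three callouts `Always set to true` / `Always set to false` would be more useful with a short reason for each constraint; and "gives OpenShift authenticated users access to the Tempo `dev` tenant and read attributes from the project `project1`" should read "and lets them read attributes from the project `project1`".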