openshift · max-cx · Feb 20, 2025
diff --git a/modules/distr-tracing-tempo-config-query-rbac.adoc b/modules/distr-tracing-tempo-config-query-rbac.adoc
@@ -0,0 +1,94 @@
+// Module included in the following assemblies:
+//
+// * observability/distr_tracing/distr-tracing-tempo-configuring.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="distr-tracing-tempo-config-query-rbac_{context}"]
+= Query RBAC
+
+Query Role-Based Access Control (RBAC) allows users to see attributes only for spans that originate from the namespaces that the users have access to.
+Although a user can see traces from all namespaces, the attributes are filtered by the namespaces accessible to the user. The `service.name` and `k8s.namespace.name` attributes are filtered for all users.
+
+.Example `TempoStack` custom resource with enabled multitenancy and query RBAC
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind:  TempoStack
+metadata:
+  name: simplest
+  namespace: chainsaw-multitenancy
+spec:
+  storage:
+    secret:
+      name: minio
+      type: s3
+  storageSize: 1Gi
+  resources:
+    total:
+      limits:
+        memory: 2Gi
+        cpu: 2000m
+  tenants:
+    mode: openshift
+    authentication:
+      - tenantName: dev
+        tenantId: "1610b0c3-c509-4592-a256-a1871353dbfb"
+  template:
+    gateway:
+      enabled: true # <1>
+    rbac:
+      enabled: true # <2>
+    queryFrontend:
+      jaegerQuery:
+        enabled: false # <3>
+----
+<1> Always set to `true`.
+<2> Always set to `true`.
+<3> Always set to `false`.
+
+:_mod-docs-content-type: REFERENCE
+[id="distr-tracing-tempo-config-query-rbac-configure_{context}"]
+== Configuration
+
+The following example gives OpenShift authenticated users access to the Tempo `dev` tenant and read attributes from the project `project1`.
+
+.ClusterRole and ClusterRoleBinding to give authenticated users access to the `dev` tenant.
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tempo-dev-read
+rules:
+- apiGroups: [tempo.grafana.com]
+  resources: [dev]  # <1>
+  resourceNames: [traces]
+  verbs: [get]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tempo-dev-read
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tempo-dev-read
+subjects:
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: system:authenticated # <2>
+----
+
+<1> Refers to the tenant name  defined in the `TempoStack` custom resource.
+<2> Refers to all authenticated OpenShift users.
+
+The second step is to give authenticated users access to the project `project1`.
+
+.Command to give authenticated users access to the project `project1`.
+[source,bash]
+----
+oc adm policy add-role-to-group view system:authenticated -n tutorial-application-backend2  # <1>
+----
+
+<1> Alternatively the access can be granted by creating a `Role` in the `project1` with `get` verb on `namespace` resource and assigning it to the `system:authenticated` group.
diff --git a/observability/distr_tracing/distr-tracing-tempo-configuring.adoc b/observability/distr_tracing/distr-tracing-tempo-configuring.adoc
@@ -60,6 +60,8 @@ include::modules/distr-tracing-tempo-config-receiver-tls-for-tempomonolithic.ado
 * xref:../../security/certificates/service-serving-certificate.adoc#understanding-service-serving_service-serving-certificate[Understanding service serving certificates]
 * xref:../../security/certificate_types_descriptions/service-ca-certificates.adoc#cert-types-service-ca-certificates[Service CA certificates] 
 
+include::modules/distr-tracing-tempo-config-query-rbac.adoc[leveloffset=+1]
+
 [id="taints-and-tolerations_{context}"]
 == Using taints and tolerations