openshift · jeana-redhat · Jun 17, 2025 · Feb 20, 2025
diff --git a/modules/distr-tracing-tempo-config-query-rbac.adoc b/modules/distr-tracing-tempo-config-query-rbac.adoc
@@ -0,0 +1,107 @@
+// Module included in the following assemblies:
+//
+// * observability/distr_tracing/distr-tracing-tempo-configuring.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="distr-tracing-tempo-configuring-query-rbac_{context}"]
+= Configuring the query RBAC
+
+As an administrator, you can set up the query role-based access control (RBAC) to filter the span attributes for your users by the namespaces for which you granted them permissions.
+
+[NOTE]
+====
+When you enable the query RBAC, users can still access traces from all namespaces, and the `service.name` and `k8s.namespace.name` attributes are also visible to all users.
+====
+
+.Prerequisites
+
+* An active {oc-first} session by a cluster administrator with the `cluster-admin` role.
++
+[TIP]
+====
+* Ensure that your {oc-first} version is up to date and matches your {product-title} version.
+
+* Run `oc login`:
++
+[source,terminal]
+----
+$ oc login --username=<your_username>
+----
+====
+
+.Procedure
+
+. Enable multitenancy and query RBAC in the `TempoStack` custom resource (CR), for example:
++
+[source,yaml]
+----
+apiVersion: tempo.grafana.com/v1alpha1
+kind: TempoStack
+metadata:
+  name: simplest
+  namespace: chainsaw-multitenancy
+spec:
+  storage:
+    secret:
+      name: minio
+      type: s3
+  storageSize: 1Gi
+  resources:
+    total:
+      limits:
+        memory: 2Gi
+        cpu: 2000m
+  tenants:
+    mode: openshift
+    authentication:
+      - tenantName: dev
+        tenantId: "1610b0c3-c509-4592-a256-a1871353dbfb"
+  template:
+    gateway:
+      enabled: true # <1>
+      rbac:
+        enabled: true # <2>
+    queryFrontend:
+      jaegerQuery:
+        enabled: false # <3>
+----
+<1> Always set to `true`.
+<2> Always set to `true`.
+<3> Always set to `false`.
+
+. Create a cluster role and cluster role binding to grant the target users the permissions to access the tenant that you specified in the `TempoStack` CR, for example:
++
+[source,yaml]
+----
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: tempo-dev-read
+rules:
+- apiGroups: [tempo.grafana.com]
+  resources: [dev] # <1>
+  resourceNames: [traces]
+  verbs: [get]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: tempo-dev-read
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: tempo-dev-read
+subjects:
+  - kind: Group
+    apiGroup: rbac.authorization.k8s.io
+    name: system:authenticated # <2>
+----
+<1> Tenant name in the `TempoStack` CR.
+<2> Means all authenticated OpenShift users.
+
+. Grant the target users the permissions to read attributes for the project. You can do this by running the following command:
++
+[source,bash]
+----
+$ oc adm policy add-role-to-user view <username> -n <project>
+----
diff --git a/observability/distr_tracing/distr-tracing-tempo-configuring.adoc b/observability/distr_tracing/distr-tracing-tempo-configuring.adoc
@@ -60,6 +60,8 @@ include::modules/distr-tracing-tempo-config-receiver-tls-for-tempomonolithic.ado
 * xref:../../security/certificates/service-serving-certificate.adoc#understanding-service-serving_service-serving-certificate[Understanding service serving certificates]
 * xref:../../security/certificate_types_descriptions/service-ca-certificates.adoc#cert-types-service-ca-certificates[Service CA certificates] 
 
+include::modules/distr-tracing-tempo-config-query-rbac.adoc[leveloffset=+1]
+
 [id="taints-and-tolerations_{context}"]
 == Using taints and tolerations