| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * observability/distr_tracing/distr-tracing-tempo-configuring.adoc |
| 4 | + |
| 5 | +:_mod-docs-content-type: PROCEDURE |
| 6 | +[id="distr-tracing-tempo-configuring-query-rbac_{context}"] |
| 7 | += Configuring the query RBAC |
| 8 | + |
| 9 | +As an administrator, you can set up the query role-based access control (RBAC) to filter the span attributes for your users by the namespaces for which you granted them permissions. |
| 10 | + |
| 11 | +[NOTE] |
| 12 | +==== |
| 13 | +When you enable the query RBAC, users can still access traces from all namespaces, and the `service.name` and `k8s.namespace.name` attributes are also visible to all users. |
| 14 | +==== |
| 15 | + |
| 16 | +.Prerequisites |
| 17 | + |
| 18 | +* An active {oc-first} session by a cluster administrator with the `cluster-admin` role. |
| 19 | ++ |
| 20 | +[TIP] |
| 21 | +==== |
| 22 | +* Ensure that your {oc-first} version is up to date and matches your {product-title} version. |
| 23 | +
|
| 24 | +* Run `oc login`: |
| 25 | ++ |
| 26 | +[source,terminal] |
| 27 | +---- |
| 28 | +$ oc login --username=<your_username> |
| 29 | +---- |
| 30 | +==== |
| 31 | +
|
| 32 | +.Procedure |
| 33 | + |
| 34 | +. Enable multitenancy and query RBAC in the `TempoStack` custom resource (CR), for example: |
| 35 | ++ |
| 36 | +[source,yaml] |
| 37 | +---- |
| 38 | +apiVersion: tempo.grafana.com/v1alpha1 |
| 39 | +kind: TempoStack |
| 40 | +metadata: |
| 41 | + name: simplest |
| 42 | + namespace: chainsaw-multitenancy |
| 43 | +spec: |
| 44 | + storage: |
| 45 | + secret: |
| 46 | + name: minio |
| 47 | + type: s3 |
| 48 | + storageSize: 1Gi |
| 49 | + resources: |
| 50 | + total: |
| 51 | + limits: |
| 52 | + memory: 2Gi |
| 53 | + cpu: 2000m |
| 54 | + tenants: |
| 55 | + mode: openshift |
| 56 | + authentication: |
| 57 | + - tenantName: dev |
| 58 | + tenantId: "1610b0c3-c509-4592-a256-a1871353dbfb" |
| 59 | + template: |
| 60 | + gateway: |
| 61 | + enabled: true # <1> |
| 62 | + rbac: |
| 63 | + enabled: true # <2> |
| 64 | + queryFrontend: |
| 65 | + jaegerQuery: |
| 66 | + enabled: false # <3> |
| 67 | +---- |
| 68 | +<1> Always set to `true`. |
| 69 | +<2> Always set to `true`. |
| 70 | +<3> Always set to `false`. |
| 71 | + |
| 72 | +. Create a cluster role and cluster role binding to grant the target users the permissions to access the tenant that you specified in the `TempoStack` CR, for example: |
| 73 | ++ |
| 74 | +[source,yaml] |
| 75 | +---- |
| 76 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 77 | +kind: ClusterRole |
| 78 | +metadata: |
| 79 | + name: tempo-dev-read |
| 80 | +rules: |
| 81 | +- apiGroups: [tempo.grafana.com] |
| 82 | + resources: [dev] # <1> |
| 83 | + resourceNames: [traces] |
| 84 | + verbs: [get] |
| 85 | +--- |
| 86 | +apiVersion: rbac.authorization.k8s.io/v1 |
| 87 | +kind: ClusterRoleBinding |
| 88 | +metadata: |
| 89 | + name: tempo-dev-read |
| 90 | +roleRef: |
| 91 | + apiGroup: rbac.authorization.k8s.io |
| 92 | + kind: ClusterRole |
| 93 | + name: tempo-dev-read |
| 94 | +subjects: |
| 95 | + - kind: Group |
| 96 | + apiGroup: rbac.authorization.k8s.io |
| 97 | + name: system:authenticated # <2> |
| 98 | +---- |
| 99 | +<1> Tenant name in the `TempoStack` CR. |
| 100 | +<2> Means all authenticated OpenShift users. |
| 101 | + |
| 102 | +. Grant the target users the permissions to read attributes for the project. You can do this by running the following command: |
| 103 | ++ |
| 104 | +[source,bash] |
| 105 | +---- |
| 106 | +$ oc adm policy add-role-to-user view <username> -n <project> |
| 107 | +---- |
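Review bot: the `ClusterRoleBinding` example binds the `tempo-dev-read` role to `system:authenticated`, so every logged-in user can read the `dev` tenant; together with the NOTE that users can still access traces from all namespaces, the example hands out broader access than the procedure's stated goal of filtering by the namespaces a user was granted. Suggest binding to a specific group placeholder (for example `name: <group_name>`) and saying explicitly that `system:authenticated` is only for a demonstration. Smaller points in the same hunk: `namespace: chainsaw-multitenancy` and the hard-coded `tenantId` read like values copied from a test fixture and would be clearer as placeholders; the three callouts "Always set to `true`" / "Always set to `false`" state the value but not why it is required, which is what a reader of a configuration procedure wants; the final step should say that `<project>` is the namespace whose span attributes should become visible to the user, since that is the permission the query RBAC filter keys on; and the last block uses `[source,bash]` while the `oc login` block uses `[source,terminal]`.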