You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/latest/modules/en/pages/setup/security/authentication/oidc.adoc
+2-2Lines changed: 2 additions & 2 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -14,7 +14,7 @@ Before you can configure SUSE Observability to authenticate using OIDC, you need
14
14
=== Rancher
15
15
16
16
[NOTE]
17
-
This only works with Rancher 2.12 or later. You need to [configure Rancher as an OIDC provider](https://documentation.suse.com/cloudnative/rancher-manager/latest/en/rancher-admin/users/authn-and-authz/configure-oidc-provider.html).
17
+
This only works with Rancher 2.12 or later. You need to https://documentation.suse.com/cloudnative/rancher-manager/latest/en/rancher-admin/users/authn-and-authz/configure-oidc-provider.html[configure Rancher as an OIDC provider].
18
18
19
19
Create an OIDCClient resource in the Rancher local cluster:
20
20
[,yaml]
@@ -73,7 +73,7 @@ The result of this configuration should produce a *clientId* and a *secret*. Cop
73
73
=== Rancher
74
74
75
75
[NOTE]
76
-
This only works with Rancher 2.12 or later. You need to [configure Rancher as an OIDC provider](https://documentation.suse.com/cloudnative/rancher-manager/latest/en/rancher-admin/users/authn-and-authz/configure-oidc-provider.html).
76
+
This only works with Rancher 2.12 or later. You need to https://documentation.suse.com/cloudnative/rancher-manager/latest/en/rancher-admin/users/authn-and-authz/configure-oidc-provider.html[configure Rancher as an OIDC provider].
77
77
78
78
To configure Rancher as the OIDC provider for SUSE Observability, you need to add the OIDC details to the authentication values:
Copy file name to clipboardExpand all lines: docs/latest/modules/en/pages/setup/security/rbac/rbac_rancher.adoc
+68-27Lines changed: 68 additions & 27 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -8,41 +8,63 @@
8
8
The SUSE Rancher Prime Observability Extension uses Kubernetes RBAC to grant access to Rancher users in SUSE Observability.
9
9
If you do not use Rancher, look at xref:/setup/security/rbac/rbac_roles.adoc[How to set up roles] in a standalone installation.
10
10
11
-
NOTE: for Rancher RBAC to function, authentication for SUSE Observability must be configured with the xref:setup/security/authentication/oidc.adoc#_rancher[Rancher OIDC Provider].
11
+
[NOTE]
12
+
====
13
+
For Rancher RBAC to function,
14
+
15
+
* authentication for {stackstate-product-name} must be configured with the xref:setup/security/authentication/oidc.adoc#_rancher[Rancher OIDC Provider].
16
+
* the {stackstate-product-name} Agent must have the RBAC Agent enabled and must authenticate using a service token.
17
+
====
18
+
19
+
Every authenticated user has the *Instance Basic Access* role that allows them to use the system. These permissions provide access to the views, settings, metric bindings, and lets a user see system notifications. They do NOT grant access to any {stackstate-product-name} data. In order to see any data, a user needs to be given an additional role. Two directions for extending the *Instance Basic Access* role are provided with Rancher *Role Templates*:
12
20
13
-
You can use two kinds of roles for accessing SUSE Observability:
14
-
* A _scope role_ (Observer) grants access to data - either all data in a SUSE Observability instance, data coming from a cluster, or just the data for a namespace. This role is provisioned in a cluster to be observed.
15
-
* An _instance role_ grants permissions to access or modify functionality of SUSE Observability itself. These roles grant access to all data in SUSE Observability.
21
+
Instance Roles:: Enables you to configure or personalize {stacktate-product-name}.
22
+
Scoped Roles:: Grants access to {stackstate-product-name} data from observed clusters.
16
23
17
-
Several `RoleTemplate`s are available to achieve this, with common groupings of permissions. Binding these templates to users or groups on a cluster or namespace triggers roles and role-bindings for provisioning on the target cluster. A description of the default templates is below. It is possible to define your own combinations of permissions in a custom RoleTemplate.
24
+
== Instance roles
18
25
19
-
=== Observer role
26
+
You can assign the *Role Templates* for *Instance Roles* to users or groups in the *Project* that is running {stackstate-product-name}. If no instance roles are explicitly assigned to a member of a project, then they will have the permissions of the *Instance Basic Access* role.
20
27
21
-
The observer role grants a user the permission to read topology, metrics, logs and trace data for a namespace or a cluster. There are three `RoleTemplate`s that grant access to observability data:
28
+
=== Instance roles with access to {stackstate-product-name} data
22
29
23
-
* *Observer* - grants access to data coming from namespaces in a Project. You can use this in the "Project Membership" section of the cluster configuration.
24
-
* *Cluster Observer* - grants access to all data coming from a Cluster. You can use this template in the "Cluster Membership" section of the cluster configuration.
25
-
* *Instance Observer* - grants access to all data in a SUSE Observability instance. You can use this template on the Project that includes SUSE Observability itself.
30
+
A couple of "global" roles allow access to all {stackstate-product-name} data - in any of the observed clusters. These roles are intended to be used for setting up the system and for troubleshooting system-level problems. For users with any of these roles, it is not necessary to configure xref:scoped[Scoped Roles].
26
31
27
-
To use these observer roles, it is recommended that the following role is granted on the Project running SUSE Observability itself:
28
-
* *Recommended Access* - has recommended permissions for using SUSE Observability.
32
+
Instance Admin:: Grants full access to all views and all permissions.
33
+
Instance Troubleshooter:: Grants all permissions required to use SUSE Observability for troubleshooting, including the ability to enable/disable monitors, create custom views, and use the CLI.
34
+
Instance Observer:: Grants access to all data in a SUSE Observability instance.
29
35
30
-
=== Instance roles
36
+
=== Instance roles without access to {stackstate-product-name} data
31
37
32
-
There are two roles predefined in SUSE Observability, for configuring the system. This includes setting up views, monitors, notifications and so on.
33
-
As these concern "global" settings of SUSE Observability, these roles include access to all data in an observability instance.
38
+
These roles need to be combined with the *Instance Observer* role or one of the xref:scoped[Scoped Roles] (see below). Otherwise, no {stackstate-product-name} data is accessible and the UI will show a "No components found" message. This applies to all Rancher users, including users, such as Project owners.
34
39
35
-
* *Instance Troubleshooter* - has all permissions required to use SUSE Observability for troubleshooting, including the ability to enable/disable monitors, create custom views and use the Cli.
36
-
* *Instance Administrator* - has full access to all views and has all permissions.
40
+
Instance Recommended Access:: Grants recommended permissions to use SUSE Observability. This role includes permissions that are not strictly necessary, but provide (limited) means of personalization {stackstate-product-name}.
41
+
Instance Basic Access:: Grants minimal permissions to use {stackstate-product-name}. This role does not need to be explicitly assigned and there is no *Role Template* for it; every logged-in user has it.
37
42
38
43
You can find the permissions assigned to each predefined SUSE Observability role below. For details of the different permissions and how to manage them using the `sts` CLI, see xref:/setup/security/rbac/rbac_permissions.adoc[Role based access control (RBAC) permissions]
39
44
40
45
[tabs]
41
46
====
47
+
Basic Access::
48
+
+
49
+
--
50
+
Basic access grants minimal permissions for using SUSE Observability. To be combined with an Observer (Instance, Cluster or Project).
51
+
These permissions are granted to all users.
52
+
53
+
|===
54
+
|Resource |Verbs
55
+
56
+
|metric-bindings |get
57
+
|settings |get
58
+
|system-notifications |get
59
+
|views |get
60
+
|===
61
+
62
+
--
42
63
Recommended Access::
43
64
+
44
65
--
45
-
Recommended access grants permissions that are not strictly necessary, but that make SUSE Observability a lot more useful.
66
+
Recommended access grants permissions that are not strictly necessary, but that make SUSE Observability a lot more useful. It provides a limited degree of personalization.
67
+
To be combined with an Observer (Instance, Cluster or Project).
46
68
47
69
|===
48
70
|Resource |Verbs
@@ -54,6 +76,20 @@ Recommended access grants permissions that are not strictly necessary, but that
54
76
|visualization-settings |update
55
77
|===
56
78
79
+
--
80
+
Observer::
81
+
+
82
+
--
83
+
Observer grants access to all observability data in a SUSE Observability instance. Combine with *Recommended Access* for a better experience.
84
+
85
+
|===
86
+
|Resource |Verbs
87
+
88
+
|topology |get
89
+
|metrics |get
90
+
|traces |get
91
+
|===
92
+
57
93
--
58
94
Troubleshooter::
59
95
+
@@ -84,7 +120,7 @@ The Troubleshooter role has access to all data available in SUSE Observability a
84
120
|===
85
121
86
122
--
87
-
Administrator::
123
+
Admin::
88
124
+
89
125
--
90
126
The Administrator role has all permissions assigned.
@@ -121,21 +157,27 @@ The Administrator role has all permissions assigned.
121
157
--
122
158
====
123
159
124
-
=== Resource details
160
+
[#scoped]
161
+
== Scoped roles
162
+
163
+
You can assign the following *Role Templates* to users or groups in an observed cluster. They grant access to {stackstate-product-name} data coming from (a *Project* in) the *Cluster*, giving a user permission to read topology, metrics, logs and trace data.
125
164
126
-
These resources correspond to those of xref:/setup/security/rbac/rbac_permissions.adoc[RBAC Permissions]. In particular *scoped permissions* apply to data collected by the SUSE Observability agent and access should typically be limited on a cluster or a namespace level. The following resources are available in the `scope.observability.cattle.io` API Group:
165
+
Observer:: Grants access to data coming from namespaces in a *Project*. You can use this in the *Project Membership* section of the cluster configuration.
166
+
Cluster Observer:: Grants access to all data coming from a *Cluster*. You can use this template in the *Cluster Membership* section of the cluster configuration.
167
+
168
+
The resources in these roles correspond to xref:/setup/security/rbac/rbac_permissions.adoc#_scoped_permissions[Scoped Permissions]. They are available in the `scope.observability.cattle.io` API Group (with just verb `get` as these resources are read only):
127
169
128
170
* `topology` - components (deployments, pods, etcetera) from the cluster or namespace
129
171
* `traces` - spans from the cluster or namespace
130
172
* `metrics` - metric data originating from the cluster or namespace
131
173
132
-
These resources are read only, so the only applicable verb is `get`.
174
+
Note that access to logs is controlled by the `topology` resource.
133
175
134
-
Other permissions, those that are not *scoped*, define user capabilities and access to parts of SUSE Observability. These "system permissions" allow, for example, executing queries or scripts and configuring SUSE Observability. Those are collected from the `instance.observability.cattle.io` API Group.
176
+
Enable personalization for users with these observer roles by granting the *Instance Recommended Access* role on the *Project* running {stackstate-product-name}.
135
177
136
-
=== Custom roles
178
+
== Custom roles
137
179
138
-
To grant additional permissions beyond Recommended Access, create a custom Project `RoleTemplate` in Rancher, inheriting from "SUSE Observability Instance Recommended Access". Then, for example, to grant the rights to view monitors and metric charts, add rules with:
180
+
To grant additional permissions beyond Recommended Access, create a custom Project *RoleTemplate* in Rancher, inheriting from *SUSE Observability Instance Recommended Access*. Then, for example, to grant the rights to view monitors and metric charts, add rules with:
139
181
140
182
* Verb: `get`
141
183
* Resource: `metricbindings` and `monitors`
@@ -145,12 +187,11 @@ image::rancher-custom-role.png[Custom RoleTemplate for richer access]
145
187
146
188
You can specify any resource and verb combination defined in the xref:/setup/security/rbac/rbac_permissions.adoc[RBAC Permissions]. Note that the dashes (`-`) are dropped from resource names, so the permission `get-metric-bindings` becomes the Kubernetes RBAC resource `metricbindings` with the verb `get`.
147
189
190
+
148
191
== Troubleshooting
149
192
150
193
* Verify that the Rbac Agent for the cluster is able to communicate with the platform.
151
194
152
-
NOTE: the Rbac Agent must authenticate using service tokens.
153
-
154
195
* xref:/setup/security/rbac/rbac_permissions.adoc#_list_subjects_for_a_user[Inspect the user subjects] (user and roles).
155
196
** Verify any roles configuration on the OIDC provider.
156
197
* xref:/setup/security/rbac/rbac_permissions.adoc#_show_granted_permissions[Inspect the subject permission]
0 commit comments