Docs: Team LBAC create concept and tasks (#82020)

* create concept and tasks * update docs * formattting * Update docs/sources/administration/data-source-management/teamlbac/create-teamlbac-rules/index.md Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> * Update docs/sources/administration/data-source-management/teamlbac/create-teamlbac-rules/index.md Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> * Update docs/sources/administration/data-source-management/teamlbac/create-teamlbac-rules/index.md Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> * Update docs/sources/administration/data-source-management/teamlbac/create-teamlbac-rules/index.md Co-authored-by: Jack Baldry <jack.baldry@grafana.com> * Update docs/sources/administration/data-source-management/teamlbac/create-teamlbac-rules/index.md Co-authored-by: Jack Baldry <jack.baldry@grafana.com> * Update docs/sources/administration/data-source-management/teamlbac/create-teamlbac-rules/index.md Co-authored-by: Jack Baldry <jack.baldry@grafana.com> * Update docs/sources/administration/data-source-management/teamlbac/_index.md Co-authored-by: Jack Baldry <jack.baldry@grafana.com> * Update docs/sources/administration/data-source-management/teamlbac/create-teamlbac-rules/index.md Co-authored-by: Jack Baldry <jack.baldry@grafana.com> * update of docs * updated w. limitations and explaination of permissions * spelling * formatting * formatting * added another task * formatting --------- Co-authored-by: Alexander Zobnin <alexanderzobnin@gmail.com> Co-authored-by: Jack Baldry <jack.baldry@grafana.com>
2025-02-25 18:55:37 -06:00 · 2024-02-09 10:20:09 +00:00 · 2024-02-09 10:20:09 +00:00 · 3d73cd5c8e
commit 3d73cd5c8e
parent e03a96d09b
4 changed files with 233 additions and 158 deletions
--- a/docs/sources/administration/data-source-management/team_lbac.md
+++ b/docs/sources/administration/data-source-management/team_lbac.md
@ -1,158 +0,0 @@
---
-aliases:
-description: Label based data access for Loki given Teams
-labels:
-  products:
-    - enterprise
-    - cloud
-title: Team LBAC
-weight: 100
---
-
-# Team LBAC
-
-{{% admonition type="note" %}}
-Creating Team LBAC rules is available for preview preview for logs with Loki in Grafana Cloud. Report any unexpected behavior to the Grafana Support team.
-{{% /admonition %}}
-
-Grafana's new Team LBAC (Label Based Access Control) feature for Loki is a significant enhancement that simplifies and streamlines data source access management based on team memberships. Users wanting fine grained access to their logs in Loki, can now configure their users access based on their team memberships.
-
-**LBAC**
-control access to data based on labels. In the context of Loki, it is a way to control access to logs based on labels. Users wanting fine grained access to their logs in Loki, can now configure their users access based on their team memberships via **LogQL**.
-
-This feature addresses two common challenge faced by Grafana users:
-
-1. High volume of Grafana Cloud datasource. Team LBAC lets Grafana Admins reduce the total volume of data sources per instance from hundreds, to one.
-1. Hard for teams to share dashboard. Team LBAC lets Grafana Teams share the same dashboard despite different access control rules.
-
-## Team LBAC rules
-
-Team LBAC rules are added to the http request to Loki data source. Setting up Team LBAC rules for any team will apply those rules to the teams.
-Users who want teams with a specific set of label selectors can add rules for each team.
-
-Configuring multiple rules for a team, each rule is evaluated separately. If a team has `X` number of rules configured for it, all rules will be applied to the request and the result will be the an "OR" operation of the `X` number of rules.
-
-Only users with data source Admin permissions can edit LBAC rules at the data source permissions tab. Changing LBAC rules requires the same access level as editing data source permissions (admin permission for data source).
-
-> "Can I use CAPs (cloud access policies) together with TeamLBAC rules?"
-> No, CAP (cloud access policies) always have precedence. If there are any CAP LBAC configured for the same datasource and there are TeamLBAC rules configured, then only the CAP LBAC will be applied.
-
-Cloud access policies are the access controls from Grafana Cloud, the CAP configured for loki should only to be used to gain read access to the logs.
-
-> "If administrator forget to add rule for a team, what happens?"
-> The teams that does not have a rule applied to it, would be able to query all logs if `query` permissions are setup for their role within Grafana.
-
-**Note:** A user who is part of a team within Grafana without a rule will be able to query all logs if there are role based queriying setup.
-
-#### Best practices
-
-We recommend you only add team LBAC permissions for teams that should use the data source and remove default `Viewer` and `Editor` query permissions.
-
-We recommend for a first setup, setting up as few rules for each team as possible and make them additive and not negated.
-
-For validating the rules, we recommend testing the rules in the Loki Explore view. This will allow you to see the logs that would be returned for the rule.
-
-#### Scenarios
-
-**Scenario 1: One rule setup for each team**
-
-We have two teams, Team A and Team B. Loki access is setup with `Admin` roles to have `Admin` permission only.
-
- Team A has a rule `namespace="dev"`.
-
- Team B has a rule `namespace="prod"`.
-
-A user that is part of Team A will have access to logs that match `namespace="dev"`.
-
-A user that is part of Team B will have access to logs that match `namespace="prod"`.
-
-**Scenario 2: Multiple rules setup for one team**
-
-We have two teams, Team A and Team B. Loki access is setup with `Admin` roles having `Admin` permission.
-
- Team A has rule `cluster="us-west-0", namespace="dev|prod"` configured.
-
- Team B has rule `cluster="us-west-0", namespace="!prod"` configured.
-
-A user that is only part of Team A will have access to logs that match `cluster="us-west-0" AND (namespace="dev" OR namespace="prod")`.
-
-A user that is only part of Team B will have access to logs that match `cluster="us-west-0" AND namespace!="prod"`.
-
-A user that is part of both Team A and Team B will have access to logs that match `cluster="us-west-0" AND (namespace="dev" OR namespace="prod") OR (is this true?) (cluster="us-west-0" AND namespace!="prod")`.
-
-A user that is **not** part of any Team with `Editor/Viewer` role will not have access to query any logs.
-
-**Important**
-
-A `Admin` user that is part of a Team with will only have access to that teams logs
-
-A `Admin` user that is not part of any Team with `Admin` role will have access to all logs
-
-**Scenario 3: Rules that overlap**
-
-We have two teams, Team A and Team B.
-
- Team A has a rule `namespace="dev"`.
-
- Team B has a rule `namespace!="dev"`.
-
-A user in Team A will have access to logs that match `namespace="dev"`.
-
-A user in Team b will have access to logs that match `namespace!="dev"`.
-
-> _NOTE:_ A user that is part of Team A and Team B will have access to all logs that match `namespace="dev"` `OR` `namespace!="dev"`.
-
-**Scenario 4: One rule setup for a Team**
-
-We have two teams, Team A and Team B. Loki access is setup with `Editor`, `Viewer` roles to have `Query` permission.
-
- Team A has a rule `namespace="dev"` configured.
-
- Team B does not have a rule configured for it.
-
-A user that is part of Team A will have access to logs that match `namespace="dev"`.
-
-A user that is part of Team A and part of Team B will have access to logs that match `namespace="dev"`.
-
-A user that is not part of Team A and part of Team B, that is `Editor` or `Viewer` will have access to all logs (due to the query permission for the user).
-
-## Setting up Team LBAC rules
-
-To be able to use Team LBAC rules, you need to enable the feature toggle `teamHTTPHeaders` on your Grafana instance. Contact support to enable the feature toggle for you.
-
-### Prerequisites
-
-### Required permissions
-
-Ensure you have administrative access to Grafana Cloud (GCom) and the necessary permissions to configure data sources and access policies. You will need to have access to the teams you want to configure rules for.
-
-To configure Team LBAC rules, you need to have admin permissions for the data source and edit permissions on the teams you want to configure rules for.
-
-### Steps to Configure Team LBAC Rules for a team
-
-1. Navigate to your Loki datasource
-1. Navigate to the permissions tab
-   - Here, you'll find the Team LBAC rules section.
-1. Add a Team LBAC Rule
-   - Add a new rule for the team in the Team LBAC rules section.
-1. Define Label Selector for the Rule
-   - Add a label selector to the rule. Refer to Loki query documentation for guidance on the types of log selections you can specify.
-
-### Steps to Configure Team LBAC Rules for a new Loki data source
-
-1. Access Loki data sources details for your stack through grafana.com
-1. Copy Loki Details and Create a CAP
-   - Copy the details of your Loki setup.
-   - Create a Cloud Access Policy (CAP) for the Loki data source in grafana.com.
-   - Ensure the CAP includes `logs:read` permissions.
-1. Create a New Loki Data Source
-   - In Grafana, proceed to add a new data source and select Loki as the type.
-1. Navigate back to the Loki data source
-   - Set up the Loki data source using basic authentication. Use the userID as the username. Use the generated CAP token as the password.
-   - Save and connect.
-1. Navigate to Data Source Permissions
-   - Go to the permissions tab of the newly created Loki data source. Here, you'll find the Team LBAC rules section.
-1. Add a Team LBAC Rule
-   - Add a new rule for the team in the Team LBAC rules section.
-1. Define Label Selector for the Rule
-   - Add a label selector to the rule. Refer to Loki query documentation for guidance on the types of log selections you can specify.
--- a/docs/sources/administration/data-source-management/teamlbac/_index.md
+++ b/docs/sources/administration/data-source-management/teamlbac/_index.md
@ -0,0 +1,70 @@
+---
+description: Label based data access for Loki given Teams
+keywords:
+  - grafana
+  - loki
+  - lbac
+labels:
+  products:
+    - enterprise
+    - cloud
+title: Team LBAC
+weight: 100
+---
+
+# Team LBAC
+
+{{% admonition type="note" %}}
+Creating Team LBAC rules is available for preview preview for logs with Loki in Grafana Cloud. Report any unexpected behavior to the Grafana Support team.
+{{% /admonition %}}
+
+**Current Limitation:**
+
+- Any user with `query` permissions for a Loki data source can query all logs if there are no Team LBAC rules configured for any of the users team.
+- An admin that is part of a team, would have it's Team LBAC rules applied to the request.
+
+Grafana's new **Team LBAC** (Label Based Access Control) feature for Loki is a significant enhancement that simplifies and streamlines data source access management based on team memberships.
+
+**Team LBAC** in the context of Loki, is a way to control access to logs based on labels present depending on the rules set for each team. Users wanting fine grained access to their logs in Loki, can now configure their users access based on their team memberships via **LogQL**.
+
+This feature addresses two common challenge faced by Grafana users:
+
+1. High volume of Grafana Cloud datasource. Team LBAC lets Grafana Admins reduce the total volume of data sources per instance from hundreds, to one.
+1. Hard for teams to share dashboard. Team LBAC lets Grafana Teams share the same dashboard despite different access control rules.
+
+For setting up Team LBAC for a Loki data source, refer to [Configure Team LBAC]({{< relref "./configure-teamlbac-for-loki/" >}}).
+
+#### Datasource Permissions
+
+Datasource permissions allow the users access to query the datasource. The permissions are set at the datasource level and are inherited by all the teams and users that are part of the datasource.
+
+We recommend to create a new loki datasource for Team LBAC rules with only teams having `query` permission. This will allow you to have a clear separation of datasources for Team LBAC and the datasources that are not using Team LBAC.
+
+## Team LBAC rules
+
+Team LBAC rules are added to the http request to Loki data source. Setting up Team LBAC rules for any team will apply those rules to the teams.
+Users who want teams with a specific set of label selectors can add rules for each team.
+
+Configuring multiple rules for a team, each rule is evaluated separately. If a team has `X` number of rules configured for it, all rules will be applied to the request and the result will be the an "OR" operation of the `X` number of rules.
+
+Only users with data source Admin permissions can edit LBAC rules at the data source permissions tab. Changing LBAC rules requires the same access level as editing data source permissions (admin permission for data source).
+
+For setting up Team LBAC Rules for the data source, refer to [Create Team LBAC rules]({{< relref "./create-teamlbac-rules/" >}}).
+
+### FAQ
+
+> #### "If a team does not have a rule, what happens?"
+
+If a team does not have a rule; any users that are part of that team having query permissions for loki will have access to **all** logs.
+
+> #### "Can I use CAPs (cloud access policies) together with TeamLBAC rules?"
+
+No, CAP (cloud access policies) always have precedence. If there are any CAP LBAC configured for the same datasource and there are TeamLBAC rules configured, then only the CAP LBAC will be applied.
+
+Cloud access policies are the access controls from Grafana Cloud, the CAP configured for loki should only to be used to gain read access to the logs.
+
+> #### "If administrator forget to add rule for a team, what happens?"
+
+The teams that does not have a rule applied to it, would be able to query all logs if `query` permissions are setup for their role within Grafana.
+
+**Note:** A user who is part of a team within Grafana without a rule will be able to query all logs if there are role based queriying setup.
--- a/docs/sources/administration/data-source-management/teamlbac/configure-teamlbac-for-loki/index.md
+++ b/docs/sources/administration/data-source-management/teamlbac/configure-teamlbac-for-loki/index.md
@ -0,0 +1,45 @@
+---
+description: Configure Team LBAC for Loki data source on Grafana Cloud
+keywords:
+  - loki
+  - datasource
+  - team
+labels:
+  products:
+    - cloud
+title: Configure Team LBAC for Loki
+weight: 250
+---
+
+# Configure Team LBAC for Loki data source on Grafana Cloud
+
+Team LBAC is available in private preview on Grafana Cloud for Loki created with basic authentication. Loki datasources for Team LBAC can only be created, provisioning is currently not available.
+
+## Before you begin
+
+To be able to use Team LBAC rules, you need to enable the feature toggle `teamHTTPHeaders` on your Grafana instance. Contact support to enable the feature toggle for you.
+
+- Be sure that you have the permission setup to create a loki tenant in Grafana Cloud
+- Be sure that you have admin data source permissions for Grafana.
+
+### Permissions
+
+We recommend that you remove all permissions for roles and teams that are not required to access the data source. This will help to ensure that only the required teams have access to the data source. The recommended permissions are `Admin` permission and only add the teams `Query` permissions that you want to add Team LBAC rules for.
+
+## Task 1: Configure Team LBAC for a new Loki data source
+
+1. Access Loki data sources details for your stack through grafana.com
+1. Copy Loki Details and Create a CAP
+   - Copy the details of your Loki setup.
+   - Create a Cloud Access Policy (CAP) for the Loki data source in grafana.com.
+   - Ensure the CAP includes `logs:read` permissions.
+   - Ensure the CAP does not include `labels` rules.
+1. Create a New Loki Data Source
+   - In Grafana, proceed to add a new data source and select Loki as the type.
+1. Navigate back to the Loki data source
+   - Set up the Loki data source using basic authentication. Use the userID as the username. Use the generated CAP token as the password.
+   - Save and connect.
+1. Navigate to Data Source Permissions
+   - Go to the permissions tab of the newly created Loki data source. Here, you'll find the Team LBAC rules section.
+
+For more information on how to setup Team LBAC rules for a Loki data source, [Add Team LBAC rules]({{< relref "./../create-teamlbac-rules/" >}}).
--- a/docs/sources/administration/data-source-management/teamlbac/create-teamlbac-rules/index.md
+++ b/docs/sources/administration/data-source-management/teamlbac/create-teamlbac-rules/index.md
@ -0,0 +1,118 @@
+---
+description: Learn how to create Team LBAC rules for the Loki data source.
+keywords:
+  - loki
+  - lbac
+  - team
+labels:
+  products:
+    - enterprise
+    - cloud
+title: Create Team LBAC rules for the Loki data source
+weight: 250
+---
+
+# Create Team LBAC rules for the Loki data source
+
+Team LBAC is available on Cloud for data sources created with basic authentication. Any managed Loki data source can **NOT** be configured with Team LBAC rules.
+
+## Before you begin
+
+- Be sure that you have admin data source permissions for Grafana.
+- Be sure that you have a team setup in Grafana.
+
+### Create a Team LBAC Rule for a team
+
+1. Navigate to your Loki datasource
+1. Navigate to the permissions tab
+   - Here, you'll find the Team LBAC rules section.
+1. Add a Team LBAC Rule
+   - Add a new rule for the team in the Team LBAC rules section.
+1. Define Label Selector for the Rule
+   - Add a label selector to the rule. Refer to Loki query documentation for guidance on the types of log selections you can specify.
+
+#### Best practices
+
+We recommend you only add `query` permissions for teams that should use the data source and only `Admin` have `Admin` permissions.
+
+We recommend for a first setup, setting up as few rules as possible for each team and make them additive for simplicity.
+
+For validating the rules, we recommend testing the rules in the Loki Explore view. This will allow you to see the logs that would be returned for the rule.
+
+#### Tasks
+
+### Task 1: One rule setup for each team
+
+One common use case for creating an LBAC policy is to have specific access to logs that have a specific label. For example, you can create a label policy that includes all log lines with the label.
+
+We have two teams, Team A and Team B with `Query` permissions. Loki access is setup with `Admin` roles to have `Admin` permission only.
+
+- Team A has a rule `namespace="dev"`.
+
+- Team B has a rule `namespace="prod"`.
+
+A user that is part of Team A will have access to logs that match `namespace="dev"`.
+
+A user that is part of Team B will have access to logs that match `namespace="prod"`.
+
+A user that is part of Team A and Team B will have access to logs that match `namespace="dev"` OR `namespace="prod"`.
+
+### Task 2: One rule setup for a team Exclude a label
+
+One common use case for creating an LBAC policy is to exclude logs that have a specific label. For example, you can create a label policy that excludes all log lines with the label secret=true by adding a selector with `secret!="true"` when you create an access policy:
+
+We have one team, Team A `Query` permissions. Loki access is setup with `Admin` roles to have `Admin` permission only.
+
+- Team A has a rule `secret!="true"`.
+
+A user that is part of Team A will **NOT** have access to logs that match `secret!="true"`.
+
+### Task 3: Multiple rules setup for one team
+
+We have two teams, Team A and Team B with `Query` permissions. Loki access is setup with `Admin` roles having `Admin` permission.
+
+- Team A has rule `cluster="us-west-0", namespace=~"dev|prod"` configured.
+
+- Team B has rule `cluster="us-west-0", namespace="staging"` configured.
+
+A user that is only part of Team A will have access to logs that match `cluster="us-west-0" AND (namespace="dev" OR namespace="prod")`.
+
+A user that is only part of Team B will have access to logs that match `cluster="us-west-0" AND namespace="staging"`.
+
+A user in Team A has access to logs in cluster us-west-0 with namespaces `dev` and `prod`. A user in Team B has access to to everything in cluster us-west-0, except namespace prod. So basically, user who is member of both team A and team B has access to everything in cluster us-west-0.
+
+A user that is **not** part of any Team with `Editor/Viewer` role will not have access to query any logs.
+
+**Important**
+
+A `Admin` user that is part of a Team with will only have access to that teams logs
+
+A `Admin` user that is not part of any Team with `Admin` role will have access to all logs
+
+### Task 4: Rules that overlap
+
+We have two teams, Team A and Team B.
+
+- Team A has a rule `namespace="dev"`.
+
+- Team B has a rule `namespace!="dev"`.
+
+A user in Team A will have access to logs that match `namespace="dev"`.
+
+A user in Team B will have access to logs that match `namespace!="dev"`.
+
+> _NOTE:_ A user that is part of Team A and Team B will have access to all logs that match `namespace="dev"` `OR` `namespace!="dev"`.
+
+### Task 5: One rule setup for a Team
+
+We have two teams, Team A and Team B. Loki access is setup with `Editor`, `Viewer` roles to have `Query` permission.
+
+- Team A has a rule `namespace="dev"` configured.
+
+- Team B does not have a rule configured for it.
+
+A user that is part of Team A will have access to logs that match `namespace="dev"`.
+
+A user that is part of Team A and part of Team B will have access to logs that match `namespace="dev"`.
+
+A user that is not part of Team A and part of Team B, that is `Editor` or `Viewer` will have access to all logs (due to the query permission for the user).