Docs: Add http docs for lbac for datasources (#93399)

* Add: http docs for lbac for datasources

* spelling

* update with only cloud loki

* rename to lbac for datasources

* moved it

* Update _index.md

This commit fixes minor style and punctuation issues

* change datasource to data source

* replace datasource with data source

minor updates and style fixes

* minor style changes

* prettier

---------

Co-authored-by: Irene Rodriguez <irene.rodriguez@grafana.com>
Eric Leijonmarck 2024-09-18 11:54:21 +01:00 committed by GitHub
parent af42f31fe6
commit 6ee7f7dc79
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
4 changed files with 166 additions and 63 deletions


@ -8,67 +8,63 @@ labels:
products:
- enterprise
- cloud
title: Team LBAC
title: Label Based Access Control (LBAC) for data sources
weight: 100
---
# Team LBAC
# Label Based Access Control (LBAC) for data sources
Team Label Based Access Control (LBAC) simplifies and streamlines data source access management based on team memberships.
Label Based Access Control (LBAC) simplifies and streamlines data source access management based on team memberships.
{{< admonition type="note" >}}
Creating Team LBAC rules is available for preview for logs with Loki in Grafana Cloud.
LBAC rules is available for preview for logs with Loki in Grafana Cloud.
Report any unexpected behavior to the Grafana Support team.
To use Team LBAC rules you must enable the `teamHttpHeaders` feature toggle because the feature uses HTTP headers for the LBAC rules requests.
- Be sure that you are running Grafana Enterprise.
{{< /admonition >}}
To use LBAC rules you must enable the `teamHttpHeaders` feature toggle because the feature uses HTTP headers for the LBAC rules requests.
{{< /admonition >}}
You can configure user access based upon team memberships using LogQL.
Team LBAC controls access to logs depending on the rules set for each team.
LBAC for data sources controls access to logs depending on the rules set for each team.
This feature addresses two common challenges faced by Grafana users:
1. Having a high number of Grafana Cloud data sources.
Team LBAC lets Grafana administrators reduce the total number of data sources per instance from hundreds, to one.
LBAC for data sources lets Grafana administrators reduce the total number of data sources per instance from hundreds, to one.
1. Using the same dashboard across multiple teams.
Team LBAC lets Grafana Teams use the same dashboard with different access control rules.
LBAC for data sources lets Grafana Teams use the same dashboard with different access control rules.
To set up Team LBAC for a Loki data source, refer to [Configure Team LBAC](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/teamlbac/configure-teamlbac-for-loki/).
To set up LBAC for data sources for a Loki data source, refer to [Configure LBAC for data sources](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/teamlbac/configure-teamlbac-for-loki/).
## Limitations
- There is a set number of rules to be configured within a datasource, depending on the size of the rules.
- There is a set number of rules to be configured within a data source, depending on the size of the rules.
- Around ~500-600 rules is the upper limit.
- If there are no Team LBAC rules for a user's team, that user can query all logs.
- If an administrator is part of a team with Team LBAC rules, those rules are applied to the administrator requests.
- Cloud Access Policies (CAP) LBAC rules override Team LBAC rules.
Cloud Access Policies are the access controls from Grafana Cloud.
If there are any CAP LBAC rules configured for the same data source, then only the CAP LBAC rules are applied.
- If there are no LBAC for data sources rules for a user's team, that user can query all logs.
- If an administrator is part of a team with LBAC for data sources rules, those rules are applied to the administrator requests.
- Cloud Access Policy (CAP) LBAC rules override LBAC for data sources rules.
CAP are the access controls from Grafana Cloud.
You must remove any label selectors from your Cloud Access Policies to use Team LBAC.
For more information about CAP label selectors, refer to [Use label-based access control (LBAC) with access policies](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/label-access-policies/).
You must remove any label selectors from your Cloud Access Policy that is configured for the Loki data source, otherwise the CAP label selectors override the LBAC for data sources rules. For more information about CAP label selectors, refer to [Use label-based access control (LBAC) with access policies](https://grafana.com/docs/grafana-cloud/account-management/authentication-and-permissions/access-policies/label-access-policies/).
## Data source permissions
Data source permissions allow the users access to query the data source.
Administrators set the permissions at the data source level.
All the teams and users that are part of the data source inherit those permissions.
- Data source permissions allow the users access to query the data source.
- Administrators set the permissions at the data source level.
- All the teams and users that are part of the data source inherit those permissions.
## Recommended setup
It's recommended that you create a single Loki data source for using Team LBAC rules so you have a clear separation of data sources using Team LBAC and those that aren't.
It's recommended that you create a single Loki data source for using LBAC for data sources rules so you have a clear separation of data sources using LBAC for data sources and those that aren't.
All teams should have with only teams having `query` permission.
You should create another Loki data source configured without Team LBAC for full access to the logs.
You should create another Loki data source configured without LBAC for data sources for full access to the logs.
## Team LBAC rules
## LBAC rules
Grafana adds Team LBAC rules to the HTTP request via the Loki data source.
Grafana adds LBAC for data sources rules to the HTTP request via the Loki data source.
If you configure multiple rules for a team, each rule is evaluated separately.
Query results include lines that match any of the rules.
Only users with data source `Admin` permissions can edit Team LBAC rules in the **Data source permissions** tab because changing LBAC rules requires the same access level as editing data source permissions.
Only users with data source `Admin` permissions can edit LBAC for data sources rules in the **Data source permissions** tab because changing LBAC rules requires the same access level as editing data source permissions.
To set up Team LBAC for a Loki data source, refer to [Configure Team LBAC](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/teamlbac/configure-teamlbac-for-loki/).
To set up LBAC for data sources for a Loki data source, refer to [Configure LBAC for data sources](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/teamlbac/configure-teamlbac-for-loki/).
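Review bot: the rewritten admonition line "LBAC rules is available for preview for logs with Loki in Grafana Cloud." has a subject-verb disagreement; write "LBAC rules are available for preview for logs with Loki in Grafana Cloud." The untouched line under Recommended setup, "All teams should have with only teams having `query` permission.", is still unreadable after this pass and should be rewritten, for example "Grant `query` permission only to the teams that should use this data source." Since the Limitations list states that a user whose teams have no LBAC rules can query all logs, the Recommended setup section should name that fail-open behaviour as the reason for keeping a separate, rule-free Loki data source, rather than leaving the reader to connect the two sections. Wording such as "To set up LBAC for data sources for a Loki data source" stacks "for ... for"; "To set up LBAC for a Loki data source" reads better now that the feature name has been shortened in the heading.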


@ -1,5 +1,5 @@
---
description: Configure Team LBAC for Loki data source on Grafana Cloud
description: Configure LBAC for data sources for Loki data source on Grafana Cloud
keywords:
- loki
- datasource
@ -7,40 +7,39 @@ keywords:
labels:
products:
- cloud
title: Configure Team LBAC for Loki
title: Configure LBAC for data sources for Loki
weight: 250
---
# Configure Team LBAC for Loki data source on Grafana Cloud
# Configure LBAC for data sources for Loki data source on Grafana Cloud
Team LBAC is available in private preview on Grafana Cloud for Loki created with basic authentication. Loki datasources for Team LBAC can only be created, provisioning is currently not available.
LBAC for data sources is available in private preview on Grafana Cloud for Loki created with basic authentication. Loki data sources for LBAC for data sources can only be created, provisioning is currently not available.
## Before you begin
To be able to use Team LBAC rules, you need to enable the feature toggle `teamHttpHeaders` on your Grafana instance. Contact support to enable the feature toggle for you.
To be able to use LBAC for data sources rules, you need to enable the feature toggle `teamHttpHeaders` on your Grafana instance. Contact support to enable the feature toggle for you.
- Be sure that you are running Grafana Enterprise.
- Be sure that you have the permission setup to create a loki tenant in Grafana Cloud
- Be sure that you have the permission setup to create a Loki tenant in Grafana Cloud
- Be sure that you have admin data source permissions for Grafana.
### Permissions
We recommend that you remove all permissions for roles and teams that are not required to access the data source. This will help to ensure that only the required teams have access to the data source. The recommended permissions are `Admin` permission and only add the teams `Query` permissions that you want to add Team LBAC rules for.
We recommend that you remove all permissions for roles and teams that are not required to access the data source. This will help to ensure that only the required teams have access to the data source. The recommended permissions are `Admin` permission and only add the teams `Query` permissions that you want to add LBAC for data sources rules for.
## Task 1: Configure Team LBAC for a new Loki data source
## Task 1: LBAC Configuration for New Loki Data Source
1. Access Loki data sources details for your stack through grafana.com
1. Copy Loki Details and Create a CAP
1. Copy Loki details and create a CAP
- Copy the details of your Loki setup.
- Create a Cloud Access Policy (CAP) for the Loki data source in grafana.com.
- Ensure the CAP includes `logs:read` permissions.
- Ensure the CAP does not include `labels` rules.
1. Create a New Loki Data Source
1. Create a new Loki data source
- In Grafana, proceed to add a new data source and select Loki as the type.
1. Navigate back to the Loki data source
- Set up the Loki data source using basic authentication. Use the userID as the username. Use the generated CAP token as the password.
- Save and connect.
1. Navigate to Data Source Permissions
- Go to the permissions tab of the newly created Loki data source. Here, you'll find the Team LBAC rules section.
1. Navigate to data source permissions
- Go to the permissions tab of the newly created Loki data source. Here, you'll find the LBAC for data sources rules section.
For more information on how to setup Team LBAC rules for a Loki data source, refer to [Create Team LBAC rules for the Loki data source](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/teamlbac/create-teamlbac-rules/).
For more information on how to setup LBAC for data sources rules for a Loki data source, refer to [Create LBAC for data sources rules for the Loki data source](https://grafana.com/docs/grafana/<GRAFANA_VERSION>/administration/data-source-management/teamlbac/create-teamlbac-rules/).
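Review bot: the new heading "Task 1: LBAC Configuration for New Loki Data Source" is in title case while the step titles changed in the same task ("Copy Loki details and create a CAP", "Create a new Loki data source", "Navigate to data source permissions") were switched to sentence case; use "Task 1: Configure LBAC for a new Loki data source". The intro sentence "Loki data sources for LBAC for data sources can only be created, provisioning is currently not available." is a comma splice and repeats "for data sources"; suggest "Loki data sources that use LBAC must be created manually; provisioning is not yet supported." The step "Ensure the CAP does not include `labels` rules." would be clearer as "Ensure the CAP does not include any label selectors", matching the overview page, since a CAP label selector overrides the team rules configured here. "how to setup LBAC" should read "how to set up LBAC".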


@ -1,42 +1,41 @@
---
description: Learn how to create Team LBAC rules for the Loki data source.
description: Learn how to create LBAC for data sources rules for the Loki data source.
keywords:
- loki
- lbac
- team
labels:
products:
- enterprise
- cloud
title: Create Team LBAC rules for the Loki data source
title: Create LBAC for data sources rules for the Loki data source
weight: 250
---
# Create Team LBAC rules for the Loki data source
# Create LBAC for data sources rules for the Loki data source
Team LBAC is available on Cloud for data sources created with basic authentication. Any managed Loki data source can **NOT** be configured with Team LBAC rules.
LBAC for data sources is available on Cloud for Loki data sources created with basic authentication. Managed/Provisioned Loki data source can **NOT** be configured with LBAC for data sources as of now.
## Before you begin
To be able to use Team LBAC rules, you need to enable the feature toggle `teamHttpHeaders` on your Grafana instance. Contact support to enable the feature toggle for you.
To be able to use LBAC for data sources rules, you need to enable the feature toggle `teamHttpHeaders` on your Grafana instance. Contact support to enable the feature toggle for you.
- Be sure that you are running Grafana Enterprise.
- Be sure that you have the permission setup to create a Loki tenant in Grafana Cloud.
- Be sure that you have admin data source permissions for Grafana.
- Be sure that you have a team setup in Grafana.
### Create a Team LBAC Rule for a team
### Create a LBAC for data sources Rule for a team
1. Navigate to your Loki datasource
1. Navigate to your Loki data source
1. Navigate to the permissions tab
- Here, you'll find the Team LBAC rules section.
1. Add a Team LBAC Rule
- Add a new rule for the team in the Team LBAC rules section.
1. Define Label Selector for the Rule
- Here, you'll find the LBAC for data sources rules section.
1. Add a LBAC for data sources Rule
- Add a new rule for the team in the LBAC for data sources rules section.
1. Define a label selector for the rule
- Add a label selector to the rule. Refer to Loki query documentation for guidance on the types of log selections you can specify.
### LBAC rule
A LBAC rule is a `logql` query that runs as a query to the loki instance for your logs. Each rule is it's own filtering operating independently from the other rules within a team. For example, you can create a label policy that includes all log lines with the label.
A LBAC rule is a `logql` query that runs as a query to the Loki instance for your logs. Each rule operates independently as its own filter, separate from other rules within a team. For example, you can create a label policy that includes all log lines with a specific label.
One rule `{namespace="dev", cluster="us-west-0"}` created with multiple namespaces will be seen as `namespace="dev"` **AND** `cluster="us-west-0"`.
Two rules `{namespace="dev"}`, `{cluster="us-west-0"}` created for a team will be seen as `namespace="dev"` **OR** `cluster="us-west-0"`.
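Review bot: "a LBAC" should be "an LBAC" in the heading "Create a LBAC for data sources Rule for a team" and in the step "Add a LBAC for data sources Rule" (the tasks later in this file already use "an LBAC policy"); both also keep a capitalised "Rule" while the neighbouring step "Define a label selector for the rule" was moved to sentence case. "Managed/Provisioned Loki data source can **NOT** be configured with LBAC for data sources as of now." needs a plural subject: "Managed or provisioned Loki data sources cannot currently be configured with LBAC rules." The `logql` code span should be written LogQL, as on the overview page, since it is a language name rather than an identifier.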
@ -47,11 +46,11 @@ We recommend you only add `query` permissions for teams that should use the data
We recommend for a first setup, setting up as few rules as possible for each team and make them additive for simplicity.
For validating the rules, we recommend testing the rules in the Loki Explore view. This will allow you to see the logs that would be returned for the rule.
To validate the rules, we recommend testing the rules in the Loki Explore view. This will allow you to see the logs that would be returned for the rule.
#### Tasks
### Task 1: One rule setup for each team
### Task 1: One rule set up for each team
One common use case for creating an LBAC policy is to have specific access to logs that have a specific label. For example, you can create a label policy that includes all log lines with the label.
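Review bot: the new heading "Task 1: One rule set up for each team" uses the verb "set up" where a noun is needed, and the Task 5 heading in this same file keeps the noun ("Single rule setup for a team"); either use "Task 1: Single rule setup for each team" or reword both as imperatives ("Set up one rule for each team") to match the new Task 2 and Task 3 headings.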
@ -67,9 +66,9 @@ A user that is part of Team B will have access to logs that match `namespace="pr
A user that is part of Team A and Team B will have access to logs that match `namespace="dev"` OR `namespace="prod"`.
### Task 2: One rule setup for a team Exclude a label
### Task 2: Set up a rule to exclude a label for a team
One common use case for creating an LBAC policy is to exclude logs that have a specific label. For example, you can create a label policy that excludes all log lines with the label secret=true by adding a selector with `secret!="true"` when you create an access policy:
One common use case for creating an LBAC policy is to exclude logs that have a specific label. For example, you can create a label policy that excludes all log lines with the label `secret=true` by adding a selector with `secret!="true"` when you create an access policy:
We have one team, Team A `Query` permissions. Loki access is setup with `Admin` roles to have `Admin` permission only.
@ -77,7 +76,7 @@ We have one team, Team A `Query` permissions. Loki access is setup with `Admin`
A user that is part of Team A will **NOT** have access to logs that match `secret!="true"`.
### Task 3: Multiple rules setup for one team
### Task 3: Set up multiple rules for a team
We have two teams, Team A and Team B with `Query` permissions. Loki access is setup with `Admin` roles having `Admin` permission.
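Review bot: the context line "A user that is part of Team A will **NOT** have access to logs that match `secret!="true"`." states the opposite of the rule it describes. The rule `secret!="true"` from Task 2 is applied as a selector on the team's queries, so Team A members can only read lines where `secret` is not "true"; the sentence should say they will not have access to logs that match `secret="true"`. As written it would lead an operator to believe the exclusion works the other way round, which is exactly the case that should be verified in Explore before the rule is relied on. Also "Loki access is setup with `Admin` roles having `Admin` permission." should read "is set up with".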
@ -113,7 +112,7 @@ A user in Team B will have access to logs that match `namespace!="dev"`.
> _NOTE:_ A user that is part of Team A and Team B will have access to all logs that match `namespace="dev"` `OR` `namespace!="dev"`.
### Task 5: One rule setup for a Team
### Task 5: Single rule setup for a team
We have two teams, Team A and Team B. Loki access is setup with `Editor`, `Viewer` roles to have `Query` permission.
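Review bot: "Loki access is setup with `Editor`, `Viewer` roles to have `Query` permission." should read "Loki access is set up with the `Editor` and `Viewer` roles having `Query` permission." In the note above it, the operator `OR` is set in a code span while the rule-semantics section earlier in this file uses bold **AND** and **OR**; pick one style for the whole page.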


@ -0,0 +1,109 @@
---
aliases:
- ../../http_api/datasource_lbac_rules/
canonical: /docs/grafana/latest/developers/http_api/datasource_lbac_rules/
description: Data Source LBAC rules API
keywords:
- grafana
- http
- documentation
- api
- datasource
- lbac
- acl
- enterprise
labels:
products:
- cloud
title: Datasource LBAC rules HTTP API
---
# Data Source LBAC rules API
> The Data Source LBAC rules are only available in Grafana Cloud. Only cloud loki data sources are supported.
LBAC (Label-Based Access Control) rules can be set for teams.
## Get LBAC rules for a data source
`GET /api/datasources/:uid/lbac/teams`
Gets all existing LBAC rules for the data source with the given `uid`.
**Required permissions**
| Action | Scope |
| ---------------- | ---------------------------------------------------------------------------------------- |
| datasources:read | datasources:_<br>datasources:uid:_<br>datasources:uid:my_datasource (single data source) |
### Examples
**Example request:**
```
GET /api/datasources/:uid/lbac/teams HTTP/1.1
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
```
## Update LBAC rules for a data source
`PUT /api/datasources/:uid/lbac/teams`
Updates LBAC rules for teams associated with the data source with the given `uid`. Here you submit a list of teams and the rules for each team.
Deleting a team from the list will remove the team's LBAC rules. You have to submit all teams and their rules to be updated, to remove a team's rules, you have to submit the current list of rules without the team.
**Required permissions**
| Action | Scope |
| ----------------------------- | ---------------------------------------------------------------------------------------- |
| datasources:write | datasources:_<br>datasources:uid:_<br>datasources:uid:my_datasource (single data source) |
| datasources.permissions:write | datasources:_<br>datasources:uid:_<br>datasources:uid:my_datasource (single data source) |
### Examples
**Example request:**
```http
PUT /api/datasources/my_datasource/lbac/teams
Accept: application/json
Content-Type: application/json
Authorization: Bearer eyJrIjoiT0tTcG1pUlY2RnVKZTFVaDFsNFZXdE9ZWmNrMkZYbk
{
"teamId": 1,
"rules": [
{
"header": "X-Prom-Label-Policy",
"value": "18042:{ foo=\"bar\" }"
}
]
}
```
**Example response:**
```http
HTTP/1.1 200 OK
Content-Type: application/json; charset=UTF-8
Content-Length: 35
{
"message": "Data source LBAC rules updated",
"id": 1,
"uid": "my_datasource",
"name": "My Data Source",
"lbacRules": [
{
"teamId": 1,
"rules": [
{
"header": "X-Prom-Label-Policy",
"value": "18042:{ foo=\"bar\" }"
}
]
}
]
}
```
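Review bot: the PUT request example body is a single `{ "teamId": 1, "rules": [...] }` object, while the text says you "submit a list of teams and the rules for each team" and the response returns `lbacRules` as an array of such objects; either the request example should show the list shape or the text should say that one team is submitted per call. The paragraph "Deleting a team from the list will remove the team's LBAC rules. You have to submit all teams and their rules to be updated, to remove a team's rules, you have to submit the current list of rules without the team." is a comma splice that buries the important point: PUT replaces the complete rule set, and any team omitted from the body loses its rules, after which, per the Limitations on the overview page, its members can query all logs. Suggest: "PUT replaces the complete set of rules. Submit every team together with its rules; omitting a team removes that team's rules." The scope cells `datasources:_<br>datasources:uid:_` have lost their wildcards (the formatter rewrote `*` as `_`); escape them as `datasources:\*<br>datasources:uid:\*`. Smaller points: the first request fence is untagged while the second is tagged `http`; the GET example uses the `:uid` placeholder while the PUT uses `my_datasource`; the GET section has no example response; the `18042:` prefix in the rule `value` is not explained anywhere on the page; the `Content-Length: 35` in the response does not match the body shown; "cloud loki" should be "Cloud Loki"; and the frontmatter title "Datasource LBAC rules HTTP API" should use "Data source" like the heading, given this commit renames datasource to data source everywhere else.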