
Permissions

Overview

Permissions in SUSE Observability allow Administrators to manage the actions that each user or user group can perform inside SUSE Observability and the information that will be shown in their SUSE Observability UI. Only the feature set relevant to each user’s active role will be presented. The actions, information and pages that a user doesn’t have access to are simply not displayed in their SUSE Observability UI.

Permissions are stored in StackGraph. This means that:

  • If you perform an upgrade with "clear all data", permission setup will also be removed.

  • To completely remove a user, they must also be manually removed from StackGraph.

SUSE Observability permissions

There are two types of permission in SUSE Observability. System permissions scope user capabilities such as access to settings, query execution and scripting. Scoped permissions determine access to observability data and to some resource types, such as SUSE Observability Views. CRUD permissions on SUSE Observability Views can be granted for a specific view or for all views. For details of the permissions attached to each predefined role in SUSE Observability, see predefined roles.

The following permissions are available in SUSE Observability:

Table 1. Permissions

Resource                  | Verbs                                   | Description
--------------------------|-----------------------------------------|------------------------------------------------------------------
agents                    | get                                     | Connected agents.
api-tokens                | get                                     | The API key to use for authentication with the SUSE Observability CLI. This is unique per user.
component-actions         | execute                                 | Component actions in the topology perspective.
metric-bindings           | get, create, update, delete             | Bindings to visualize data in the metrics perspective.
metrics                   | get[1], update                          | Ingest and query metric data using PromQL.
monitors                  | get, create, update, delete, execute    | Determine component health with monitors.
notifications             | get, create, update, delete             | Get alerted with notifications.
permissions               | get, update                             | Manage permissions on subjects.
scoped-permissions        | update[1]                               | Manage scoped permissions, granting (or revoking) access to topology, metrics and traces from a single cluster.
scripts                   | execute                                 | Execute a script in the SUSE Observability UI Analytics environment.
restricted-scripts        | execute                                 | Use the HTTP script and Gremlin graph API in the Analytics environment.
service-token             | get, create, delete                     | Service tokens authenticate an external service and can be used for data ingestion.
settings                  | get, update, unlock                     | Export or import settings or unlock locked configuration items.
stackpacks                | get, update                             | List or upload Stackpacks.
stackpack-configurations  | create, update, delete                  | Manage integrations using Stackpacks.
sync-data                 | get, delete                             | Inspect or reset the topology and health synchronization pipelines.
system-notifications      | get                                     | Access the system notifications in the UI.
topic-messages            | get                                     | Access SUSE Observability Receiver data.
topology                  | get[1]                                  | Explore topology scoped views.
traces                    | get[1]                                  | Explore traces.
views                     | get[1], create, update[1], delete[1]    | Use or manage custom views.
favorite-views            | create, delete                          | Add and remove stars from views.
visualization             | update                                  | Change visualization settings.

[1] This is a scoped permission; the interpretation of the resource name depends on the context.

Scoped permissions

You can grant certain permissions system-wide, or you can limit them to a subset of the resources by giving them a Resource Name, which indicates the scope. How this name is interpreted depends on the type of resource. Note that the scoping may apply to only some of the verbs.

  • views - The name of the view

  • topology - Any component label. In a Kubernetes environment, this can be, for example, cluster-name:<cluster-name> or k8s-scope:<cluster-name>/<namespace>

  • metrics - In a Kubernetes environment, either k8s:<cluster-name>:__any__ or k8s:<cluster-name>:<namespace>

  • traces - In a Kubernetes environment, either k8s.cluster.name:<cluster-name> or k8s.scope:<cluster-name>/<namespace>

  • scoped-permissions - The name of the cluster for which permissions are managed

Manage permissions

You can manage SUSE Observability permissions using the sts CLI. For scoped permissions, a resource name may be specified. If none is given, the permission will be granted (or revoked) system-wide.

Important note: All permissions in SUSE Observability are case sensitive.

List all available permissions

List all available permissions:

sts rbac list-permissions

List all subjects

List all subjects:

sts rbac describe-subjects

SUBJECT                                    | SOURCE
stackstate-admin                           | Static
suse-observability-instance-admin          | Kubernetes
suse-observability-agent-clusterA          | Observability

The subject SOURCE column shows who owns and manages the subject. It can be one of the RBAC sources (Configuration|Static, Observability, Kubernetes):

  • Configuration|Static: Subjects obtained via SUSE Observability configuration through Helm

  • Observability: Subjects managed via the sts CLI

  • Kubernetes: Subjects obtained via the RBAC agent from Kubernetes RoleBindings and ClusterRoleBindings

List subjects for a user

List all subjects that are assigned to the context:

sts user-session roles

keycloakoidc_group://suse-observability-instance-troubleshooter
keycloakoidc_group://suse-observability-instance-observer
keycloakoidc_group://suse-observability-cluster-observer
keycloakoidc_group://suse-observability-instance-admin
keycloakoidc_group://suse-observability-observer

List all subjects that are assigned to a user, by providing their api-token:

sts user-session roles --api-token [api-token]

keycloakoidc_group://suse-observability-instance-admin

Show granted permissions

Show the permissions granted to a specific role.

sts rbac describe-permissions --subject [role-name]

--subject can be any of the subjects available in the different RBAC sources (Configuration, Observability, Kubernetes).

Grant permissions

--subject can only be an Observability subject; Configuration and Kubernetes subjects are read-only.

Allow a user to open a view

Give a subject permission to open a view:

sts rbac grant --subject [role-name] --permission get-views --resource [view-name]

Allow a user to create views

Give a subject the system permission to create views:

sts rbac grant --subject [role-name] --permission create-views

Allow a user to check SUSE Observability settings

Give a subject the system permission to check SUSE Observability settings:

sts rbac grant --subject [role-name] --permission get-settings

Revoke permissions

--subject can only be an Observability subject; Configuration and Kubernetes subjects are read-only.

Revoke permissions for a subject to open a view:

sts rbac revoke --subject [role-name] --permission get-views --resource [view-name]
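Because permission names and resource names are case sensitive and a mistyped scope is accepted as just another label, it pays to validate scoped resource names against the formats listed under "Scoped permissions" before running the grant commands above. The script below is an added example and is not part of the SUSE Observability documentation or the sts CLI: scope_name_ok checks a resource name against this example's reading of the documented scope formats (topology accepts any key:value component label, since the page lists the Kubernetes labels only as examples), and namespace_reader_grants builds the three read-only grants that give one subject access to the topology, metrics and traces of a single Kubernetes namespace. The permission names get-topology, get-metrics and get-traces follow the verb-resource pattern of the documented examples (get-views, get-settings) and are an assumption of this example, as is the APPLY environment variable that switches from printing the commands to running them.

```shell
#!/bin/sh
# Added example, not part of the SUSE Observability documentation or the sts CLI:
# validate scoped resource names against the documented scope formats, then build
# (and optionally run) least-privilege grants for one Kubernetes namespace.

# match STRING PATTERN: true when the whole STRING matches the POSIX BRE PATTERN.
# The leading X keeps expr from treating strings that start with '-' as options.
match() {
  expr "X$1" : "X$2\$" >/dev/null
}

# scope_name_ok RESOURCE NAME: check NAME against the scope format the documentation
# gives for RESOURCE. The patterns are this example's reading of those formats;
# topology accepts any key:value component label because the documentation lists
# cluster-name:<cluster> and k8s-scope:<cluster>/<namespace> only as examples.
scope_name_ok() {
  case "$1" in
    views)              match "$2" '[^[:space:]]\{1,\}' ;;
    topology)           match "$2" '[^:[:space:]]\{1,\}:[^[:space:]]\{1,\}' ;;
    metrics)            match "$2" 'k8s:[^:/[:space:]]\{1,\}:__any__' \
                     || match "$2" 'k8s:[^:/[:space:]]\{1,\}:[^:/[:space:]]\{1,\}' ;;
    traces)             match "$2" 'k8s\.cluster\.name:[^:/[:space:]]\{1,\}' \
                     || match "$2" 'k8s\.scope:[^:/[:space:]]\{1,\}/[^:/[:space:]]\{1,\}' ;;
    scoped-permissions) match "$2" '[^:/[:space:]]\{1,\}' ;;
    *)                  return 1 ;;
  esac
}

# namespace_reader_grants SUBJECT CLUSTER NAMESPACE: print one `sts rbac grant` per
# line giving SUBJECT read-only access to the topology, metrics and traces of one
# namespace. The permission names get-topology, get-metrics and get-traces are
# assumed from the verb-resource pattern of the documented examples. Every scope is
# validated first; an invalid one aborts with status 1 before anything is granted.
# With APPLY=1 (assumed switch of this example) each command is also executed.
namespace_reader_grants() {
  subject=$1 cluster=$2 ns=$3
  printf '%s\n' \
    "topology get-topology k8s-scope:$cluster/$ns" \
    "metrics get-metrics k8s:$cluster:$ns" \
    "traces get-traces k8s.scope:$cluster/$ns" |
  while read -r resource perm scope; do
    if ! scope_name_ok "$resource" "$scope"; then
      echo "refusing to grant $perm: '$scope' is not a valid $resource scope" >&2
      exit 1   # exits the pipeline subshell; the function returns non-zero
    fi
    # Permission names and scopes are case sensitive: pass them through unchanged.
    printf 'sts rbac grant --subject %s --permission %s --resource %s\n' \
      "$subject" "$perm" "$scope"
    if [ "${APPLY:-0}" = 1 ]; then
      sts rbac grant --subject "$subject" --permission "$perm" --resource "$scope"
    fi
  done
}

# Dry run for a constructed subject, cluster and namespace (example values only).
namespace_reader_grants 'keycloakoidc_group://team-payments' clusterA payments
```

Run it once without APPLY to review the exact commands, then with APPLY=1 to execute them; afterwards `sts rbac describe-permissions --subject [role-name]` shows the three scoped grants and nothing system-wide. Granting per namespace this way keeps a team's read access limited to its own workloads instead of the whole cluster.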

SUSE Observability UI with no permissions

Below is an example of how the SUSE Observability UI would look for a user without any permissions:

[Screenshot: SUSE Observability UI with no permissions]