XML

Word

Printable

Type: Epic
Resolution: Unresolved
Priority: Blocker
Fix Version/s: ACM 2.16.0
Affects Version/s: Future
Component/s: Observability
Labels:
- acmobs216

Epic Name:
[Dev Preview] MCOA Hub Storage AuthZ
Activity Type:
Product / Portfolio Work
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
Color Status:
Not Selected
Epic Status:
In Progress
Feature Link:
ACM-12063 - Multi-signal Observability Storage, Collection and Query Support in ACM
Parent Link:
ACM-12063Multi-signal Observability Storage, Collection and Query Support in ACM
Hierarchy Progress Bar:

33% To Do, 0% In Progress, 67% Done

SFDC Cases Links:
SFDC Cases Open:
SFDC Cases Counter:

PX Impact Score:

Intelligence Requested:
Market:

Epic Goal

...

Goal for ACM 2.16 is at least to have a ready to implement plan to achieve:

Fine-Grained RBAC for metrics
Multitenancy for MultiClusterLogging.

It is not expectation to have a customer facing solution (maybe Dev-Preview), but we should be able to implement plan for ACM 2.17

This is a summary of current plan

1. ObservabilityAddonRole CRD: A new custom resource, ObservabilityAddonRole, is introduced to define fine-grained permissions. This CRD specifies:

- Actions: Which signals and access types are allowed (e.g., "metrics:read", "logs:read").

- Scopes: The specific resources the actions apply to, defined using label-based filtering (e.g., cluster="managed-cluster-1", namespace="stage"). The syntax for filtering is based on the query language for the signal (PromQL for metrics, LogQL for logs, etc.).

2- ClusterRole Mapping: The standard Kubernetes ClusterRole will no longer define the specific metric access directly. Instead, it will simply point to a corresponding ObservabilityAddonRole using a {{}}

3. Authorization: The Observatorium API will enforce these label-based filters on incoming requests, ensuring users only see data they are permitted to access across all observability signals.

4. long term the solution will be open for KesselSpiceDB-Integration, but would not block neither DP/TP and likely not GA

Why is this important?

it blocks multicluster-logging and fine-grained rbac for metrics

Scenarios

...

Acceptance Criteria

...

Dependencies (internal and external)

Previous Work (Optional):

Open questions:

Done Checklist

CI - CI is running, tests are automated and merged.
Release Enablement <link to Feature Enablement Presentation>
DEV - Upstream code and tests merged: <link to meaningful PR or GitHub
Issue>
DEV - Upstream documentation merged: <link to meaningful PR or GitHub
Issue>
DEV - Downstream build attached to advisory: <link to errata>
QE - Test plans in Polarion: <link or reference to Polarion>
QE - Automated tests merged: <link or reference to automated tests>
DOC - Doc issue opened with a completed template. Separate doc issue
opened for any deprecation, removal, or any current known
issue/troubleshooting removal from the doc, if applicable.

blocks

ACM-12475 [Dev Preview] MCOA Hub Metric Storage

ACM-12479 [Dev Preview] MCOA Hub Trace Storage

ACM-12470 [Dev Preview] MCOA Hub Log Storage

In Progress

ACM-12476 [Dev Preview] MCOA ACM Console Alerting UI

Closed

is blocked by

ACM-12467 MCOA Centralized Storage and Sharding

Closed

relates to

ACM-19058 Advanced RBAC in Observability

(1 relates to)

Assignee:: Jacob Baungard Hansen

Reporter:: Moad Zardab

QA Contact:: Xiang Yin

Product Manager:: Christian Stark

Votes:: 1 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2024/06/28 1:48 PM

Updated:: 2025/11/18 2:16 PM

Details

Description

Epic Goal

Why is this important?

Scenarios

Acceptance Criteria

Dependencies (internal and external)

Previous Work (Optional):

Open questions:

Done Checklist

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates