-
Task
-
Resolution: Done
-
Undefined
-
None
-
None
-
None
-
5
-
False
-
False
-
NEW
-
OBSDA-7 - Adopting Loki as an alternative to Elasticsearch to support more lightweight, easier to manage/operate storage scenarios
-
NEW
-
Undefined
-
-
Logging (LogExp) - Sprint 204, Logging (LogExp) - Sprint 205, Logging (LogExp) - Sprint 206, Logging (LogExp) - Sprint 207
As a LokiStack admin operating Loki-Operator on OCP, I want the lokistack-gateway's OPA agent to delegate authorization requests to OCP's apiserver to allow developers to access only namespaces they are authorized to.
Acceptance criteria:
- The opa-openshift sidecar delegates authorization requests via SubjectAccessReviews to OCP apiserver.
- The opa-openshift sidecar returns a list of permitted namespaces to the lokistack-gateway authorizer for the Developer persona.
- The opa-openshift sidecar permits access to all namespaces to the lokistack-gateway for the Admin persona.
- The lokistack-gateway passes a list of namespaces as extra label filter for the Developer persona to Loki's query frontend.
Dev notes:
- will need to implement this, based on https://github.com/observatorium/opa-ams
- single http handler that will run as a container in the lokistack-gateway pod
- will need to be connected to CPaaS (will be a separate card)
- Repo should be created under ViaQ org
Docs impact:
- Need to capture requirements to be considered Admin user for loki
- cc rdlugyhe
- is documented by
-
-
- Closed
-
- links to
(1 links to)
